slides - Chao Zhang

VTint:
Protecting Virtual
Function Tables’ Integrity
Chao Zhang (UC Berkeley)
Chengyu Song (Georgia Tech)
Kevin Zhijie Chen (UC Berkeley)
Zhaofeng Chen (Peking University)
Dawn Song (UC Berkeley)
VTable for Dynamic Dispatch (C++)
void foo(Base2* obj){
objàvg4();
}
class Sub: public Base1, Base2{…};
writable section
read-only section
Base1 object b1
VTable for Base1
vfptr
Base1::vf1
base1_a
...
VTable for Base2
Base2 object b2
Base2::vg1
vfptr
...
base2_a
Base2::vg10
Base1::vf10
VTable for Sub::Base1
Sub object s
Sub::vf1
vfptr
...
base1_a
VTable for Sub::Base2
Sub::vf10
vfptr
Sub::vg1
Sub::vh1
base2_a
...
...
sub_a
Sub::vg10
Sub::vh10
void main(){
Base2* obj = new Sub();
foo(obj);
}
code section
; Function main()
push SIZE
call malloc()
mov ecx, eax
call Sub::Sub()
; now ECX points to the Sub object
add ecx, 8
; now ECX points to the Sub::Base2 object
call foo()
ret
; Function foo()
mov eax, [ecx]
; read vfptr of Base2
mov edx, [eax+0x0C] ; get vg4() from vtable
call edx
; call Base2::vg4()
ret
VTable Hijacking in real world
+ Vulnerabilities like use-after-free
+ VTable Injection
+ ROP gadgets
writable section
• 
Pwn2Own 2014 Firefox
• 
Pwn2Own 2014 Chrome
• 
CVE-2014-1772 IE
read-only section
fake VTable
VTable for Base1
gadget
Base1::vf1
...
...
...
VTable for Base2
...
Base2::vg1
...
...
gadget
Base2::vg10
Base1::vf10
VTable for Sub::Base1
Sub object s
Sub::vf1
vfptr
new_vfptr
...
base1_a
VTable for Sub::Base2
Sub::vf10
vfptr
new_vfptr
Sub::vg1
Sub::vh1
base2_a
...
...
sub_a
Sub::vg10
Sub::vh10
code section
; Function main()
push SIZE
call malloc()
mov ecx, eax
call Sub::Sub()
; now ECX points to the Sub object
add ecx, 8
; now ECX points to the Sub::Base2 object
call foo()
ret
; Function foo()
mov eax, [ecx]
; read vfptr of Base2
mov edx, [eax+0x0C] ; get vg4() from vtable
call edx
; call Base2::vg4()
ret
VTable Hijacking in real world
•  A common way to exploit
heap
overflow
use
after
free
Google:
"80% attacks exploit use-after-free...”
Microsoft:
50% CVEs targeted Winows7 are UAF
VTable
Hijacking
…
format
string
•  written in C++
•  BIG Targets in the Cloud
VTable Hijacking Classification
•  VTable corruption
writable section
read-only section
VTable for Base1
Base1::vf1
o  overwrite VTable
...
VTable for Base2
Base1::vf10
Base2::vg1
...
•  VTable injection
Base2::vg10
VTable for Sub::Base1
Sub object s
Sub::vf1
shellcode()
vfptr
•  VTable reuse
...
base1_a
VTable for Sub::Base2
Sub::vf10
vfptr
Sub::vg1
Sub::vh1
base2_a
...
...
sub_a
Sub::vg10
Sub::vh10
shellcode()
…
VTable Hijacking Classification
•  VTable corruption
o  overwrite VTable
•  VTable injection
o  overwrite vfptr
o  point to fake VTable
•  VTable reuse
writable section
read-only section
fake VTable
VTable for Base1
shellcode()
Base1::vf1
...
...
...
VTable for Base2
...
Base2::vg1
...
...
shellcode()
Base2::vg10
Base1::vf10
VTable for Sub::Base1
Sub object s
Sub::vf1
vfptr
new_vfptr
...
base1_a
VTable for Sub::Base2
Sub::vf10
vfptr
Sub::vg1
Sub::vh1
base2_a
...
...
sub_a
Sub::vg10
Sub::vh10
VTable Hijacking Classification
•  VTable corruption
writable section
read-only section
VTable for Base1
Base1::vf1
o  overwrite VTable
...
VTable for Base2
Base1::vf10
Base2::vg1
...
•  VTable injection
o  overwrite vfptr
o  point to fake VTable
Base2::vg10
VTable for Sub::Base1
Sub object s
Sub::vf1
vfptr
new_vfptr
...
base1_a
VTable for Sub::Base2
Sub::vf10
vfptr
Sub::vg1
Sub::vh1
base2_a
...
...
sub_a
Sub::vg10
Sub::vh10
•  VTable reuse
o  overwrite vfptr
o  point to existing VTable, data etc.
VTint
• 
• 
• 
• 
Motivation
VTint Design
VTint Implementation
Evaluation
Our solution: VTint
•  Goal: VTable Hijacking
o  lightweight
o  binary
o  effective
Observation
Attack
Requirement
VTable Corruption overwrite VTable
VTable is writable
VTable Injection
overwrite vfptr,
point to injected VTable
VTable is writable
VTable Reuse
overwrite vfptr,
point to existing VTable/data
VTable-like data,
existing VTable
Observation à Intuition
Attack
Requirement
Countermeasure
VTable Corruption overwrite VTable
VTable is writable
Read-only VTable
VTable Injection
overwrite vfptr,
point to injected VTable
VTable is writable
Read-only VTable
VTable Reuse
overwrite vfptr,
point to existing VTable/data
VTable-like data,
existing VTable
different VTable/data
Need exact TYPE information
Light weight source-code solutions like VTGuard
VTint vs. DEP
VTint
DEP
VTable Corruption Read-only VTable
Code Corruption
Read-only Code Sec
VTable Injection
Read-only VTable
Code Injection
Read-only Code Sec
(writable sections will
not be executed)
VTable Reuse
different VTable/data
Code Reuse
NO
•  Similar to DEP
o  lightweight, and can be binary-compatible
•  Different from DEP
o  after hardening, the attack surface is smaller
VTint
• 
• 
• 
• 
Motivation
VTint Design
VTint Implementation
Evaluation
Architecture
VTint
parsing
PE
files
PE
executable
PEParser
candidate
VTables,
function entries
recursive
disassembling
BitCover
Instrumenting
VTables,
virtual calls
VRewriter
VTables,
virtual calls
hardened
PE
•  Binary parsing
•  Disassembling
•  Binary rewriting
VTint
parsing
PE
files
Binary Parsing
•  PE format
o  relocation table
o  import/export table
•  Output:
PE
executable
PEParser
candidate
VTables,
function entries
recursive
disassembling
BitCover
VTables,
virtual calls
Instrumenting
VTables,
virtual calls
VRewriter
o  candidate function entries
§  relocation entries, export entries, EntryPoint
o  candidate VTables
§  addresses of VTables are in the relocation table
§  entries in VTables are also in the relocation table
hardened
PE
VTint
parsing
PE
files
Disassembling
•  Goal
o  recover CFG
§  find out all functions, instructions
o  recover high-level information
§  constructor functions
§  real VTables
§  virtual function calls
PE
executable
PEParser
candidate
VTables,
function entries
recursive
disassembling
BitCover
Instrumenting
VTables,
virtual calls
VRewriter
•  recursive disassembly
o  starting from candidate function entries
o  targeting normal PE binaries, with relocation table
VTables,
virtual calls
hardened
PE
Disassembling (1)
Identify Constructor Function
•  Basic Pattern
; allocate object memory
push SIZE
call malloc()
mov ecx, eax
•  Identification
o  we know candidate vtables
object init
; get VTable ptr
mov eax, vfptr
vtable references
; assign VTable to object
mov [ecx], eax
vtable assignments
Disassembling (2)
Identify VTables
•  Basic Pattern
•  Identification
o  we know candidate vtables
; assign to objects in constructors
mov [ecx], vfptr
find vtable assignments
•  VTable size
o  unable to get exact size in binaries
o  we can estimate the maximum size
§  continuous relocation entries
§  adjacent RTTI, this adjustors, base offsets
Disassembling (3)
Identify Virtual Function Calls
•  Basic Pattern
•  Idenfication
o  we know indirect calls
; get vtable ptr from object
mov eax, [ecx+8]
; get virtual func ptr from vtable
mov edx, [eax+24]
; prepare this ptr for callee
add ecx, 8
; call virtual function
call edx
vtable read operation
vfunc read operation
this argument
indirect calls
VTint
parsing
PE
files
Binary Rewriting
•  Security Policy
PEParser
candidate
VTables,
function entries
recursive
disassembling
o  Enforce VTables to be read-only
o  Differentiate VTables from other data
BitCover
Instrumenting
VTables,
virtual calls
•  Rewriting
(Read-only
page)
VTID
VTable 2
VTable …
VTables,
virtual calls
hardened
PE
VRewriter
; get vtable ptr from object
mov eax, [ecx+8]
check vtable page has VTID
VTable 1
PE
executable
Info Leakage?
No problem!
check vtable page is read-only
; get virtual func ptr from vtable
mov edx, [eax+24]
; call virtual function
call edx
VTint
• 
• 
• 
• 
Motivation
VTint Solution
VTint Implementation
Evaluation
Static Analysis Results
•  Firefox analysis
o  fast analysis for each module
o  small file size overhead
Performance Evaluation
•  Firefox
•  Chrome
•  Average performance overhead is less than 2%
Protection Effect
•  Real World Exploits
Limitations
•  Binary disassembling
•  High-level information recovery
o  Constructor functions
o  VTables
o  Virtual function calls
•  Reusing existing VTables
o  call existing virtual functions
Conclusion
•  VTable hijacking is popular and critical
•  Existing solutions are not perfect
•  VTint is a lightweight, binary-compatible and
effective defense against VTable hijacking,
similar to DEP
Thanks!