Sourcerer: channeling the void
2025, Conference / Journal
Authors
Mathias Payer, Flavio Toffalini, Nicolas Badoux
Research Hub
Research Hub C: Secure Systems
Research Challenges
RC 7: Building Secure Systems
Abstract
Type confusion vulnerabilities occur when a program misinterprets an object as an incompatible type. Such errors result in undefined behavior and can lead to illegal memory accesses that undermine security. For compatibility reasons, the C++ programming language tolerates insecure type conversions, delegating the responsibility for assuring an object’s type to the developer. Sanitizers help developers detect and patch vulnerabilities during dynamic testing, i.e., before they reach production environments. However, current type confusion sanitizers either incur prohibitive runtime overheads or fail to check all casts. In particular, casts from void* have historically been overlooked due to challenges in recognizing the underlying object’s type, thus leading to incomplete type coverage.
We introduce Sourcerer, a new sanitizer that correctly and fully traces and recognizes all type confusions, in particular, casts from unrelated types and void*. Sourcerer enriches the classes involved in a cast with runtime type information to perform precise runtime checks. When compared with the state-of-the-art, Sourcerer expands type coverage to all cast operations, 8,507M additional casts on the SPEC CPU2006 and CPU2017 benchmarks—a 118% increase—with reasonable average performance overhead of 5.14%. Additionally, we conduct an ablation study to understand what causes this runtime overhead and showcase a fuzzing campaign finding six bugs, highlighting the improved bug-finding capabilities when Sourcerer is deployed.
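The following C++ snippet is an added illustration of the problem the abstract describes and is not Sourcerer's code or instrumentation. It shows a void* cast that silently reinterprets a Greeter as a Privileged object, and beside it a hypothetical checked cast that relies on runtime type information carried by a common base class (names TypedBase, Greeter, Privileged, unchecked_cast and checked_cast are all assumptions for this example; Sourcerer itself works in the compiler and does not require such a base class). The layout dependence of the unchecked path (vtable pointer first, then members, as in the Itanium and MSVC ABIs) is also an assumption.

```cpp
// Added example (not from the paper): type confusion through void* and a
// hypothetical checked cast backed by runtime type information.
#include <cstdint>
#include <cstdio>
#include <cstring>

// Every object we want to check derives from TypedBase, which gives it a
// vtable and therefore a dynamic type that dynamic_cast can query.
// This is a hand-written stand-in for "enriching classes with runtime
// type information"; the real sanitizer instruments the compiler instead.
struct TypedBase { virtual ~TypedBase() = default; };

struct Greeter : TypedBase {
    char name[16];
    int greet_count = 0;
};

struct Privileged : TypedBase {
    bool is_admin = false;      // overlays Greeter::name[0] on common ABIs
    uint64_t token = 0;
};

// Unchecked: what C++ allows today. Nothing verifies that p points at a T.
template <typename T>
T* unchecked_cast(void* p) { return static_cast<T*>(p); }

// Checked: by convention p originates from a TypedBase*, so we can recover
// the dynamic type before trusting the cast; nullptr signals a confusion.
template <typename T>
T* checked_cast(void* p) {
    auto* base = static_cast<TypedBase*>(p);   // assumption: p came from a TypedBase*
    return dynamic_cast<T*>(base);
}

// A Greeter is handed around as void* and later treated as Privileged.
// Returns what the program would believe about is_admin.
bool confused_admin_check(bool use_checked_cast) {
    Greeter g;
    std::memset(g.name, 0x01, sizeof g.name);  // constructed payload: non-zero bytes
    void* opaque = static_cast<TypedBase*>(&g);
    Privileged* p = use_checked_cast ? checked_cast<Privileged>(opaque)
                                     : unchecked_cast<Privileged>(opaque);
    if (p == nullptr) return false;   // checked path: confusion detected, cast refused
    return p->is_admin;               // unchecked path: reads Greeter's name bytes
}

// The checked cast must still accept a correctly typed object.
bool checked_cast_accepts_correct_type() {
    Greeter g;
    g.greet_count = 3;
    void* opaque = static_cast<TypedBase*>(&g);
    Greeter* back = checked_cast<Greeter>(opaque);
    return back != nullptr && back->greet_count == 3;
}

int main() {
    std::printf("unchecked cast believes admin: %d\n", confused_admin_check(false));
    std::printf("checked cast believes admin:   %d\n", confused_admin_check(true));
    std::printf("checked cast accepts Greeter:  %d\n", checked_cast_accepts_correct_type());
    return 0;
}
```

The unchecked path is exactly the gap the abstract attributes to earlier sanitizers: once the pointer has passed through void*, the static type is gone and the read of is_admin is undefined behavior that, on the usual layouts, simply returns a byte of the Greeter's name. The checked path shows the cost side of the trade-off the paper measures: every class needs a queryable runtime type, and every cast pays for a lookup.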