VPS: Excavating High-Level C++ Constructs from Low-Level Binaries to Protect Dynamic Dispatching

Abstract

Po­ly­mor­phism and in­heri­t­an­ce make C++ sui­ta­ble for wri­ting com­plex soft­ware, but si­gni­fi­cant­ly in­crea­se the at­tack sur­face be­cau­se the im­ple­men­ta­ti­on re­li­es on vir­tu­al func­tion ta­bles (vta­bles). These vta­bles con­tain func­tion poin­ters that at­ta­ckers can po­ten­ti­al­ly hi­jack and in prac­tice, vta­ble hi­ja­cking is one of the most im­portant at­tack vec­tor for C++ bi­na­ries. In this paper, we pre­sent VTa­ble Poin­ter Se­pa­ra­ti­on (VPS), a prac­tical bi­na­ry-le­vel de­fen­se against vta­ble hi­ja­cking in C++ ap­p­li­ca­ti­ons. Un­li­ke pre­vious bi­na­ry-le­vel de­fen­ses, which rely on un­sound sta­tic ana­ly­ses to match clas­ses to vir­tu­al call­si­tes, VPS achie­ves a more ac­cu­ra­te pro­tec­tion by re­stric­ting vir­tu­al call­si­tes to va­lidly crea­ted ob­jects. More spe­ci­fi­cal­ly, VPS en­su­res that vir­tu­al call­si­tes can only use ob­jects crea­ted at valid ob­ject con­struc­tion sites, and only if those ob­jects can reach the call­si­te. Mo­re­over, VPS ex­pli­cit­ly prevents false po­si­ti­ves (fal­se­ly iden­ti­fied vir­tu­al call­si­tes) from brea­king the bi­na­ry, an issue exis­ting work does not hand­le cor­rect­ly or at all. We eva­lua­te the pro­to­ty­pe im­ple­men­ta­ti­on of VPS on a di­ver­se set of com­plex, re­al-world ap­p­li­ca­ti­ons (Mon­goDB, MySQL ser­ver, Node.​js, SPEC CPU2017/CPU2006), show­ing that our ap­proach pro­tects on aver­a­ge 97.8% of all vir­tu­al call­si­tes in SPEC CPU2006 and 97.4% in SPEC CPU2017 (all C++ bench­marks), with a mo­de­ra­te per­for­mance over­head of 11% and 9% geo­me­an, re­spec­tive­ly. Fur­ther­mo­re, our eva­lua­ti­on re­veals 86 false ne­ga­ti­ves in VTV, a po­pu­lar sour­ce-ba­sed de­fen­se which is part of GCC.