Static detection of C++ vtable escape vulnerabilities in binary code



Similar documents
Static detection of C++ vtable escape vulnerabilities in binary code

Visual Studio 2008 Express Editions

Virtual Machine Learning: Thinking Like a Computer Architect

Introduction. Figure 1 Schema of DarunGrim2

On the value of hybrid security testing

esrever gnireenigne tfosorcim seiranib

Checking Access to Protected Members in the Java Virtual Machine

How To Port A Program To Dynamic C (C) (C-Based) (Program) (For A Non Portable Program) (Un Portable) (Permanent) (Non Portable) C-Based (Programs) (Powerpoint)

Storage Classes CS 110B - Rule Storage Classes Page 18-1 \handouts\storclas

IS0020 Program Design and Software Tools Midterm, Feb 24, Instruction

AN ENABLING OPTIMIZATION FOR C++ VIRTUAL FUNCTIONS

Jonathon T. Giffin. Research Interests. Education

Hijacking Arbitrary.NET Application Control Flow. Topher Timzen

Detecting the Presence of Virtual Machines Using the Local Data Table

Bypassing Browser Memory Protections in Windows Vista

An Analysis of Address Space Layout Randomization on Windows Vista

A Framework for Measuring Software Obfuscation Resilience Against Automated Attacks

An Exception Monitoring System for Java

How To Trace

Reversing C++ Paul Vincent Sabanal. Mark Vincent Yason

Stitching the Gadgets On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection

Configuration Management

Systems Integration: Co C mp m onent- t bas a e s d s o s ftw ft a w r a e r e ngin i eeri r n i g

Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers

Implementation Aspects of OO-Languages

Software Vulnerabilities

3 SOFTWARE AND PROGRAMMING LANGUAGES

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

Data Structure Reverse Engineering

Detection of illegal control flow in Android System: Protecting private data used by Smartphone Apps

Týr: a dependent type system for spatial memory safety in LLVM

IKOS: A Framework for Static Analysis based on Abstract Interpretation (Tool Paper)

Ray Chance President Browsercraft, LLC

A deeper look at Inline functions

How to make the computer understand? Lecture 15: Putting it all together. Example (Output assembly code) Example (input program) Anatomy of a Computer

How To Detect A Buffer Overflow Vulnerability In Binary Code

Advanced compiler construction. General course information. Teacher & assistant. Course goals. Evaluation. Grading scheme. Michel Schinz

Type Casting Verification: Stopping an Emerging Attack Vector

Habanero Extreme Scale Software Research Project

Computer Programming C++ Classes and Objects 15 th Lecture

The Java Series. Java Essentials I What is Java? Basic Language Constructs. Java Essentials I. What is Java?. Basic Language Constructs Slide 1

Object Oriented Software Design II

SYMANTEC ADVANCED THREAT RESEARCH. An Analysis of Address Space Layout Randomization on Windows Vista

Motorola 8- and 16-bit Embedded Application Binary Interface (M8/16EABI)

PROBLEM SOLVING SEVENTH EDITION WALTER SAVITCH UNIVERSITY OF CALIFORNIA, SAN DIEGO CONTRIBUTOR KENRICK MOCK UNIVERSITY OF ALASKA, ANCHORAGE PEARSON

Course Title: Software Development

Analysis of FileVault 2: Apple's full disk encryption. Omar Choudary Felix Grobert Joachim Metz

High level code and machine code

Performance Measurement of Dynamically Compiled Java Executions

Visual C Tutorial

OKLAHOMA SUBJECT AREA TESTS (OSAT )

Semantic Analysis: Types and Type Checking

Building Applications Using Micro Focus COBOL

Chapter 6: Programming Languages

Compiler Construction

C++ Crash Kurs. C++ Object-Oriented Programming

Briki: a Flexible Java Compiler

C++ INTERVIEW QUESTIONS

PE Explorer. Heaventools. Malware Code Analysis Made Easy

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich

Fast Arithmetic Coding (FastAC) Implementations

Towards practical reactive security audit using extended static checkers 1

Developing Database Business Applications using VB.NET

Messing with the Android Runtime

Application Note C++ Debugging

Embedded Software Development

Safety & Security. Software Technologies. Software Technologies. Software Technologies. Safety & Security Standards

Hands-on CUDA exercises

Developing an ODBC C++ Client with MySQL Database

6.088 Intro to C/C++ Day 4: Object-oriented programming in C++ Eunsuk Kang and Jean Yang

Soft-Timer Driven Transient Kernel Control Flow Attacks and Defense

Final Exercise Let s go Shopping!

Comp151. Definitions & Declarations

Applications to Computational Financial and GPU Computing. May 16th. Dr. Daniel Egloff

C++ Programming Language

Introduction. Application Security. Reasons For Reverse Engineering. This lecture. Java Byte Code

Analytics Configuration Reference

Glossary of Object Oriented Terms

Object Oriented Software Design II

The programming language C. sws1 1

REALbasic versus Visual Basic

Sandy. The Malicious Exploit Analysis. Static Analysis and Dynamic exploit analysis. Garage4Hackers

Course MS10975A Introduction to Programming. Length: 5 Days

Curriculum Map. Discipline: Computer Science Course: C++

Software Reversing Engineering (a.k.a. Reversing) Spiros Mancoridis. What is Reverse Engineering? Software Reverse Engineering: Reversing

Computing Concepts with Java Essentials

The Microsoft Way: COM, OLE/ActiveX, COM+ and.net CLR. Chapter 15

Write Barrier Removal by Static Analysis

Compilers. Introduction to Compilers. Lecture 1. Spring term. Mick O Donnell: michael.odonnell@uam.es Alfonso Ortega: alfonso.ortega@uam.


PeopleSoft Financials/Supply Chain Management 9.1 FP2 Hardware and Software Requirements

Obfuscation: know your enemy

Seminar: Cryptographic Protocols Staged Information Flow for JavaScript

Volume I, Section 4 Table of Contents

風 水. Heap Feng Shui in JavaScript. Alexander Sotirov.

Database Application Developer Tools Using Static Analysis and Dynamic Profiling

QEMU, a Fast and Portable Dynamic Translator

Topics. Introduction. Java History CS 146. Introduction to Programming and Algorithms Module 1. Module Objectives

Braindumps.C questions

C++FA 5.1 PRACTICE MID-TERM EXAM

Transcription:

Static detection of C++ vtable escape vulnerabilities in binary code David Dewey Jonathon Giffin School of Computer Science Georgia Institute of Technology ddewey, giffin@gatech.edu

Common problem in C++ In C++ specifically, how does one convert and instance of an object into an instance of another object? use static_cast in all cases and see what the compiler says. B. Stroustrup. The Design and Evolution of C++. Pearson Education, 1994. 2

C++ Type confusion vulnerabilities Adobe Flash Player SharedObject Type Confusion Vulnerability CVE-2011-0611 Microsoft ATL/MFC ActiveX Type Confusion Vulnerability CVE-2009-2494 Microsoft Office Excel Conditional Expression Ptg Type Confusion Vulnerability CVE-2011-1989 The list goes on and on and on 3

Reverse engineering C++ binaries is hard 4

As it turns out, these are all the same problem Recently, many software-level vulnerabilities caused by C++ type confusion Compiled C++ code can be very difficult to analyze IDS/IPS vendor wanted to provide signature coverage Software consumer concerned with application security Third-party interoperation Software developers regularly incorrectly use the static_cast operator No compiler warning from most modern compilers C++ standard only requires cv-check 5

Root of the problem This code compiles without warning with Visual Studio and g++ (< 4.6) Running this code causes a call to arbitrary memory class class1 public: class1(); ~class1(); virtual void addref(); virtual void print(); ; class class2 : public class1 public: class2(); ~class2(); virtual void voidfunc1() ; virtual void debug(); ; int tmain(int argc, TCHAR* argv[]) class1 C1; C1.addRef(); C1.print(); static cast<class2*>(&c1)->debug(); return 0; 6

Same problem In the previous slide, the problem should be obvious to a developer Consider this code. _tmain() and internalfunction() may be miles apart Separate libraries Not caught by g++ 4.6 Very common code construct in MS COM int internalfunction(void *pv) static_cast<class1*>(pv)->addref(); static_cast<class1*>(pv)->print(); static_cast<class1*>(pv)->debug(); return 0; int _tmain(int argc, _TCHAR* argv[]) class1 *C1 = new class1; class2 *C2 = new class2; internalfunction((void *)C1); internalfunction((void *)C2); return 0; 7

Structure of a C++ object after compilation Class2 ptr to VTable prop1 prop2 VTable void (Class1::*AddRef)() void (Class1::*print)() void (Class2::*voidFunc1) () void (Class2::*debug)() void Class1::AddRef() prop1++; void Class1::print() return; cout void << Class2::voidFunc1 I m in Class1 () << endl; return; void Class2::debug() return; cout<< In debug <<endl; return; 00402138 off 402138 dd offset sub 4010D0 0040213C dd offset sub 4010A0 00402140 dd offset nullsub 1 00402144 dd offset sub 4010B0 00402148 dd offset dword 402274 0040214C off 40214C dd offset sub 4010D0 00402150 dd offset sub 4010A0 00402154 align 8 00402158 db 48h ; H 00402159 db 0 0040215A db 0 0040215B db 0 0040215C db 0 8

RECALL Reconstruct C++ objects from binary code Perform reaching definition analysis on object definitions to determine which object is being referenced at a given use point (make reverse engineering easier) Perform a congruence check to determine the safety of the use of a given object (detects vtable escape vulnerabilities) 9

High-level architecture of RECALL ClassTracker Type Mismatches LLVM IR llvm-bcwriter LLVM bitcode opt Assembly x86 Machine Code IDA Pro Resolved Methods 10

x86 to SSA First, we translate x86 machine code into an SSA-based IR We chose an SSA-based IR to make translation simpler x86 assembly is mostly triple-based Use-def chains are implicit (core requirement for reaching definitions) Problems with going to higher-level IR Chose the LLVM IR due to the robustness of the LLVM analysis framework LLVM is attractive from a licensing perspective 11

Object reaching definition analysis Where: GEN is the set of objects that are instantiated in a given basic block KILL is the set of objects that are deleted in a given basic block For interprocedural analysis, REACH IN at the entry of a function F is equal to REACH[c] at the call to F from a call site c 12

Indentifying object instantiation Stack-allocated Implement object structure heuristics Inline constructor Explicit constructor Heap-allocated new() operator Call to YAPAXI(uint size) Inline constructor Explicit constructor 13

Tracking object types For each object, create a structure mapping the structure of the object Tag each object type with the virtual address of the constructor Class2 ptr to VTable prop1 prop2 VTable void (Class1::*AddRef)() void (Class1::*print)() void (Class2::*voidFunc1) () void (Class2::*debug)() void Class1::AddRef() prop1++; void Class1::print() return; cout void << Class2::voidFunc1 I m in Class1 () << endl; return; void Class2::debug() return; cout<< In debug <<endl; return; 14

Congruence Check Class X ptr to VTable prop1 prop2 VTable void (Class1::*AddRef)() void (Class1::*print)() void (Class2::*voidFunc1)() void (Class2::*debug)() void Class1::AddRef() prop1++; void Class1::print() return; cout void << Class2::voidFunc1() I m in Class1 << endl; return; void Class2::debug() return; cout<< In debug <<endl; return; Do these align? ClassY Do these align? ptr to VTable prop1 prop2 VTable void (Class1::*AddRef)() void (Class1::*print)() void (Class2::*voidFunc1)() void (Class2::*debug)() void Class1::AddRef() prop1++; void Class1::print() return; cout void << Class2::voidFunc1() I m in Class1 << endl; return; void Class2::debug() return; cout<< In debug <<endl; return; 15

Caveats Not designed for the analysis of malware or obfuscated code Does not require RTTI or debug symbols Focus is on code compiled with Visual Studio, but techniques can be generalized to other compilers If an object is allocated and the class pointer is stored in a collection, when the pointer is retrieved, we cannot track the type (future work) 16

Results Able to reconstruct and analyze objects from sample code that models: [stack-allocated, heap-allocated] x [inlined ctor, explicit ctor] Able to identify vulnerabilities in microbenchmarks designed to simulate real vulnerabilities: Simulated CVE-2011-0611(Adobe Reader) Simulated CVE-2010-0258 (Microsoft Excel) 17

Why microbenchmarks? REACH IN : REACH: x REACH: x,y REACH: x Function_A: %3 = new() %6 = new() delete(%6) call Function_B(%3) Analysis is performed interprocedurally Procedures can be analyzed independent of their location in the binary Moving procedures does not impact the correctness of the analysis Function_B(void* a): %2 = new() %5 = new() delete(%2) Call [a+0x4] REACH IN : x REACH: x,z REACH: x,z,w REACH: x,w 18

Select Related Work D. F. Bacon and P. F. Sweeney. Fast static analysis of C++ virtual function calls. In Proceedings of the ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA), 1996. B. Calder and D. Grunwald. Reducing indirect function call overhead in C++ programs. In Proceedings of the ACM SIGPLAN- SIGACT Symposium on Principles of Programming Languages (POPL), Portland, Oregon, 1994. C. Meadows. A procedure for verifying security against type confusion attacks. In IEEE Computer Security Foundations Workshop (CSFW), Pacific Grove, California, June 2003. H. Pande and B. Ryder. Data-flow-based virtual function resolution. In Proceedings of the Third International Symposium on Static Analysis (SAS), 1996. H. D. Pande and B. G. Ryder. Static type determination for C++. In Proceedings of the 6th USENIX C++ Technical Conference, 1994. A. Slowinska, T. Stancescu, and H. Bos. Howard: A dynamic excavator for reverse engineering data structures. In Proceedings of the Network and Distributed Systems Security Symposium (NDSS), 2011. D. Song, D. Brumley, H. Yin, J. Caballero, I. Jager, M. Kang, Z. Liang, J. Newsome, P. Poosankam, and P. Saxena. BitBlaze: A new approach to computer security via binary analysis. In International Conference on Information Systems Security, 2008. J. Viega, J. T. Bloch, Y. Kohno, and G. McGraw. ITS4: A static vulnerability scanner for C and C++ code. In Proceedings of the 16th Annual Computer Security Applications Conference (ACSAC), 2000. 19

Conclusion In our paper, we make the following contributions: Resolve vtable dispatch calls in compiled binaries Programmatically identify vtable escape vulnerabilities introduced by C++ developers Construct a general C++ decompilation framework for use in other analyses 20

Questions? ddewey@gatech.edu giffin@gatech.edu 21

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information