(2021) NoVT: Eliminating C++ Virtual Calls to Mitigate Vtable Hijacking.
Abstract
The vast majority of today's remote code execution attacks target virtual function tables (vtables). Attackers hijack vtable pointers to change the control flow of a vulnerable program to their will, resulting in full control over the underlying system. In this paper, we present NoVT, a compiler-based defense against vtable hijacking. Instead of protecting vtables for virtual dispatch, our solution replaces them with switch-case constructs that are inherently control-flow safe, thus preserving control flow integrity of C++ virtual dispatch. NoVT extends Clang to perform a class hierarchy analysis on C++ source code. Instead of a vtable, each class gets unique identifier numbers which are used to dispatch the correct method implementation. Thereby, NoVT inherently protects all usages of a vtable, not just virtual dispatch. We evaluate NoVT on common benchmark applications and real-world programs including Chromium. Despite its strong security guarantees, NoVT improves runtime performance of most programs (mean overhead -0.5%, -3.7% min, 2% max). In addition, protected binaries are slightly smaller than unprotected ones. NoVT works on different CPU architectures and protects complex C++ programs against strong attacks like COOP and ShrinkWrap.
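The dispatch idea in the abstract, written out by hand as an added sketch (not code from the paper and not NoVT's generated output): each object carries a class ID where a vtable pointer would be, and a switch selects among call targets fixed at compile time. The hierarchy, the ID values, and the `false` return for an ID outside the hierarchy are assumptions made for this illustration.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical class hierarchy; names and ID values are constructed for this sketch.
enum ClassId : std::uint32_t { ID_CIRCLE = 1, ID_SQUARE = 2 };

struct Shape {
    std::uint32_t class_id;  // sits where a vtable pointer would normally be
    int size;
};

// Non-virtual implementations that vtable slots would otherwise point to.
static int circle_area(const Shape& s) { return 3 * s.size * s.size; }
static int square_area(const Shape& s) { return s.size * s.size; }

// Dispatcher for the virtual method "area". Every reachable target is a direct
// call chosen from the class hierarchy at compile time, so overwriting the ID
// can at most select another valid implementation, never an arbitrary address.
// Returning false for an unknown ID is an assumption of this sketch; a hardened
// build could trap instead.
bool dispatch_area(const Shape& s, int& out) {
    switch (s.class_id) {
        case ID_CIRCLE: out = circle_area(s); return true;
        case ID_SQUARE: out = square_area(s); return true;
        default:        return false;
    }
}

int main() {
    Shape circle{ID_CIRCLE, 2};
    Shape square{ID_SQUARE, 3};
    Shape corrupted{0x41414141u, 3};  // constructed: simulates an overwritten ID field

    int area = 0;
    bool ok = dispatch_area(circle, area);
    std::printf("circle:    ok=%d area=%d\n", ok, area);
    ok = dispatch_area(square, area);
    std::printf("square:    ok=%d area=%d\n", ok, area);
    area = -1;
    ok = dispatch_area(corrupted, area);
    std::printf("corrupted: ok=%d area=%d\n", ok, area);
    return 0;
}
```

With a conventional vtable, the same overwrite of the object's first field would feed an attacker-chosen pointer into an indirect call; here it only fails to match a case label.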
| Item Type: | Conference or Workshop Item (A Paper) (Paper) | 
|---|---|
| Divisions: | Christian Rossow (System Security Group, SysSec) | 
| Conference: | EuroS&P IEEE European Symposium on Security and Privacy | 
| Depositing User: | Markus Bauer | 
| Date Deposited: | 15 Feb 2021 15:46 | 
| Last Modified: | 15 Feb 2021 15:46 | 
| Primary Research Area: | NRA3: Threat Detection and Defenses | 
| URI: | https://publications.cispa.saarland/id/eprint/3364 | 
