Marx Uncovering Class Hierarchies in C++ Programs

Size: px

Start display at page:

Download "Marx Uncovering Class Hierarchies in C++ Programs"

Damian Wilkins
6 years ago
Views:

Thorsten Holz, Herbert Bos, Elias Anthonasopoulos, Cristiano Giuffrida

1 Marx Uncovering Class Hierarchies in C++ Programs NDSS 2017, San Diego Andre Pawlowski, Moritz Contag, Victor van der Veen, Chris Ouwehand, Thorsten Holz, Herbert Bos, Elias Anthonasopoulos, Cristiano Giuffrida Ruhr-Universität Bochum Vrije Universiteit Amsterdam University of Cyprus

2 Introduction

3 Introduction We present Marx, a tool to extract class hierarchies from legacy binaries. This eases static analysis of C++ applications. We use the results for security-related use cases: 1. Control-Flow Integrity 2. Type-safe Object Reuse Marx Uncovering Class Hierarchies in C++ Programs 1

4 Motivation C++ applications are hard to analyze statically. Class inheritance. Objects allocated on the heap. Indirect function calls (polymorphism). Marx Uncovering Class Hierarchies in C++ Programs 2

5 Motivation C++ applications are hard to analyze statically. Class inheritance. Objects allocated on the heap. Indirect function calls (polymorphism). Solving these problems aids in the reverse engineering process. Exploit mitigations would profit from solutions to these problems. Counterfeit Object-oriented Programming. Fine-grained control over forward edge. Marx Uncovering Class Hierarchies in C++ Programs 2

6 Control-Flow Integrity

7 Control-Flow Integrity Code Function X new object A mov rdi, object call [[rdi] + offset] Marx Uncovering Class Hierarchies in C++ Programs 3

8 Control-Flow Integrity Code High Level Function X Object A vtblptr Class A function_a1 Class B new object A var_0 function_a2 mov rdi, object call [[rdi] + offset] Marx Uncovering Class Hierarchies in C++ Programs 3

9 Control-Flow Integrity Code High Level Function X Object A vtblptr Class A function_a1 Class B new object A var_0 function_a2 mov rdi, object call [[rdi] + offset] Class Malicious shellcode_0 shellcode_1 Marx Uncovering Class Hierarchies in C++ Programs 3

10 Control-Flow Integrity Code High Level Function X Object A vtblptr Class A function_a1 Class B new object A var_0 function_a2 mov rdi, object call [[rdi] + offset] Class Malicious shellcode_0 shellcode_1 Marx Uncovering Class Hierarchies in C++ Programs 3

11 Control-Flow Integrity Code High Level Function X Object A vtblptr Class A function_a1 Class B new object A var_0 function_a2 mov rdi, object call [[rdi] + offset] Class Malicious shellcode_0 shellcode_1 Marx Uncovering Class Hierarchies in C++ Programs 3

12 Control-Flow Integrity Code High Level Function X Object A vtblptr Class A function_a1 Class B new object A var_0 function_a2 mov rdi, object object in hierarchy? call [[rdi] + offset] Marx Uncovering Class Hierarchies in C++ Programs 4

13 Control-Flow Integrity Code High Level Function X Object A vtblptr Class A function_a1 Class B new object A var_0 function_a2 mov rdi, object object in hierarchy? call [[rdi] + offset] Class Malicious shellcode_0 shellcode_1 Marx Uncovering Class Hierarchies in C++ Programs 4

14 Control-Flow Integrity Code High Level Function X Object A vtblptr Class A function_a1 Class B new object A var_0 function_a2 mov rdi, object object in hierarchy? call [[rdi] + offset] Class Malicious shellcode_0 shellcode_1 Marx Uncovering Class Hierarchies in C++ Programs 4

15 Control-Flow Integrity Code High Level Function X Object A vtblptr Class A function_a1 Class B new object A var_0 function_a2 mov rdi, object object in hierarchy? call [[rdi] + offset] Class Malicious shellcode_0 shellcode_1 Marx Uncovering Class Hierarchies in C++ Programs 4

16 Approach

17 Approach Code High Level Function X mov rdi, object call [[rdi] + offset] Class A function_a1 function_a2 Class B function_b1 function_b2 Class C function_c1 function_c2 Source Code objectfunction_a1() Indirect function calls are prominent C++ artifacts on binary level. Marx Uncovering Class Hierarchies in C++ Programs 5

18 Approach Code High Level Function X mov rdi, object call [[rdi] + offset] Class A function_a1 function_a2 Class B function_b1 function_b2 Class C function_c1 function_c2 At high level, a class may inherit from another. Marx Uncovering Class Hierarchies in C++ Programs 5

19 Approach Code Memory Function X mov rdi, object call [[rdi] + offset] Class A function_a1 function_a2 X Class B function_b1 function_b2 Class C function_c1 function_c2 Inheritance relationships are not readily available in the binary. Marx Uncovering Class Hierarchies in C++ Programs 5

20 Approach Code Memory Function X mov rdi, object call [[rdi] + offset] vtable A function_a1 function_a2 X vtable B function_b1 function_b2 vtable C function_c1 function_c2 Classes are (loosely) represented by vtables instead. Marx Uncovering Class Hierarchies in C++ Programs 5

21 Approach Marx statically recovers the class hierarchy from an x86-64 binary (Itanium ABI). Represents class hierarchy as set of vtables. Ties set of vtables to indirect function call. Marx Uncovering Class Hierarchies in C++ Programs 6

22 Approach Marx statically recovers the class hierarchy from an x86-64 binary (Itanium ABI). Represents class hierarchy as set of vtables. Ties set of vtables to indirect function call. Analysis steps: 1. Identify vtables, 2. inspect their usages, 3. refine results using heuristics, 4. merge results across modules. Marx Uncovering Class Hierarchies in C++ Programs 6

23 Approach 1. Vtable Candidates

24 Approach Vtable Identification Heap or Stack Object A vtblptr A Data Memory Vtable A 0x10 metadata_0 0x08 metadata_1 0x00 A::func_a1 0x08 A::func_a2... Marx Uncovering Class Hierarchies in C++ Programs 7

25 Approach Vtable Identification Heap or Stack Object A vtblptr A Data Memory Vtable A 0x10 metadata_0 0x08 metadata_1 0x00 A::func_a1 0x08 A::func_a2... Marx Uncovering Class Hierarchies in C++ Programs 7

26 Approach Vtable Identification Heap or Stack Object A vtblptr A Data Memory Vtable A 0x10 metadata_0 0x08 metadata_1 0x00 A::func_a1 0x08 A::func_a2... resides in readonly memory (e.g.,.rodata) Marx Uncovering Class Hierarchies in C++ Programs 7

27 Approach Vtable Identification Heap or Stack Object A vtblptr A Data Memory Vtable A 0x10 metadata_0 0x08 metadata_1 0x00 A::func_a1 0x08 A::func_a2... only first function entry is referenced Marx Uncovering Class Hierarchies in C++ Programs 7

28 Approach Vtable Identification Heap or Stack Object A vtblptr A Data Memory Vtable A 0x10 metadata_0 0x08 metadata_1 0x00 A::func_a1 0x08 A::func_a2... metadata fields are within defined range or 0 Marx Uncovering Class Hierarchies in C++ Programs 7

29 Approach Vtable Identification Heap or Stack Object A vtblptr A Data Memory Vtable A 0x10 metadata_0 0x08 metadata_1 0x00 A::func_a1 0x08 A::func_a2... point into code section or are relocation entries Marx Uncovering Class Hierarchies in C++ Programs 7

30 Approach 2. Vtable Usages

31 Approach Overwrite Analysis Hierarchy A B Object Function X new object B call constructor B Constructor B call constructor A write vtblptr B return Code init. variable_1 Constructor A write vtblptr A return Marx Uncovering Class Hierarchies in C++ Programs 8

32 Approach Overwrite Analysis Hierarchy Object Code A B Object B vtblptr variable_1 Function X new object B call constructor B Constructor B call constructor A write vtblptr B init. variable_1 return Constructor A write vtblptr A return Marx Uncovering Class Hierarchies in C++ Programs 8

33 Approach Overwrite Analysis Hierarchy Object Code A B Object B vtblptr variable_1 Function X new object B call constructor B Constructor B call constructor A write vtblptr B init. variable_1 return Constructor A write vtblptr A return Marx Uncovering Class Hierarchies in C++ Programs 8

34 Approach Overwrite Analysis Hierarchy Object Code A B Object B vtblptr A variable_1 Function X new object B call constructor B Constructor B call constructor A write vtblptr B init. variable_1 return Constructor A write vtblptr A return Marx Uncovering Class Hierarchies in C++ Programs 8

35 Approach Overwrite Analysis Hierarchy Object Code A Object B vtblptr A variable_1 Function X new object B call constructor B B Constructor B call constructor A write vtblptr B init. variable_1 return Constructor A write vtblptr A return Marx Uncovering Class Hierarchies in C++ Programs 8

36 Approach Overwrite Analysis Hierarchy Object Code A Object B vtblptr A B variable_1 Function X new object B call constructor B B Constructor B call constructor A write vtblptr B init. variable_1 return Constructor A write vtblptr A return Marx Uncovering Class Hierarchies in C++ Programs 8

37 Approach Overwrite Analysis Hierarchy Object Code A Object B vtblptr B variable_1 Function X new object B call constructor B B Constructor B call constructor A write vtblptr B init. variable_1 return Constructor A write vtblptr A return Marx Uncovering Class Hierarchies in C++ Programs 8

38 Approach Path Generation In a function, build paths visiting 1. indirect calls, 2. direct calls to new, and 3. instructions operating on vtables. Resolve indirect function calls for known vtables in current context. Follows calls with a call depth of 2. Marx Uncovering Class Hierarchies in C++ Programs 9

39 Approach 3. Vtable Heuristics

40 Approach Function Heuristics Hierarchy Class A virt. func_a1() virt. func_a2() Class B virt. func_a1() virt. func_b1() Data Memory Vtable A 0x10 0 0x08 0 0x00 A::func_a1 0x08 A::func_a2 Vtable B 0x10 0 0x08 0 0x00 B::func_a1 0x08 A::func_a2 0x10 B::func_b1 Marx Uncovering Class Hierarchies in C++ Programs 10

41 Approach Function Heuristics Hierarchy Class A virt. func_a1() virt. func_a2() Class B virt. func_a1() virt. func_b1() Data Memory Vtable A 0x10 0 0x08 0 0x00 A::func_a1 0x08 A::func_a2 Vtable B 0x10 0 0x08 0 0x00 B::func_a1 0x08 A::func_a2 0x10 B::func_b1 Marx Uncovering Class Hierarchies in C++ Programs 10

42 Approach Function Heuristics Hierarchy Class A virt. func_a1() virt. func_a2() Class B virt. func_a1() virt. func_b1() Data Memory Vtable A 0x10 0 0x08 0 0x00 A::func_a1 0x08 A::func_a2 Vtable B 0x10 0 0x08 0 0x00 B::func_a1 0x08 A::func_a2 0x10 B::func_b1 Different pointer, yields no information Marx Uncovering Class Hierarchies in C++ Programs 10

43 Approach Function Heuristics Hierarchy Class A virt. func_a1() virt. func_a2() Class B virt. func_a1() virt. func_b1() Data Memory Vtable A 0x10 0 0x08 0 0x00 A::func_a1 0x08 A::func_a2 Vtable B 0x10 0 0x08 0 0x00 B::func_a1 0x08 A::func_a2 0x10 B::func_b1 Same function entry, probably same hierarchy Marx Uncovering Class Hierarchies in C++ Programs 10

44 Approach 4. Inter-Modular Dependencies

45 Approach Inter-Modular Dependencies Applications may consist of several modules. Shared Library Application Marx Uncovering Class Hierarchies in C++ Programs 11

46 Approach Inter-Modular Dependencies Independent analysis yields, e. g., three distinct hierarchies. Shared Library D E F Application G J H I K L Marx Uncovering Class Hierarchies in C++ Programs 11

47 Approach Inter-Modular Dependencies Unless we merge results across modules, we underestimate the hierarchy. Shared Library D E F Application G J H I K L Marx Uncovering Class Hierarchies in C++ Programs 11

48 Evaluation

49 Evaluation Class Hierarchy Reconstruction Application No. of Hierarchies Exactly Reconstructed Time (h) MySQL Server (88%) 11:36 MongoDB (87%) 1:08 Node.js (93%) 0:33 Marx Uncovering Class Hierarchies in C++ Programs 12

50 Evaluation Class Hierarchy Reconstruction Application No. of Hierarchies Exactly Reconstructed Time (h) MySQL Server (88%) 11:36 MongoDB (87%) 1:08 Node.js (93%) 0:33 Marx Uncovering Class Hierarchies in C++ Programs 12

51 Evaluation Class Hierarchy Reconstruction Application No. of Hierarchies Exactly Reconstructed Time (h) MySQL Server (88%) 11:36 MongoDB (87%) 1:08 Node.js (93%) 0:33 48 min analysis time on average for 5 real-world applications. Marx Uncovering Class Hierarchies in C++ Programs 12

52 Evaluation Class Hierarchy Reconstruction Application No. of Hierarchies Exactly Reconstructed Time (h) MySQL Server (88%) 11:36 MongoDB (87%) 1:08 Node.js (93%) 0:33 Application Overestimated Underestimated Not Found MySQL Server 1 (1%) 7 (9%) 1 (1%) MongoDB 0 8 (5%) 13 (8%) Node.js 2 (3%) 2 (3%) 0 48 min analysis time on average for 5 real-world applications. Marx Uncovering Class Hierarchies in C++ Programs 12

53 Evaluation Binary Hardening Use MARX results to harden legacy binaries. Marx Uncovering Class Hierarchies in C++ Programs 13

54 Evaluation Binary Hardening Use MARX results to harden legacy binaries. Implemented and tested two applications: 1. Control-Flow Integrity binary-level Vtable Verification (VTV) 2. Type-safe Object Reuse binary-level Cling, bucketing by hierarchy Lack of precision of analysis? Marx Uncovering Class Hierarchies in C++ Programs 13

55 Evaluation Precision Type-safe Object Reuse allows imprecision, lowered security. Control-Flow Integrity may break applications. Marx Uncovering Class Hierarchies in C++ Programs 14

56 Evaluation Precision Type-safe Object Reuse allows imprecision, lowered security. Control-Flow Integrity may break applications. Enrich static results with dynamic analysis (unit tests). Fall-back to computationally intensive slow path (PathArmor). Marx Uncovering Class Hierarchies in C++ Programs 14

57 Evaluation Precision Type-safe Object Reuse allows imprecision, lowered security. Control-Flow Integrity may break applications. Enrich static results with dynamic analysis (unit tests). Fall-back to computationally intensive slow path (PathArmor). Please refer to the paper for further details. Marx Uncovering Class Hierarchies in C++ Programs 14

58 Conclusion

59 Limitations Approach is compiler-dependent, optimizations may break assumptions. Abstract base classes may not yield a vtable for us to discover. Marx Uncovering Class Hierarchies in C++ Programs 15

60 Limitations Approach is compiler-dependent, optimizations may break assumptions. Abstract base classes may not yield a vtable for us to discover. Analysis is prone to path explosion (inter/intra-procedural path generation). Marx Uncovering Class Hierarchies in C++ Programs 15

61 Limitations Approach is compiler-dependent, optimizations may break assumptions. Abstract base classes may not yield a vtable for us to discover. Analysis is prone to path explosion (inter/intra-procedural path generation). Applications building upon results have to tolerate imprecision. Marx Uncovering Class Hierarchies in C++ Programs 15

62 Conclusion Marx succeeds in recovering the majority of class hierarchies. Large, real-world applications. Promising results. Results are applicable to security-related use cases on the binary level. Our C++ open-source implementation based on libvex is available at Marx Uncovering Class Hierarchies in C++ Programs 16

63 Thank you for your attention. Marx Uncovering Class Hierarchies in C++ Programs 16

64 Conclusion Marx succeeds in recovering the majority of class hierarchies. Large, real-world applications. Promising results. Results are applicable to security-related use cases on the binary level. Our C++ open-source implementation based on libvex is available at Marx Uncovering Class Hierarchies in C++ Programs 17

SafeDispatch Securing C++ Virtual Calls from Memory Corruption Attacks by Jang, Dongseok and Tatlock, Zachary and Lerner, Sorin

SafeDispatch Securing C++ Virtual Calls from Memory Corruption Attacks by Jang, Dongseok and Tatlock, Zachary and Lerner, Sorin in NDSS, 2014 Alexander Hefele Fakultät für Informatik Technische Universität