HexType: Efficient Detection of Type Confusion Errors for C++ Yuseok Jeon Priyam Biswas Scott A. Carr Byoungyoung Lee Mathias Payer

Size: px

Start display at page:

Download "HexType: Efficient Detection of Type Confusion Errors for C++ Yuseok Jeon Priyam Biswas Scott A. Carr Byoungyoung Lee Mathias Payer"

Caren Berry
5 years ago
Views:

1 HexType: Efficient Detection of Type Confusion Errors for C++ Yuseok Jeon Priyam Biswas Scott A. Carr Byoungyoung Lee Mathias Payer

2 Motivation C++ is a popular programming language Google Chrome, Firefox, and Java Virtual Machine Type confusion bugs are emerging attack vectors Google Chrome (CVE ) Adobe Flash (CVE ) Existing sanitizers are incomplete and impractical 2

3 Outline Motivation Type Confusion Problem HexType Conclusion 3

4 C++ Casting Operators static_cast<toclass>(object) Compile time check No runtime type information dynamic_cast<toclass>(object) Runtime check Requires Runtime Type Information (RTTI) Not used in performance critical code 4

5 Type Confusion Problem Downcast (Unsafe) Shape Upcast (Safe) Square Triangle Upcast: from a derived class to its parent class Downcast: from a parent class to a derived class 5

6 Type Confusion Example Parent P C class Parent { int p_data; virtual void print (void){ }; }; class Child: public Parent { int c_data; void print (void) override{ }; }; Access scope Access of Parent* scope of Child* Access scope of Child* vtable_ptr p_data vtable_ptr.. vtable_ptr p_data p_data C_data C_data Child Parent *Pptr = new Parent; Child *Cptr = static_cast<child*>(pptr); Cptr c_data = 0x ; Undefined Memory corruptions Behavior /! Type Confusion Problem! 6

7 Outline Motivation Type Confusion Problem HexType Design Optimization Coverage Conclusion 7

8 HexType Overview Source code Instrumentation (Type casting verification) Clang HexType Hardend Binary Type Hierarchy Information LLVM Pass HexType Runtime Library Link 8

9 Type Casting Verification [Source code].. B *pb = new B; Update_objTypeMap(pB, B); Object to Type Mapping Table 0x1232 Type1 C *pc = static_cast<c*>(pb); Verify_type_casting(pB, C); 0x2312 0x2333 Type2 Type3 [Runtime library] Verify_type_casting (Ptr *SrcPtr, TypeInfo Dst) { TypeInfo Src = getsrctype(srcptr); istypeconfusioncast(src, Dst); } Type relation information B P F K C Z K 9

10 Outline Motivation Type Confusion Problem HexType Design Optimization Coverage Conclusion 10

11 Previous Works Selective Object Tracing Casting Replace Compile time Verification Data Structure UBSAN X X X RTTI CaVer (SEC 2015) X X Shadow Memory + RB Tree TypeSan (CCS 2016) X X Shadow Memory HexType (CCS 2017) HashMap + RB Tree 11

12 Optimized ObjTypeMap Index Fast-path Slot Slow-path Slot Per-entry RB-tree P *ptr = new P Index = Hash(ptr); C *ptr2 = new C Index = Hash(ptr2); Collision Object Alloc Info RB-tree Ref 1 Addr, Type 2 _ 3 _... _ N 12

13 Optimized ObjTypeMap Fast-path Slot Slow-path Slot Index Allocated Object Ref Hashvalue for Object Name Type Relationship Information Ref RB-tree Ref Per-entry RB-tree 1 0x x51723D 2 0x41563C x51724D - 3 0x41723D x51724D N 0x41563E x51623D 13

14 Optimized ObjTypeMap Program Benchmark Allocated objects stack heap global Fast-path Hit ratio (%) (update) Fast-path hit ratio (%) (lookup) SPEC CPU 2006 Firefox Omnetpp 1m 478m 0.001m Xalancbmk 3,150m 45m 0.003m DealII 497m 283m 0m Soplex 21m 639m 197m Povray Astar Namd Octane 593m 7m 0.125m Drom-js 2,775m 11m 0.125m Drom-dom 34,900m 607m 0.125m

15 Selective Object Tracing Unsafe objects: casting related objects need to keep track of them Safe objects: never used for casting do not need to keep track of them 15

16 Collect Unsafe Object Set Code... B *pb = new B; C *pc = new C; Type hierarchy B A C static_cast<d*>(pb); D E F 1 Extract unsafe objects 2 Initialize unsafe object type set 3 Extract all children types 4 Extend unsafe object type set B,... B, D, E,... 16

17 Only Tracing Unsafe Objects Program SPEC CPU 2006 Firefox Benchmark # of objects Safe objects ratio (%) Omnetpp 480m Xalancbmk 3,196m DealII 781m Soplex 858m Povray 6,550m Astar 28m Namd 2m Octane 600m Drom-js 2,491m Drom-dom 37,538m

18 Replace Dynamic Cast Replaced dynamic_cast to use our fast check Evaluated SPEC CPU2006 C++ benchmarks dealii performs a large number of dynamic_cast (206m) reduced dealii s performance overhead by 4% 18

19 Compile Time Verification 19

20 Performance Overhead Program SPEC CPU 2006 Firefox Benchmark CaVer TypeSan HexType % % % X1 X2 Omnetpp NA 5.07 Xalancbmk DealII NA 5.96 Soplex Povray NA 1.06 Astar NA 1.00 Namd NA Octane Drom-js Drom-dom

21 Outline Motivation Type Confusion Problem HexType Design Optimization Coverage Conclusion 21

22 Increase Detection Coverage The state of the art still has low coverage Firefox 10% ~ 45% Assume that objects are allocated individually Malloc or C++ s operator new Need to handle allocation using memory pools 22

23 Typecasting Coverage Program SPEC CPU 2006 Firefox Benchmark # of casting Type San HexType % % X Omnetpp 2,014m Xalancbmk 283m DealII 3,596m Soplex 0.209m Povray Astar Namd ff-octane 623m ff-drom-js 4,229m ff-drom-dom 10,786m

24 Newly Discovered Vulnerabilities Discovered four new type confusion vulnerabilities Qt base library Apache Xerces-C++ Confirmed and patched by the developers 24

25 New Type Confusion Bug (Apache Xerces-C++) DOMNode DOM Character Data DOM Text DOM TextImpl DOM Element DOM ElementImpl Type Confusion! == HexType Type confusion Report == xercesc/dom/impl/domcasts.hpp Line: 111 [From] DOMTextImpl [To] DOMElementImpl 25

26 New Type Confusion Bug (QT) QMapNode Base QMapNode Type Confusion! 26

27 Outline Motivation Type Confusion Problem HexType Conclusion 27

28 Conclusion HexType increases detection coverage Reduces overhead using several new optimizations Discovered four new type confusion bugs Open Source at 28

29 THANK YOU! Q&A Open Source at 29

30 Placement new / Reinterpret_cast handle template<std::size_t Len, std::size_t Align> struct aligned_storage { typedef struct { alignas(align) unsigned char data[len]; } type; }; template<class T, std::size_t N> class static_vector { size_t Size = sizeof(t); size_t Align = alignof(t); typename std::aligned_storage<size, Align>::type d[n]; public: template<typename...args> void insert(args&& args) { new(d+m_size) T(std::forward<args> ); } const T& operator[](std::size_t pos) const { return &reinterpret_cast<const T*>(d+pos); } }; 30

31 Type Confusion Report P gobj; // declare global variable int main() {... // stack object testing P sobj; P* spobj = &sobj; // Type Confusion! (line 25) C* stest = static_cast<c*>(spobj); // global object testing P* gpobj = &gobj; // Type Confusion! (line 29) C* glotest = static_cast<c*>(gpobj); } // heap object testing P* hpobj = new P; // Type Confusion! (line 33) C* htest = static_cast<c*>(hpobj);... 31

Type Confusion: Discovery, Abuse, Protection. Mathias

Type Confusion: Discovery, Abuse, Protection Mathias Payer, @gannimo http://hexhive.github.io Type confusion leads to RCE Attack surface is huge Google Chrome: 76 MLoC Gnome: 9 MLoC Xorg: glibc: Linux