HexType: Efficient Detection of Type Confusion Errors for C++ Yuseok Jeon Priyam Biswas Scott A. Carr Byoungyoung Lee Mathias Payer

Similar documents
Type Confusion: Discovery, Abuse, Protection. Mathias

Guarding Vulnerable Code: Module 1: Sanitization. Mathias Payer, Purdue University

TypeSan: Practical Type Confusion Detection

Advanced Systems Security: New Threats

Identifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교

EffectiveSan: Type and Memory Error Detection using Dynamically Typed C/C++

Control-Flow Hijacking: Are We Making Progress? Mathias Payer, Purdue University

Lightweight Memory Tracing

CFIXX: Object Type Integrity. Nathan Burow, Derrick McKee, Scott A. Carr, Mathias Payer

CMPSC 497 Other Memory Vulnerabilities

Memory Corruption Vulnerabilities, Part II

A program execution is memory safe so long as memory access errors never occur:

QUIZ. Write the following for the class Bar: Default constructor Constructor Copy-constructor Overloaded assignment oper. Is a destructor needed?

Preventing Use-after-free with Dangling Pointers Nullification

CS527 Software Security

Cling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis

Generating Low-Overhead Dynamic Binary Translators. Mathias Payer and Thomas R. Gross Department of Computer Science ETH Zürich

ECE 3574: Dynamic Polymorphism using Inheritance

Memory corruption: Why we can t have nice things. Mathias Payer

Adding Alignment Support to the C++ Programming Language / Consolidated

UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages

C-style casts Static and Dynamic Casts reinterpret cast const cast PVM. Casts

SECURING SOFTWARE AGAINST LIBRARY ATTACKS

A Fast Instruction Set Simulator for RISC-V

Runtime Defenses against Memory Corruption

CCured. One-Slide Summary. Lecture Outline. Type-Safe Retrofitting of C Programs

C++ Programming: Polymorphism

High System-Code Security with Low Overhead

secubt Hacking the Hackers with User Space Virtualization

Ironclad C++ A Library-Augmented Type-Safe Subset of C++

Overview. Constructors and destructors Virtual functions Single inheritance Multiple inheritance RTTI Templates Exceptions Operator Overloading

High Performance Computing and Programming, Lecture 3

CS C Primer. Tyler Szepesi. January 16, 2013

New features in AddressSanitizer. LLVM developer meeting Nov 7, 2013 Alexey Samsonov, Kostya Serebryany

Dynamic Memory: Alignment and Fragmentation

Modern C++ for Computer Vision and Image Processing. Igor Bogoslavskyi

ROSE-CIRM Detecting C-Style Errors in UPC Code

Advanced Debugging and the Address Sanitizer

CS11 Advanced C++ Fall Lecture 7

SoK: Sanitizing for Security

SoK: Sanitizing for Security

Inheritance, Polymorphism and the Object Memory Model

Kruiser: Semi-synchronized Nonblocking Concurrent Kernel Heap Buffer Overflow Monitoring

SafeDispatch Securing C++ Virtual Calls from Memory Corruption Attacks by Jang, Dongseok and Tatlock, Zachary and Lerner, Sorin

Baggy bounds with LLVM

SoK: Eternal War in Memory Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song In: Oakland 14

An Insight Into Inheritance, Object Oriented Programming, Run-Time Type Information, and Exceptions PV264 Advanced Programming in C++

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

Polymorphism. Miri Ben-Nissan (Kopel) Miri Kopel, Bar-Ilan University

CS61C Machine Structures. Lecture 4 C Structs & Memory Management. 9/5/2007 John Wawrzynek. www-inst.eecs.berkeley.edu/~cs61c/

Cpt S 122 Data Structures. Course Review Midterm Exam # 2

HA2lloc: Hardware-Assisted Secure Allocator

Abstract Classes Interfaces CSCI 201 Principles of Software Development

Abstract Classes Interfaces CSCI 201 Principles of Software Development

DEBUGGING: DYNAMIC PROGRAM ANALYSIS

Overview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas

Class Information ANNOUCEMENTS

Final CSE 131B Spring 2004

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

OBJECT ORIENTED PROGRAMMING USING C++

CSE 431S Type Checking. Washington University Spring 2013

CS241 Computer Organization Spring Data Alignment

IntFlow: Integer Error Handling With Information Flow Tracking

UW CSE 351, Summer 2013 Final Exam

Software Security: Buffer Overflow Attacks

Data Representation and Storage. Some definitions (in C)

Section - Computer Science. int main() {! int a=10,b=20;! printf("a:%d B:%d\n",a,b);! a=(a+b)-(b=a);! printf("a:%d B:%d\n",a,b);!

Program Security and Vulnerabilities Class 2

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

ECE 15B COMPUTER ORGANIZATION

CS61C Machine Structures. Lecture 5 C Structs & Memory Mangement. 1/27/2006 John Wawrzynek. www-inst.eecs.berkeley.edu/~cs61c/

Memory Safety for Embedded Devices with nescheck

Lecture 14. No in-class files today. Homework 7 (due on Wednesday) and Project 3 (due in 10 days) posted. Questions?

Fall 2018 Discussion 2: September 3, 2018

Black Hat Webcast Series. C/C++ AppSec in 2014

Stream Computing using Brook+

Call Paths for Pin Tools

Protecting Dynamic Code by Modular Control-Flow Integrity

CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2017 Lecture 7

Inheritance. OOP components. Another Example. Is a Vs Has a. Virtual Destructor rule. Virtual Functions 4/13/2017

C++ Objects Overloading Other C++ Peter Kristensen

CS 330 Lecture 18. Symbol table. C scope rules. Declarations. Chapter 5 Louden Outline

Software Security: Buffer Overflow Defenses and Miscellaneous

CSC 405 Introduction to Computer Security Fuzzing

The Java Language Implementation

(13-2) Dynamic Data Structures I H&K Chapter 13. Instructor - Andrew S. O Fallon CptS 121 (November 17, 2017) Washington State University

Overview. Constructors and destructors Virtual functions Single inheritance Multiple inheritance RTTI Templates Exceptions Operator Overloading

Dynamic code analysis tools

Pointers, Dynamic Data, and Reference Types

Checked C. Michael Hicks The University of Maryland joint work with David Tarditi (MSR), Andrew Ruef (UMD), Sam Elliott (UW)

A brief introduction to C programming for Java programmers

Memory Management I. two kinds of memory: stack and heap

Baggy bounds checking. Periklis Akri5dis, Manuel Costa, Miguel Castro, Steven Hand

DAY 3. CS3600, Northeastern University. Alan Mislove

Handling Self Modifying Code Using Software Dynamic Translation

Putting the Checks into Checked C

Buffer overflow background

COMP26120: Linked List in C (2018/19) Lucas Cordeiro

Tokens, Expressions and Control Structures

CS527 Software Security

Transcription:

HexType: Efficient Detection of Type Confusion Errors for C++ Yuseok Jeon Priyam Biswas Scott A. Carr Byoungyoung Lee Mathias Payer

Motivation C++ is a popular programming language Google Chrome, Firefox, and Java Virtual Machine Type confusion bugs are emerging attack vectors Google Chrome (CVE-2017-5023) Adobe Flash (CVE-2017-2095) Existing sanitizers are incomplete and impractical 2

Outline Motivation Type Confusion Problem HexType Conclusion 3

C++ Casting Operators static_cast<toclass>(object) Compile time check No runtime type information dynamic_cast<toclass>(object) Runtime check Requires Runtime Type Information (RTTI) Not used in performance critical code 4

Type Confusion Problem Downcast (Unsafe) Shape Upcast (Safe) Square Triangle Upcast: from a derived class to its parent class Downcast: from a parent class to a derived class 5

Type Confusion Example Parent P C class Parent { int p_data; virtual void print (void){ }; }; class Child: public Parent { int c_data; void print (void) override{ }; }; Access scope Access of Parent* scope of Child* Access scope of Child* vtable_ptr p_data vtable_ptr.. vtable_ptr p_data p_data C_data C_data Child Parent *Pptr = new Parent; Child *Cptr = static_cast<child*>(pptr); Cptr c_data = 0x12345678; Undefined Memory corruptions Behavior /! Type Confusion Problem! 6

Outline Motivation Type Confusion Problem HexType Design Optimization Coverage Conclusion 7

HexType Overview Source code Instrumentation (Type casting verification) Clang HexType Hardend Binary Type Hierarchy Information LLVM Pass HexType Runtime Library Link 8

Type Casting Verification [Source code].. B *pb = new B; Update_objTypeMap(pB, B); Object to Type Mapping Table 0x1232 Type1 C *pc = static_cast<c*>(pb); Verify_type_casting(pB, C); 0x2312 0x2333 Type2 Type3 [Runtime library] Verify_type_casting (Ptr *SrcPtr, TypeInfo Dst) { TypeInfo Src = getsrctype(srcptr); istypeconfusioncast(src, Dst); } Type relation information B P F K C Z K 9

Outline Motivation Type Confusion Problem HexType Design Optimization Coverage Conclusion 10

Previous Works Selective Object Tracing Casting Replace Compile time Verification Data Structure UBSAN X X X RTTI CaVer (SEC 2015) X X Shadow Memory + RB Tree TypeSan (CCS 2016) X X Shadow Memory HexType (CCS 2017) HashMap + RB Tree 11

Optimized ObjTypeMap Index Fast-path Slot Slow-path Slot Per-entry RB-tree P *ptr = new P Index = Hash(ptr); C *ptr2 = new C Index = Hash(ptr2); Collision Object Alloc Info RB-tree Ref 1 Addr, Type 2 _ 3 _... _ N 12

Optimized ObjTypeMap Fast-path Slot Slow-path Slot Index Allocated Object Ref Hashvalue for Object Name Type Relationship Information Ref RB-tree Ref Per-entry RB-tree 1 0x417000 2341234 0x51723D 2 0x41563C 1312321 0x51724D - 3 0x41723D 7231234 0x51724D -... - - - - N 0x41563E 4232123 0x51623D 13

Optimized ObjTypeMap Program Benchmark Allocated objects stack heap global Fast-path Hit ratio (%) (update) Fast-path hit ratio (%) (lookup) SPEC CPU 2006 Firefox Omnetpp 1m 478m 0.001m 100.00 100.00 Xalancbmk 3,150m 45m 0.003m 100.00 100.00 DealII 497m 283m 0m 99.99 100.00 Soplex 21m 639m 197m 99.69 100.00 Povray - - - - - Astar - - - - - Namd - - - - - Octane 593m 7m 0.125m 98.82 98.65 Drom-js 2,775m 11m 0.125m 99.65 98.43 Drom-dom 34,900m 607m 0.125m 99.71 94.10 14

Selective Object Tracing Unsafe objects: casting related objects need to keep track of them Safe objects: never used for casting do not need to keep track of them 15

Collect Unsafe Object Set Code... B *pb = new B; C *pc = new C; Type hierarchy B A C static_cast<d*>(pb); D E F 1 Extract unsafe objects 2 Initialize unsafe object type set 3 Extract all children types 4 Extend unsafe object type set B,... B, D, E,... 16

Only Tracing Unsafe Objects Program SPEC CPU 2006 Firefox Benchmark # of objects Safe objects ratio (%) Omnetpp 480m 54.77 Xalancbmk 3,196m 99.42 DealII 781m 83.81 Soplex 858m 97.87 Povray 6,550m 100.00 Astar 28m 100.00 Namd 2m 100.00 Octane 600m 44.11 Drom-js 2,491m 40.26 Drom-dom 37,538m 21.54 17

Replace Dynamic Cast Replaced dynamic_cast to use our fast check Evaluated SPEC CPU2006 C++ benchmarks dealii performs a large number of dynamic_cast (206m) reduced dealii s performance overhead by 4% 18

Compile Time Verification 19

Performance Overhead Program SPEC CPU 2006 Firefox Benchmark CaVer TypeSan HexType % % % X1 X2 Omnetpp - 49.13 9.69 NA 5.07 Xalancbmk 29.60 41.35 1.25 23.68 33.08 DealII - 78.23 13.13 NA 5.96 Soplex 20.00 1.16 0.76 26.32 1.53 Povray - 0.36 0.34 NA 1.06 Astar - 0.16-0.37 NA 1.00 Namd - 26.73 0.80 NA 33.41 Octane 45.00 19.37 30.87 1.45-1.59 Drom-js 40.00 25.18 25.89 1.55-1.03 Drom-dom 55.00 97.15 126.03-2.29-1.30 20

Outline Motivation Type Confusion Problem HexType Design Optimization Coverage Conclusion 21

Increase Detection Coverage The state of the art still has low coverage Firefox 10% ~ 45% Assume that objects are allocated individually Malloc or C++ s operator new Need to handle allocation using memory pools 22

Typecasting Coverage Program SPEC CPU 2006 Firefox Benchmark # of casting Type San HexType % % X Omnetpp 2,014m 1 1 1 Xalancbmk 283m 0.9 1 1.1 DealII 3,596m 1 1 1 Soplex 0.209m 1 1 1 Povray 0 - - - Astar 0 - - - Namd 0 - - - ff-octane 623m 0.1 0.7 7 ff-drom-js 4,229m 0.2 0.8 4 ff-drom-dom 10,786m 0.5 0.9 1.8 23

Newly Discovered Vulnerabilities Discovered four new type confusion vulnerabilities Qt base library Apache Xerces-C++ Confirmed and patched by the developers 24

New Type Confusion Bug (Apache Xerces-C++) DOMNode DOM Character Data DOM Text DOM TextImpl DOM Element DOM ElementImpl Type Confusion! == HexType Type confusion Report == xercesc/dom/impl/domcasts.hpp Line: 111 [From] DOMTextImpl [To] DOMElementImpl 25

New Type Confusion Bug (QT) QMapNode Base QMapNode Type Confusion! 26

Outline Motivation Type Confusion Problem HexType Conclusion 27

Conclusion HexType increases detection coverage Reduces overhead using several new optimizations Discovered four new type confusion bugs Open Source at https://github.com/hexhive/hextype 28

THANK YOU! Q&A Open Source at https://github.com/hexhive/hextype 29

Placement new / Reinterpret_cast handle template<std::size_t Len, std::size_t Align> struct aligned_storage { typedef struct { alignas(align) unsigned char data[len]; } type; }; template<class T, std::size_t N> class static_vector { size_t Size = sizeof(t); size_t Align = alignof(t); typename std::aligned_storage<size, Align>::type d[n]; public: template<typename...args> void insert(args&& args) { new(d+m_size) T(std::forward<args> ); } const T& operator[](std::size_t pos) const { return &reinterpret_cast<const T*>(d+pos); } }; 30

Type Confusion Report P gobj; // declare global variable int main() {... // stack object testing P sobj; P* spobj = &sobj; // Type Confusion! (line 25) C* stest = static_cast<c*>(spobj); // global object testing P* gpobj = &gobj; // Type Confusion! (line 29) C* glotest = static_cast<c*>(gpobj); } // heap object testing P* hpobj = new P; // Type Confusion! (line 33) C* htest = static_cast<c*>(hpobj);... 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback