Dongseok Jang, Zachary Tatlock, Sorin Lerner (ztatlock/pubs/sd-jang...) · 2020-04-06
Page 1: Dongseok Jang (UC San Diego), Zachary Tatlock (University of Washington), Sorin Lerner (UC San Diego)
Page 2: Vulnerable
Page 3: Control Flow Hijacking
Lead the program to jump to unexpected code that does what the attacker wants.
Example: stack buffer overflow attacks. Well studied, and hard to make critical by itself.
New frontier: vtable hijacking.
Page 4: Vtable Pointers: Mechanism for Virtual Functions
class C { virtual int foo(); virtual int bar(); int fld; }; ... C *x = new C();
Diagram: x -> heap obj [vptr | fld]; vptr -> vtable [foo | bar]; the vtable entries point to foo's impl and bar's impl.
Page 5: Vtable Pointers: Virtual Call: 2-Step Dereferencing for Callee
x->foo();
Diagram: x -> heap obj [vptr | fld]; vptr -> vtable [foo | bar] -> foo's impl, bar's impl.
Lowered call: vptr = *((FPTR**)x); f = *(vptr + 0); f(x);
Page 6: Vtable Hijacking
Diagram: x -> heap obj [bad | fld]; the corrupted vptr no longer points to the real vtable [foo | bar] -> foo's impl, bar's impl, but to a fake vtable whose entries lead to arbitrary code.
x->foo(); lowers to the same vptr = *((FPTR**)x); f = *(vptr + 0); f(x); so f is now taken from the fake vtable.
Page 7: Vtable Hijacking via Use-after-Free
C *x = new C(); x->foo(); delete x; // forget x = NULL; ... D *y = new D(); y->buf[0] = input(); ... x->foo();
Diagram: x -> [C::vptr | x's fld]; after delete the chunk is a candidate for reallocation; y -> [buf[0] | buf[1]] lands on the same memory; after the write it reads [corrupted | buf[1]], and x->foo() uses the corrupted data for x's vptr.
Page 8: Vtable Hijacking: Real Case
Vtable hijacking of Chrome via use-after-free: Pinkie Pie's demonstration at Pwn2Own, used to trigger ROP for sandbox escaping of Chrome.
Found in IE, Firefox, Chrome.
Page 9: How to Prevent Vtable Hijacking? With accuracy and low overhead?
Page 10: Code Instrumentation
C *x = ... Check(x); x->foo();
Page 11: Code Instrumentation
C *x = ... ASSERT(VPTR(x) ∈ Valid(C)); x->foo();
Valid(C) = { vptr of C or C's subclasses }, obtained by class hierarchy analysis (CHA).
Page 12: Code Instrumentation
C *x = ... ASSERT(VPTR(x) ∈ Valid(C)); x->foo();
A simple implementation can be slow: it involves data structure lookups and function calls.
Page 13: Inlining Optimization
C *x = ... ASSERT(VPTR(x) ∈ Valid(C)); x->foo();
The call x->foo() lowers to: vptr = *((FPTR**)x); f = *(vptr + 0); f(x);
Page 14: Inlining Optimization
C *x = ... vptr = *((FPTR**)x); ASSERT(vptr ∈ Valid(C)); f = *(vptr + 0); f(x);
The check ASSERT(VPTR(x) ∈ Valid(C)) is replaced by ASSERT(vptr ∈ Valid(C)) on the vptr that the call already loads.
Page 15: Inlining Optimization
C *x = ... vptr = *((FPTR**)x); ASSERT(vptr ∈ Valid(C)); f = *(vptr + 0); f(x);
Say that C has only one subclass D → specialization of checks: ASSERT(vptr ∈ Valid(C)) becomes ASSERT(vptr ∈ {C::vptr, D::vptr});
Page 16: Inlining Optimization
C *x = ... vptr = *((FPTR**)x); ASSERT(vptr ∈ {C::vptr, D::vptr}); SAFE: f = *(vptr + 0); f(x);
Page 17: Inlining Optimization
C *x = ... vptr = *((FPTR**)x); if (vptr == C::vptr) goto SAFE; if (vptr == D::vptr) goto SAFE; exit(-1); SAFE: f = *(vptr + 0); f(x);
The specialized ASSERT(vptr ∈ {C::vptr, D::vptr}) is inlined as a chain of pointer comparisons.
Page 18: Inlining Optimization
C *x = ... vptr = *((FPTR**)x); if (vptr == C::vptr) goto SAFE; if (vptr == D::vptr) goto SAFE; exit(-1); SAFE: f = *(vptr + 0); f(x);
How to order the inlined checks? → Profile-guided inlining.
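As an added example (not the SafeDispatch compiler's own output), the checks from pages 11 to 18 written by hand in C++: the slow Valid(C) set lookup, the inlined two-compare specialization for a C with exactly one subclass D, and a constructed object with a forged vptr that both checks reject. The classes C and D, the memcpy-based VPTR reads and the way C::vptr and D::vptr are obtained are assumptions of this example.

```cpp
#include <cstdlib>
#include <cstring>
#include <new>
#include <set>

// Constructed hierarchy: C has exactly one subclass D, as the slides assume.
struct C { virtual int foo() { return 1; } virtual int bar() { return 2; } int fld = 7; };
struct D : C { int foo() override { return 10; } };
using VPtr = const void*;  // the vtable address stored in the object's first word
// VPTR(x): a single load of the first word (memcpy avoids aliasing issues).
static VPtr vptr_of(const C* x) { VPtr v; std::memcpy(&v, x, sizeof v); return v; }
// C::vptr and D::vptr: SafeDispatch derives these statically by class hierarchy
// analysis; here each is read once from a throwaway instance.
static VPtr vptr_C() { static const VPtr v = [] { C c; return vptr_of(&c); }(); return v; }
static VPtr vptr_D() { static const VPtr v = [] { D d; return vptr_of(&d); }(); return v; }
// Unoptimized: ASSERT(VPTR(x) ∈ Valid(C)) as a data-structure lookup.
static bool vptr_valid_slow(const C* x) {
    static const std::set<VPtr> valid = { vptr_C(), vptr_D() };
    return valid.count(vptr_of(x)) != 0;
}

// Inlined and specialized: Valid(C) = {C::vptr, D::vptr} becomes two compares,
// ordered by profiling so the common case exits first.
static bool vptr_valid_inlined(const C* x) {
    VPtr vptr = vptr_of(x);
    if (vptr == vptr_C()) return true;  // goto SAFE
    if (vptr == vptr_D()) return true;  // goto SAFE
    return false;                       // exit(-1)
}

// Instrumented call site: never dispatch through an unknown vtable.
static int checked_foo(C* x) {
    if (!vptr_valid_inlined(x)) std::abort();
    return x->foo();
}
// Both checks agree on legitimate objects.
static int call_on_C() { C c; return vptr_valid_slow(&c) ? checked_foo(&c) : -1; }  // returns 1
static int call_on_D() { D d; return vptr_valid_slow(&d) ? checked_foo(&d) : -1; }  // returns 10

// The corrupted object from the use-after-free slide, constructed here: build a
// C in a raw buffer, then overwrite its vptr word with a bogus address.
static bool forged_vptr_is_rejected() {
    alignas(C) unsigned char raw[sizeof(C)];
    ::new (static_cast<void*>(raw)) C;
    static const void* fake_vtable[2] = {}; const VPtr bogus = fake_vtable;
    std::memcpy(raw, &bogus, sizeof bogus);
    const C* x = reinterpret_cast<const C*>(raw);
    return !vptr_valid_slow(x) && !vptr_valid_inlined(x);
}
```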
Page 19: Method Pointer Checking
C *x = ... vptr = *((FPTR**)x); ASSERT(vptr ∈ {C::vptr, D::vptr}); f = *(vptr + 0); f(x)
Here vptr = ...; f = ...; f(x) is the lowered x->foo().
Page 20: Method Pointer Checking
C *x = ... vptr = *((FPTR**)x); f = *(vptr + 0); ASSERT(f ∈ ValidM(C,foo)); f(x)
The vtable check ASSERT(vptr ∈ {C::vptr, D::vptr}) is replaced by a check on the callee f.
Checking the callee before it is called provides the same security as vtable checking.
Page 21: Method Pointer Checking
C *x = ... vptr = *((FPTR**)x); f = *(vptr + 0); ASSERT(f ∈ ValidM(C,foo)); f(x)
Say that C has one subclass D and D doesn't override C::foo() → ASSERT(f ∈ {C::foo});
Save checks for shared methods.
Page 22: Member Pointers in C++
A *x = ... // m: index into a vtable // x->*m can be any method of A
(x->*m)()
Say that A has 1000 methods → up to 1000 method ptr checks! Vtable checking can be faster.
Page 23: Method Pointer Checking
Fewer checks for usual virtual calls; more checks for member pointer calls.
Page 24: Hybrid Checking
Method checking for usual virtual calls; vtable checking for member pointer calls.
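As an added example in plain C++ (not SafeDispatch's compiler output), the two checks the hybrid scheme of pages 19 to 24 chooses between, with the 2-step dereference from page 5 written out: the method pointer check costs one compare for x->foo() when D shares C::foo, while the member pointer call (x->*m)() gets the vtable check. The classes, the slot indices and the memcpy reads of the vtable are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <set>

// Constructed hierarchy: D overrides bar but inherits C::foo unchanged.
struct C { virtual int foo() { return 1; } virtual int bar() { return 2; } int fld = 0; };
struct D : C { int bar() override { return 20; } };
using Slot = const void*;   // one vtable entry: a method implementation address
enum { FOO = 0, BAR = 1 };  // slot indices follow declaration order (assumed ABI)

// The 2-step dereference of a virtual call: vptr = *((FPTR**)x); f = *(vptr + i);
static Slot vptr_word(const C* x) { Slot v; std::memcpy(&v, x, sizeof v); return v; }
static Slot callee_of(const C* x, int i) {
    const Slot* vptr; std::memcpy(&vptr, x, sizeof vptr);
    Slot f; std::memcpy(&f, vptr + i, sizeof f);
    return f;
}

// ValidM(C, m): implementations of slot m across C's hierarchy; Valid(C): its vptrs.
// SafeDispatch computes both statically; here they are read from one instance of each class.
static std::set<Slot> validM(int i) { C c; D d; return { callee_of(&c, i), callee_of(&d, i) }; }
static std::set<Slot> validV() { C c; D d; return { vptr_word(&c), vptr_word(&d) }; }

// Inlined compares each check costs at a call site on C.
static std::size_t compares_method_foo() { return validM(FOO).size(); }  // 1: D shares C::foo
static std::size_t compares_method_bar() { return validM(BAR).size(); }  // 2
static std::size_t compares_vtable()     { return validV().size(); }     // 2

// Usual virtual call x->foo(): method pointer check, ASSERT(f ∈ ValidM(C,foo)).
static int checked_foo(C* x) {
    static const std::set<Slot> valid = validM(FOO);
    if (!valid.count(callee_of(x, FOO))) std::abort();
    return x->foo();
}

// Member pointer call (x->*m)(): m may name any method of C, so a method check would
// need one compare per method; the hybrid scheme uses the vtable check here instead.
using MemFn = int (C::*)();
static int checked_member_call(C* x, MemFn m) {
    static const std::set<Slot> valid = validV();
    if (!valid.count(vptr_word(x))) std::abort();
    return (x->*m)();
}

static int demo_foo_on_D()        { D d; return checked_foo(&d); }                  // returns 1
static int demo_member_bar_on_D() { D d; return checked_member_call(&d, &C::bar); } // returns 20
```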
Page 25: Tamper Resistance
Inserted checks in read-only memory; checking data in read-only memory.
Page 26: Performance: Benchmark
Chromium browser: realistic (≈ 3 million lines of C++/C), a popular target of vtable hijacking.
Running on JS and HTML5 benchmarks.
Page 27: Performance: Unoptimized (Avg: 23%)
Chart: runtime overhead (%) per JS and HTML benchmark, y-axis 0 to 35.
Page 28: Performance: Profile-Guided Inlining (Avg: 6%)
Charts (two panels): runtime overhead (%) per JS and HTML benchmark, y-axis 0 to 35.
Page 29: Performance: Inlined Method Ptr Checking (3%)
Charts (three panels): runtime overhead (%) per JS and HTML benchmark, y-axis 0 to 35.
Page 30: Performance: Hybrid Checking (Avg: 2%)
Chart: runtime overhead (%) per JS and HTML benchmark, y-axis 0 to 35.
Page 31: Code Size Overhead
7% code size increase: 8.3 MB out of 119 MB, for checking data + inlined checks.
Page 32: Future Work
Separate compilation: link-time CHA / inlining.
Dynamic link libraries: runtime update of checking data.
Page 33: Summary
Vtable hijacking: often happening in web browsers.
Compiler-based approach: code instrumentation / static analysis.
Realistic overhead: careful compiler optimizations.
Page 34: Thank you!
http://goto.ucsd.edu/safedispatch