Layered object-oriented programming : advanced VTable reuse attacks on binary-level defense
Vtable reuse attack, as a novel type of code reuse attacks, is introduced to bypass most binary-level control flow integrity enforcement and vtable integrity enforcement. So far, two binary-level defenses (TypeArmor and vfGuard) are proposed to defend against vtable reuse attacks. Both techniques us...
Main Authors: | Wang, Chenyu; Chen, Bihuan; Liu, Yang; Wu, Hongjun |
---|---|
Other Authors: | School of Physical and Mathematical Sciences |
Format: | Article |
Language: | English |
Published: | 2021 |
Subjects: | Engineering::Computer science and engineering; Vtable Reuse Attacks; Control Flow Integrity |
Online Access: | https://hdl.handle.net/10356/151282 |
Institution: | Nanyang Technological University |
id |
sg-ntu-dr.10356-151282 |
---|---|
record_format |
dspace |
spelling |
sg-ntu-dr.10356-151282
2021-06-16T04:02:26Z
Layered object-oriented programming : advanced VTable reuse attacks on binary-level defense
Wang, Chenyu; Chen, Bihuan; Liu, Yang; Wu, Hongjun
School of Physical and Mathematical Sciences; School of Computer Science and Engineering
Engineering::Computer science and engineering; Vtable Reuse Attacks; Control Flow Integrity
Vtable reuse attack, as a novel type of code reuse attacks, is introduced to bypass most binary-level control flow integrity enforcement and vtable integrity enforcement. So far, two binary-level defenses (TypeArmor and vfGuard) are proposed to defend against vtable reuse attacks. Both techniques use semantic information as the control flow integrity enforcement policy, i.e., TypeArmor and vfGuard utilize argument register count and dispatch offset at virtual callsite as the signature to check the validity of target functions, respectively. In this paper, we propose layered object-oriented programming (LOOP), an advanced vtable reuse attack, to show that the coarse-grained control flow integrity strategies are still vulnerable to vtable reuse attacks. In LOOP, we introduce argument expansion gadgets and transfer gadgets to, respectively, bypass TypeArmor and vfGuard. We generalize the characteristics of both gadgets and develop a tool to discover them at the binary level. We demonstrated that under the protection of TypeArmor and vfGuard, Firefox, Adobe Flash Player, and Internet Explorer are all vulnerable to LOOP attacks. Furthermore, we show the availability of argument expansion gadgets and transfer gadgets in common software or libraries.
National Research Foundation (NRF)
This work was supported in part by the National Research Foundation, Prime Ministers’ Office, Singapore, through the National Cybersecurity Research and Development Program under Grant NRF2016NCR-NCR002-026 and in part by the Shanghai Science and Technology Development Funds under Grant 16JC1400801.
2021-06-16T04:02:26Z 2021-06-16T04:02:26Z 2018 Journal Article
Wang, C., Chen, B., Liu, Y. & Wu, H. (2018). Layered object-oriented programming : advanced VTable reuse attacks on binary-level defense. IEEE Transactions On Information Forensics and Security, 14(3), 693-708. https://dx.doi.org/10.1109/TIFS.2018.2855648
1556-6013 0000-0002-1973-4464 https://hdl.handle.net/10356/151282 10.1109/TIFS.2018.2855648 2-s2.0-85049964510 3 14 693 708 en NRF2016NCR-NCR002-026
IEEE Transactions on Information Forensics and Security
© 2018 IEEE. All rights reserved. |
institution |
Nanyang Technological University |
building |
NTU Library |
continent |
Asia |
country |
Singapore |
content_provider |
NTU Library |
collection |
DR-NTU |
language |
English |
topic |
Engineering::Computer science and engineering Vtable Reuse Attacks Control Flow Integrity |
description |
Vtable reuse attack, as a novel type of code reuse attacks, is introduced to bypass most binary-level control flow integrity enforcement and vtable integrity enforcement. So far, two binary-level defenses (TypeArmor and vfGuard) are proposed to defend against vtable reuse attacks. Both techniques use semantic information as the control flow integrity enforcement policy, i.e., TypeArmor and vfGuard utilize argument register count and dispatch offset at virtual callsite as the signature to check the validity of target functions, respectively. In this paper, we propose layered object-oriented programming (LOOP), an advanced vtable reuse attack, to show that the coarse-grained control flow integrity strategies are still vulnerable to vtable reuse attacks. In LOOP, we introduce argument expansion gadgets and transfer gadgets to, respectively, bypass TypeArmor and vfGuard. We generalize the characteristics of both gadgets and develop a tool to discover them at the binary level. We demonstrated that under the protection of TypeArmor and vfGuard, Firefox, Adobe Flash Player, and Internet Explorer are all vulnerable to LOOP attacks. Furthermore, we show the availability of argument expansion gadgets and transfer gadgets in common software or libraries. |
author2 |
School of Physical and Mathematical Sciences |
author_facet |
School of Physical and Mathematical Sciences Wang, Chenyu Chen, Bihuan Liu, Yang Wu, Hongjun |
format |
Article |
author |
Wang, Chenyu Chen, Bihuan Liu, Yang Wu, Hongjun |
author_sort |
Wang, Chenyu |
title |
Layered object-oriented programming : advanced VTable reuse attacks on binary-level defense |
publishDate |
2021 |
url |
https://hdl.handle.net/10356/151282 |
_version_ |
1703971153574363136 |