Technical Report: Towards Automated Integrity Protection of C++ Virtual Function Tables in Binary Programs

Robert Gawlik, Thorsten Holz

TR-HGI-2014-004, Ruhr-Universität Bochum, Horst Görtz Institut für IT-Sicherheit (HGI), December 2014


Web browsers are among the most widely used, complex and popular software systems today. They are prone to use-after-free vulnerabilities, and exploiting such bugs is the de-facto way to attack them. From a technical point of view, an attacker uses a technique called vtable hijacking to exploit such bugs. More specifically, she crafts a bogus virtual table and lets a freed C++ object point to it in order to gain control over the program at virtual function call sites.

In this paper, we present a novel approach towards mitigating and detecting such attacks against C++ binary code. We propose a static binary analysis technique to extract virtual function call site information in an automated way. Leveraging this information, we instrument the given binary executable and add runtime policy enforcements to thwart the illegal usage of these call sites. We implemented the proposed techniques in a prototype called T-VIP and successfully hardened three versions of Microsoft’s Internet Explorer and Mozilla Firefox. An evaluation with several zero-day exploits demonstrates that our method prevents all of them. Micro- and macro-level performance benchmarks indicate that the overhead is reasonable at about 2.2%, which is slightly higher than that of recent compiler-based approaches addressing this problem.
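To make the call-site policy idea concrete, the following C++ example (added here; it is not code from the report or from the T-VIP prototype) shows what a runtime check guarding a virtual call looks like in source form. It assumes the usual object layout where the hidden vtable pointer sits at offset 0 of a polymorphic object (true for the Itanium C++ ABI and MSVC in this single-inheritance case), and it uses a simple allow-list of vtable addresses as the policy; the set is populated from sample objects at startup, standing in for the information a static binary analysis would extract. The corrupted-object case is simulated with a constructed byte buffer whose first word is not a vtable, which is the situation the check must refuse to dispatch on.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>
#include <set>

// Minimal class hierarchy with virtual dispatch. Each polymorphic object
// starts with a hidden vtable pointer (vptr); this example assumes it is
// at offset 0, as in the Itanium C++ ABI and MSVC for this layout.
struct Shape {
    virtual ~Shape() {}
    virtual int area() const = 0;
};

struct Square : Shape {
    int side;
    explicit Square(int s) : side(s) {}
    int area() const override { return side * side; }
};

struct Rect : Shape {
    int w, h;
    Rect(int w_, int h_) : w(w_), h(h_) {}
    int area() const override { return w * h; }
};

// Read the hidden vptr from the start of an object without dispatching.
static const void* read_vptr(const void* obj) {
    const void* vptr;
    std::memcpy(&vptr, obj, sizeof(vptr));
    return vptr;
}

// Allow-list of vtable addresses belonging to legitimate classes. This is
// the hypothetical policy used here (not T-VIP's own); a binary rewriter
// would derive the set statically, this program learns it from samples.
static std::set<const void*>& known_vtables() {
    static std::set<const void*> s;
    return s;
}

static void register_class_vtable(const Shape& sample) {
    known_vtables().insert(read_vptr(&sample));
}

// Instrumented virtual call site: dispatch only if the object's vptr is a
// registered vtable. Returns false instead of calling through an unknown
// pointer (a hardened binary would abort or log at this point).
static bool checked_area(const Shape* obj, int* result) {
    if (known_vtables().count(read_vptr(obj)) == 0) {
        return false;  // vptr does not name any known vtable: refuse dispatch
    }
    *result = obj->area();
    return true;
}

// Register the vtables of every class this program legitimately uses.
static void init_policy() {
    Square sq(1);
    Rect rc(1, 1);
    register_class_vtable(sq);
    register_class_vtable(rc);
}

// A genuine object passes the check and the call yields the right value.
static bool demo_legit() {
    init_policy();
    Square sq(4);
    int a = 0;
    return checked_area(&sq, &a) && a == 16;
}

// Constructed stand-in for memory that no longer holds a valid object: a
// buffer whose first word points at a plain integer array, not a vtable.
// The policy check must reject it before any indirect call happens.
static bool demo_corrupted() {
    init_policy();
    alignas(void*) unsigned char buf[sizeof(Square)];
    std::memset(buf, 0, sizeof(buf));
    static int not_a_vtable[4] = {0, 0, 0, 0};
    const void* bogus = not_a_vtable;
    std::memcpy(buf, &bogus, sizeof(bogus));
    int a = 0;
    return !checked_area(reinterpret_cast<const Shape*>(buf), &a);
}

int main() {
    std::cout << "legitimate object dispatched: " << (demo_legit() ? "yes" : "no") << "\n";
    std::cout << "corrupted object blocked:     " << (demo_corrupted() ? "yes" : "no") << "\n";
    return 0;
}
```

The allow-list makes the design trade-off visible: the check is a set lookup per virtual call, which is where the measured overhead of such schemes comes from, and its precision depends entirely on how completely the legitimate vtables were enumerated beforehand, which is exactly the job the report assigns to static binary analysis.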


tags: binary analysis, integrity protection