haku: @keyword C++ / yhteensä: 23
viite: 1 / 23
« edellinen | seuraava »
| Tekijä: | Sarbinowski, Pawel |
| Työn nimi: | VTPin: Protecting Legacy Software from VTable Hijacking |
| Julkaisutyyppi: | Diplomityö |
| Julkaisuvuosi: | 2016 |
| Sivut: | (4) + 36 Kieli: eng |
| Koulu/Laitos/Osasto: | Perustieteiden korkeakoulu |
| Oppiaine: | Security and Mobile Computing (T3011) |
| Valvoja: | Aura, Tuomas |
| Ohjaaja: | Athanasopoulos, Elias ; Kemerlis, Vasileios |
| Elektroninen julkaisu: | http://urn.fi/URN:NBN:fi:aalto-201611025259 |
| Sijainti: | P1 Ark Aalto 5339 | Arkisto |
| Avainsanat: | vtable vulnerabilities binary c++ protection use-after-free |
| Tiivistelmä (eng): | VTable hijacking has lately been promoted to the de facto technique for exploiting C++ applications, and in particular web browsers. VTables can be manipulated without corrupting memory, simply by leveraging use-after-free vulnerabilities. In recent Pwn2Own competitions all major web browsers, as well as Adobe Flash player were compromised with exploits based on use-after-free vulnerabilities and most had VTable hijacking at some intermediate step of the attack. In this thesis, we propose VTPin: a system to protect against VTable hijacking, via use-after-free vulnerabilities, in large C++ binaries that cannot be re-compiled or rewritten. The main idea behind VTPin is to pin all the freed VTable pointers on a safe VTable under VTPin's control. Specifically, for every occurring object deallocation, free, VTPin quickly identifies if it is associated with a virtual object; in case it is not, VTPin outsources the deallocation to the program's allocator. Otherwise, VTPin deallocates all space allocated, but preserves and updates the VTable pointer with the address of the safe VTable. Hence, any dereferenced dangling pointer can only invoke a method provided by VTPin's safe object. Subsequently, all virtual-method calls due to dangling pointers are not simply neutralized, but they can be logged, tracked, and patched. Compared to other solutions that defend against VTable hijacking, VTPin exhibits certain characteristics that make it suitable for practical and instant deployment in production software. First, VTPin protects binaries, directly and transparently, without requiring source compilation or binary rewriting. Second, VTPin is not an allocator replacement, and thus it does not interfere with the allocation strategies and policies of the protected program; it intervenes in the deallocation process only when a virtual object is to be freed for preserving the VTable pointer. Third, VTPin is fast; Mozilla Firefox, protected with VTPin, experiences an average overhead of 1% to 4.1% when running popular browser benchmarks. |
| ED: | 2016-11-13 |
INSSI tietueen numero: 54794
+ lisää koriin
« edellinen | seuraava »
INSSI