基于动态二进制检测的c++二进制程序虚拟函数表劫持防御方案

2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC) Pub Date : 2015-11-04 DOI:10.1109/3PGCIC.2015.102

Yong Wang, Ming Li, Hailin Yan, Zhenyan Liu, Jingfeng Xue, Changzhen Hu

{"title":"基于动态二进制检测的c++二进制程序虚拟函数表劫持防御方案","authors":"Yong Wang, Ming Li, Hailin Yan, Zhenyan Liu, Jingfeng Xue, Changzhen Hu","doi":"10.1109/3PGCIC.2015.102","DOIUrl":null,"url":null,"abstract":"Memory corruption bugs are one of the most critical vulnerabilities in software security, which can be exploited to overwrite virtual tables (vtables) or virtual table pointers (vfptrs) and finally gain control over the programs at virtual function call sites (vtable hijacking). In this paper, we propose a novel approach to detect vtable hijacking attacks against C++ binary executables. We first analyze the programs to get vtable information of each class, and backup the original vtables and vfptrs at runtime, then instrument security checks dynamically before virtual function dispatches to validate vtables' integrity. We implement the proposed approach as a tool and use it to successfully detect vtable hijacking attacks on the version 11 of Microsoft's Internet Explorer.","PeriodicalId":395401,"journal":{"name":"2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC)","volume":"67 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2015-11-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Dynamic Binary Instrumentation Based Defense Solution against Virtual Function Table Hijacking Attacks at C++ Binary Programs\",\"authors\":\"Yong Wang, Ming Li, Hailin Yan, Zhenyan Liu, Jingfeng Xue, Changzhen Hu\",\"doi\":\"10.1109/3PGCIC.2015.102\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Memory corruption bugs are one of the most critical vulnerabilities in software security, which can be exploited to overwrite virtual tables (vtables) or virtual table pointers (vfptrs) and finally gain control over the programs at virtual function call sites (vtable hijacking). In this paper, we propose a novel approach to detect vtable hijacking attacks against C++ binary executables. We first analyze the programs to get vtable information of each class, and backup the original vtables and vfptrs at runtime, then instrument security checks dynamically before virtual function dispatches to validate vtables' integrity. We implement the proposed approach as a tool and use it to successfully detect vtable hijacking attacks on the version 11 of Microsoft's Internet Explorer.\",\"PeriodicalId\":395401,\"journal\":{\"name\":\"2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC)\",\"volume\":\"67 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2015-11-04\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/3PGCIC.2015.102\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/3PGCIC.2015.102","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

摘要

内存损坏漏洞是软件安全中最关键的漏洞之一，它可以被利用来覆盖虚拟表(vtables)或虚拟表指针(vfptrs)，并最终获得对虚拟函数调用站点的程序的控制(vtable劫持)。在本文中，我们提出了一种新的方法来检测针对c++二进制可执行文件的虚表劫持攻击。首先对程序进行分析，获取每个类的虚表信息，并在运行时对原始虚表和虚表进行备份，然后在虚函数调度前进行动态安全检查，验证虚表的完整性。我们将提出的方法作为一种工具来实现，并使用它成功地检测了针对微软Internet Explorer 11版本的虚表劫持攻击。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Dynamic Binary Instrumentation Based Defense Solution against Virtual Function Table Hijacking Attacks at C++ Binary Programs

Memory corruption bugs are one of the most critical vulnerabilities in software security, which can be exploited to overwrite virtual tables (vtables) or virtual table pointers (vfptrs) and finally gain control over the programs at virtual function call sites (vtable hijacking). In this paper, we propose a novel approach to detect vtable hijacking attacks against C++ binary executables. We first analyze the programs to get vtable information of each class, and backup the original vtables and vfptrs at runtime, then instrument security checks dynamically before virtual function dispatches to validate vtables' integrity. We implement the proposed approach as a tool and use it to successfully detect vtable hijacking attacks on the version 11 of Microsoft's Internet Explorer.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC)

自引率

0.00%

发文量