Nicolas Badoux (EPFL), Flavio Toffalini (Ruhr-Universität Bochum, EPFL), Yuseok Jeon (UNIST), Mathias Payer (EPFL)

Type confusion, or bad casting, is a common C++ attack vector. Such vulnerabilities cause a program to interpret an object as belonging to a different type, enabling powerful attacks, like control-flow hijacking. C++ limits runtime checks to polymorphic classes because only those have inline type information. The lack of runtime type information throughout an object’s lifetime makes it challenging to enforce continuous checks and thereby prevent type confusion during downcasting. Current solutions either record type information for all objects disjointly, incurring prohibitive runtime overhead, or restrict protection to a fraction of all objects.
Our C++ dialect, type++, enforces the paradigm that each allocated object involved in downcasting carries type information throughout its lifetime, ensuring correctness by enabling type checks wherever and whenever necessary. As not just polymorphic objects but all objects are typed, all down-to casts can now be dynamically verified. Compared to existing solutions, our strategy greatly reduces runtime cost and enables type++ usage both during testing and as mitigation. Targeting SPEC CPU2006 and CPU2017, we compile and run 2,040 kLoC, while changing only 314 LoC. To help developers, our static analysis warns where code changes in target programs may be necessary. Running the compiled benchmarks results in negligible performance overhead (1.19% on SPEC CPU2006 and 0.82% on SPEC CPU2017) verifying a total of 90B casts (compared to 3.8B for the state-of-the-art, a 23× improvement). type++ discovers 122 type confusion issues in the SPEC CPU benchmarks among which 62 are new. Targeting Chromium, we change 229 LoC out of 35 MLoC to protect 94.6% of the classes that could be involved in downcasting vulnerabilities, while incurring only 0.98% runtime overhead compared to the baseline.

View More Papers

Automatic Insecurity: Exploring Email Auto-configuration in the Wild

Shushang Wen (School of Cyber Science and Technology, University of Science and Technology of China), Yiming Zhang (Tsinghua University), Yuxiang Shen (School of Cyber Science and Technology, University of Science and Technology of China), Bingyu Li (School of Cyber Science and Technology, Beihang University), Haixin Duan (Tsinghua University; Zhongguancun Laboratory), Jingqiang Lin (School of Cyber…

Read More

VeriBin: Adaptive Verification of Patches at the Binary Level

Hongwei Wu (Purdue University), Jianliang Wu (Simon Fraser University), Ruoyu Wu (Purdue University), Ayushi Sharma (Purdue University), Aravind Machiry (Purdue University), Antonio Bianchi (Purdue University)

Read More

MineShark: Cryptomining Traffic Detection at Scale

Shaoke Xi (Zhejiang University), Tianyi Fu (Zhejiang University), Kai Bu (Zhejiang University), Chunling Yang (Zhejiang University), Zhihua Chang (Zhejiang University), Wenzhi Chen (Zhejiang University), Zhou Ma (Zhejiang University), Chongjie Chen (HANG ZHOU CITY BRAIN CO., LTD), Yongsheng Shen (HANG ZHOU CITY BRAIN CO., LTD), Kui Ren (Zhejiang University)

Read More

Mysticeti: Reaching the Latency Limits with Uncertified DAGs

Kushal Babel (Cornell Tech & IC3), Andrey Chursin (Mysten Labs), George Danezis (Mysten Labs & University College London (UCL)), Anastasios Kichidis (Mysten Labs), Lefteris Kokoris-Kogias (Mysten Labs & IST Austria), Arun Koshy (Mysten Labs), Alberto Sonnino (Mysten Labs & University College London (UCL)), Mingwei Tian (Mysten Labs)

Read More