Author(s): Chao Zhang, Chengyu Songz, Kevin Zhijie Chen, Zhaofeng Cheny, Dawn Song

Download: Paper (PDF)

Date: 8 Feb 2015

Document Type: Briefing Papers

Additional Documents: Slides

Associated Event: NDSS Symposium 2015


Since researchers have proposed lots of defenses to protect control data (e.g., return addresses saved on the stack) from corruption, most traditional control flow hijacking attacks become infeasible. Attackers, however, can bypass these defenses by launching advanced attacks that corrupt other data, e.g., pointers to control data. Virtual table pointers (vfptr) in C++ objects, which point to virtual function tables (vtable) consisting of virtual function pointers, now become popular targets to corrupt. Attackers can exploit use-after-free or other vulnerabilities to overwrite the vfptr to point to a fake vtable, causing further virtual function calls to be hijacked (vtable hijacking). In this paper we propose a lightweight defense solution VTint to defend binary executables against vtable hijacking attacks. It uses binary rewriting to instrument security checks before virtual function dispatches to validate vtables’ integrity. Experiments show that it only introduces a small performance overhead (less than 2%), and it can effectively protect real-world vtable hijacking attacks.