CISPA
Browse
- No file added yet -

NoVT: Eliminating C++ Virtual Calls to Mitigate Vtable Hijacking

Download (355.04 kB)
conference contribution
posted on 2023-11-29, 18:16 authored by Markus Bauer, Christian RossowChristian Rossow
The vast majority of nowadays remote code execution attacks target virtual function tables (vtables). Attackers hijack vtable pointers to change the control flow of a vulnerable program to their will, resulting in full control over the underlying system. In this paper, we present NoVT, a compiler-based defense against vtable hijacking. Instead of protecting vtables for virtual dispatch, our solution replaces them with switch-case constructs that are inherently control-flow safe, thus preserving control flow integrity of C++ virtual dispatch. NoVT extends Clang to perform a class hierarchy analysis on C++ source code. Instead of a vtable, each class gets unique identifier numbers which are used to dispatch the correct method implementation. Thereby, NoVT inherently protects all usages of a vtable, not just virtual dispatch. We evaluate NoVT on common benchmark applications and real-world programs including Chromium. Despite its strong security guarantees, NoVT improves runtime performance of most programs (mean overhead -0.5%, -3.7% min, 2% max). In addition, protected binaries are slightly smaller than unprotected ones. NoVT works on different CPU architectures and protects complex C++ programs against strong attacks like COOP and ShrinkWrap.

History

Preferred Citation

Markus Bauer and Christian Rossow. NoVT: Eliminating C++ Virtual Calls to Mitigate Vtable Hijacking. In: IEEE European Symposium on Security and Privacy (EuroS&P). 2021.

Primary Research Area

  • Threat Detection and Defenses

Name of Conference

IEEE European Symposium on Security and Privacy (EuroS&P)

Legacy Posted Date

2021-02-15

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_3364, title = "NoVT: Eliminating C++ Virtual Calls to Mitigate Vtable Hijacking", author = "Bauer, Markus and Rossow, Christian", booktitle="{IEEE European Symposium on Security and Privacy (EuroS&P)}", year="2021", }

Usage metrics

    Categories

    No categories selected

    Exports

    RefWorks
    BibTeX
    Ref. manager
    Endnote
    DataCite
    NLM
    DC