Most of today's remote code execution attacks target virtual function tables (vtables).
Attackers hijack vtable pointers to redirect the control flow of a vulnerable program at will, which typically results in full control over the underlying system.
In this paper, we present NoVT, a compiler-based defense against vtable hijacking.
Instead of protecting the vtables used for virtual dispatch, our solution replaces them with switch-case constructs that are inherently control-flow safe, thus preserving the control-flow integrity of C++ virtual dispatch.
NoVT extends Clang to perform a class hierarchy analysis on C++ source code.
Instead of a vtable pointer, each class receives a unique identifier number, and call sites use that identifier to dispatch to the correct method implementation.
As a result, NoVT inherently protects every use of a vtable, not just virtual dispatch.
We evaluate NoVT on common benchmark applications and real-world programs including Chromium.
Despite its strong security guarantees, NoVT improves the runtime performance of most programs (mean overhead -0.5%, min -3.7%, max 2%).
In addition, protected binaries are slightly smaller than unprotected ones.
NoVT works on different CPU architectures and protects complex C++ programs against strong attacks like COOP and ShrinkWrap.
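The following hand-written sketch illustrates the transformation the abstract describes. It is an added example, not code from the paper or NoVT's actual compiler output: a small class hierarchy is shown once with ordinary vtable-based virtual dispatch and once in NoVT style, where the hidden vtable pointer is replaced by a class identifier and the virtual call site becomes a switch over that identifier. The class names, the `ClassId` values and the `shape_area` dispatch stub are assumptions made for illustration; the exact identifier assignment and code layout NoVT uses are not reproduced here.

```cpp
#include <cstdint>

// --- Unprotected form: ordinary C++ virtual dispatch.
// Every object carries a hidden vtable pointer; an attacker who corrupts it
// (e.g. via a use-after-free) makes s->area() jump to an address of their choosing.
struct Shape {
    virtual ~Shape() = default;
    virtual int area() const = 0;
};
struct Rect : Shape {
    int w, h;
    Rect(int w_, int h_) : w(w_), h(h_) {}
    int area() const override { return w * h; }
};
struct Square : Rect {
    explicit Square(int s) : Rect(s, s) {}
    int area() const override { return w * w; }   // overrides Rect::area
};

int virtual_area(const Shape* s) { return s->area(); }   // indirect call through the vtable

// --- NoVT-style form (illustrative sketch, assumed layout, not the compiler's output).
// The vtable pointer is replaced by a per-class identifier, and the call site
// becomes a switch over that identifier. Whatever value the identifier holds,
// control can only reach one of the enumerated, statically known targets.
enum ClassId : uint32_t { ID_RECT = 1, ID_SQUARE = 2 };   // assumed identifier assignment

struct NvShape {            // no vtable: the first word is the class identifier
    uint32_t class_id;
};
struct NvRect : NvShape {
    int w, h;
    NvRect(int w_, int h_) : w(w_), h(h_) { class_id = ID_RECT; }
};
struct NvSquare : NvRect {
    explicit NvSquare(int s) : NvRect(s, s) { class_id = ID_SQUARE; }   // constructor rewrites the id
};

static int rect_area(const NvRect* r)   { return r->w * r->h; }
static int square_area(const NvRect* s) { return s->w * s->w; }

// Dispatch stub standing in for what a compiler would emit at an `s->area()` call site.
// Returns false when the identifier matches no class in the hierarchy: there is no
// valid target, so the call is refused instead of jumping anywhere.
bool shape_area(const NvShape* s, int* out) {
    switch (s->class_id) {
    case ID_RECT:   *out = rect_area(static_cast<const NvRect*>(s));   return true;
    case ID_SQUARE: *out = square_area(static_cast<const NvRect*>(s)); return true;
    default:        return false;
    }
}

// Convenience wrappers so the dispatch result can be checked directly.
int nv_rect_area(int w, int h) {
    NvRect r(w, h);
    int a = -1;
    return shape_area(&r, &a) ? a : -1;
}
int nv_square_area(int s) {
    NvSquare q(s);
    int a = -1;
    return shape_area(&q, &a) ? a : -1;
}

// Simulated hijack: the attacker overwrites the object's first word (where the
// vtable pointer used to live) with an arbitrary value. Under NoVT the switch
// simply finds no matching case; no attacker-chosen address is ever called.
bool hijacked_id_is_refused() {
    NvRect r(3, 4);
    r.class_id = 0xdeadbeefu;   // constructed corruption, stands in for a memory-safety bug
    int a = 0;
    return !shape_area(&r, &a);
}
```

The point of the contrast is in `shape_area`: with a vtable, the call target is loaded from attacker-writable memory, whereas with the switch the set of reachable targets is fixed at compile time, which is why the abstract describes the construct as inherently control-flow safe. A real implementation must still handle dispatch across the whole program's class hierarchy, which is what the class hierarchy analysis in the extended Clang front end provides.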
Preferred Citation
Markus Bauer and Christian Rossow. NoVT: Eliminating C++ Virtual Calls to Mitigate Vtable Hijacking. In: IEEE European Symposium on Security and Privacy (EuroS&P). 2021.
Primary Research Area
Threat Detection and Defenses
Name of Conference
IEEE European Symposium on Security and Privacy (EuroS&P)
Legacy Posted Date
2021-02-15
Open Access Type
Unknown
BibTeX
@inproceedings{cispa_all_3364,
title = "NoVT: Eliminating C++ Virtual Calls to Mitigate Vtable Hijacking",
author = "Bauer, Markus and Rossow, Christian",
booktitle="{IEEE European Symposium on Security and Privacy (EuroS&P)}",
year="2021",
}