Title | NoVT: Eliminating C++ Virtual Calls to Mitigate Vtable Hijacking |
Publication Type | Conference Paper |
Year of Publication | 2021 |
Authors | Bauer, Markus, Rossow, Christian |
Conference Name | 2021 IEEE European Symposium on Security and Privacy (EuroS&P) |
Keywords | C++ languages, CFI, Chromium, codes, control systems, Human Behavior, human factors, LLVM, Metrics, NoVT, Policy Based Governance, Program processors, pubcrawl, resilience, Resiliency, Runtime, Safe Coding, Switches, vtable hijacking, vtables |
Abstract | The vast majority of today's remote code execution attacks target virtual function tables (vtables). Attackers hijack vtable pointers to change the control flow of a vulnerable program to their will, resulting in full control over the underlying system. In this paper, we present NoVT, a compiler-based defense against vtable hijacking. Instead of protecting vtables for virtual dispatch, our solution replaces them with switch-case constructs that are inherently control-flow safe, thus preserving the control-flow integrity of C++ virtual dispatch. NoVT extends Clang to perform a class hierarchy analysis on C++ source code. Instead of a vtable, each class gets unique identifier numbers, which are used to dispatch the correct method implementation. Thereby, NoVT inherently protects all usages of a vtable, not just virtual dispatch. We evaluate NoVT on common benchmark applications and real-world programs including Chromium. Despite its strong security guarantees, NoVT improves the runtime performance of most programs (mean overhead -0.5%, -3.7% min, 2% max). In addition, protected binaries are slightly smaller than unprotected ones. NoVT works on different CPU architectures and protects complex C++ programs against strong attacks like COOP and ShrinkWrap. |
DOI | 10.1109/EuroSP51992.2021.00049 |
Citation Key | bauer_novt_2021 |