NoVT: Eliminating C++ Virtual Calls to Mitigate Vtable Hijacking

Title: NoVT: Eliminating C++ Virtual Calls to Mitigate Vtable Hijacking
Publication Type: Conference Paper
Year of Publication: 2021
Authors: Bauer, Markus, Rossow, Christian
Conference Name: 2021 IEEE European Symposium on Security and Privacy (EuroS&P)
Keywords: C++ languages, CFI, Chromium, codes, control systems, Human Behavior, human factors, LLVM, Metrics, NoVT, Policy Based Governance, Program processors, pubcrawl, resilience, Resiliency, Runtime, Safe Coding, Switches, vtable hijacking, vtables
Abstract: Most of today's remote code execution attacks target virtual function tables (vtables). Attackers hijack vtable pointers to redirect the control flow of a vulnerable program at will, gaining full control over the underlying system. In this paper, we present NoVT, a compiler-based defense against vtable hijacking. Instead of protecting the vtables used for virtual dispatch, our solution replaces them with switch-case constructs that are inherently control-flow safe, thus preserving the control-flow integrity of C++ virtual dispatch. NoVT extends Clang to perform a class hierarchy analysis on C++ source code. Instead of a vtable, each class gets unique identifier numbers which are used to dispatch the correct method implementation. Thereby, NoVT inherently protects all usages of a vtable, not just virtual dispatch. We evaluate NoVT on common benchmark applications and real-world programs including Chromium. Despite its strong security guarantees, NoVT improves the runtime performance of most programs (mean overhead -0.5%, i.e. a slight speedup; -3.7% min, 2% max). In addition, protected binaries are slightly smaller than unprotected ones. NoVT works on different CPU architectures and protects complex C++ programs against strong attacks like COOP and ShrinkWrap.
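The transformation the abstract describes, as an added illustration that is not NoVT's own code or output: part 1 models conventional vtable dispatch with a hand-rolled vtable (so that the hijack is well-defined C++ rather than undefined behaviour on compiler-generated vtables) and shows how one corrupted pointer redirects the indirect call to an attacker-chosen function; part 2 shows the NoVT-style replacement, where an object carries only an integer class id and every virtual call becomes a switch over compile-time case labels, so the same corruption can only select another legitimate implementation or be rejected. The class names, the pre-order id assignment that makes each subtree a contiguous range, and the use of `std::optional` to signal a rejected id are assumptions of this example; NoVT's actual pass and its handling of an unknown id may differ.

```cpp
// Added example (not NoVT's code): vptr-based dispatch vs. class-id switch dispatch.
#include <cstdint>
#include <optional>

// --- 1. Conventional vtable dispatch, modelled explicitly -------------------
struct ShapeVt;
struct ShapeV {
    const ShapeVt* vptr;   // first field, like a compiler-generated vptr
    double a;              // radius or side length
};
struct ShapeVt { double (*area)(const ShapeV*); };

static double circle_area_v(const ShapeV* s) { return 3.141592653589793 * s->a * s->a; }
static double attacker_gadget(const ShapeV*) { return -1.0; }  // stands in for arbitrary code

static const ShapeVt kCircleVt = { circle_area_v };
static const ShapeVt kForgedVt = { attacker_gadget };  // attacker-controlled fake vtable

// A memory-corruption bug (simulated by corrupt_vptr) overwrites the vptr;
// the indirect call then goes wherever the forged table points.
static double vtable_call_area(ShapeV* s, bool corrupt_vptr) {
    if (corrupt_vptr) s->vptr = &kForgedVt;
    return s->vptr->area(s);
}

// --- 2. NoVT-style dispatch: class id + switch, no indirect call ------------
// Ids assigned in hierarchy pre-order (assumed scheme) so each subtree is a
// contiguous range: Shape=0 { Circle=1, Polygon=2 { Square=3 } }.
enum ClassId : uint32_t { kShape = 0, kCircle = 1, kPolygon = 2, kSquare = 3, kNumClasses };

struct Shape {
    uint32_t class_id;   // replaces the vptr; the object holds no code pointer
    double a;
};

static double shape_area(const Shape*) { return 0.0; }
static double circle_area(const Shape* s) { return 3.141592653589793 * s->a * s->a; }
static double square_area(const Shape* s) { return s->a * s->a; }

// Every target is a fixed case label. Corrupting class_id can only select
// another legitimate implementation of *this* method or hit the default;
// it can never steer execution to an attacker-chosen address.
static std::optional<double> dispatch_area(const Shape* s) {
    switch (s->class_id) {
    case kShape:   return shape_area(s);
    case kCircle:  return circle_area(s);
    case kPolygon: return shape_area(s);   // Polygon does not override area()
    case kSquare:  return square_area(s);
    default:       return std::nullopt;    // id outside the hierarchy: refuse
    }
}

// Other vtable users (dynamic_cast, typeid) become range checks on the id,
// which is why the approach covers more than virtual dispatch.
static bool is_polygon(const Shape* s) {
    return s->class_id >= kPolygon && s->class_id <= kSquare;
}

// The same corruption bug as above, but now it can only change an integer.
static std::optional<double> novt_call_area(Shape* s, bool corrupt_id) {
    if (corrupt_id) s->class_id = 0xdeadbeef;
    return dispatch_area(s);
}
```

In the first half, one overwritten pointer is enough to land in `attacker_gadget`; in the second, the same write turns into an out-of-range id that the default branch rejects, and `is_polygon` also fails closed for it. A real deployment would additionally want the default branch to abort rather than return a sentinel, since an unexpected id means memory has already been corrupted.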
DOI: 10.1109/EuroSP51992.2021.00049
Citation Key: bauer_novt_2021