Dynamic Binary Instrumentation Based Defense Solution against Virtual Function Table Hijacking Attacks at C++ Binary Programs

Yong Wang; Ming Li; Hailin Yan; Zhenyan Liu; Jingfeng Xue; Changzhen Hu

doi:10.1109/3PGCIC.2015.102

Dynamic Binary Instrumentation Based Defense Solution against Virtual Function Table Hijacking Attacks at C++ Binary Programs

Yong Wang, Ming Li^*, Hailin Yan, Zhenyan Liu, Jingfeng Xue, Changzhen Hu

^*此作品的通讯作者

科研成果: 书/报告/会议事项章节 › 会议稿件 › 同行评审

摘要

Memory corruption bugs are one of the most critical vulnerabilities in software security, which can be exploited to overwrite virtual tables (vtables) or virtual table pointers (vfptrs) and finally gain control over the programs at virtual function call sites (vtable hijacking). In this paper, we propose a novel approach to detect vtable hijacking attacks against C++ binary executables. We first analyze the programs to get vtable information of each class, and backup the original vtables and vfptrs at runtime, then instrument security checks dynamically before virtual function dispatches to validate vtables' integrity. We implement the proposed approach as a tool and use it to successfully detect vtable hijacking attacks on the version 11 of Microsoft's Internet Explorer.

源语言	英语
主期刊名	Proceedings - 2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2015
编辑	Fabrizio Messina, Fatos Xhafa, Marek R. Ogiela, Leonard Barolli
出版商	Institute of Electrical and Electronics Engineers Inc.
页	430-434
页数	5
ISBN（电子版）	9781467394734
DOI	https://doi.org/10.1109/3PGCIC.2015.102
出版状态	已出版 - 2015
活动	10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2015 - Krakow, 波兰期限: 4 11月 2015 → 6 11月 2015

出版系列

姓名	Proceedings - 2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2015

会议

会议	10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2015
国家/地区	波兰
市	Krakow
时期	4/11/15 → 6/11/15

访问文件

10.1109/3PGCIC.2015.102

其它文件与链接

链接到 Scopus 的出版物

引用此

Wang, Y., Li, M., Yan, H., Liu, Z., Xue, J., & Hu, C. (2015). Dynamic Binary Instrumentation Based Defense Solution against Virtual Function Table Hijacking Attacks at C++ Binary Programs. 在 F. Messina, F. Xhafa, M. R. Ogiela, & L. Barolli (编辑), Proceedings - 2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2015 (页码 430-434). 文章 7424602 (Proceedings - 2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2015). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/3PGCIC.2015.102

Wang, Yong ; Li, Ming ; Yan, Hailin 等. / Dynamic Binary Instrumentation Based Defense Solution against Virtual Function Table Hijacking Attacks at C++ Binary Programs. Proceedings - 2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2015. 编辑 / Fabrizio Messina ; Fatos Xhafa ; Marek R. Ogiela ; Leonard Barolli. Institute of Electrical and Electronics Engineers Inc., 2015. 页码 430-434 (Proceedings - 2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2015).

@inproceedings{bf189fb1b15d420f938e989564dfed91,

title = "Dynamic Binary Instrumentation Based Defense Solution against Virtual Function Table Hijacking Attacks at C++ Binary Programs",

abstract = "Memory corruption bugs are one of the most critical vulnerabilities in software security, which can be exploited to overwrite virtual tables (vtables) or virtual table pointers (vfptrs) and finally gain control over the programs at virtual function call sites (vtable hijacking). In this paper, we propose a novel approach to detect vtable hijacking attacks against C++ binary executables. We first analyze the programs to get vtable information of each class, and backup the original vtables and vfptrs at runtime, then instrument security checks dynamically before virtual function dispatches to validate vtables' integrity. We implement the proposed approach as a tool and use it to successfully detect vtable hijacking attacks on the version 11 of Microsoft's Internet Explorer.",

keywords = "C++ binary executable, Internet Explorer, dynamic binary instrumentation, virtual function table hijacking",

author = "Yong Wang and Ming Li and Hailin Yan and Zhenyan Liu and Jingfeng Xue and Changzhen Hu",

note = "Publisher Copyright: {\textcopyright} 2015 IEEE.; 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2015 ; Conference date: 04-11-2015 Through 06-11-2015",

year = "2015",

doi = "10.1109/3PGCIC.2015.102",

language = "English",

series = "Proceedings - 2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2015",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "430--434",

editor = "Fabrizio Messina and Fatos Xhafa and Ogiela, {Marek R.} and Leonard Barolli",

booktitle = "Proceedings - 2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2015",

address = "United States",

}

Wang, Y, Li, M, Yan, H, Liu, Z , Xue, J & Hu, C 2015, Dynamic Binary Instrumentation Based Defense Solution against Virtual Function Table Hijacking Attacks at C++ Binary Programs. 在 F Messina, F Xhafa, MR Ogiela & L Barolli (编辑), Proceedings - 2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2015., 7424602, Proceedings - 2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2015, Institute of Electrical and Electronics Engineers Inc., 页码 430-434, 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2015, Krakow, 波兰, 4/11/15. https://doi.org/10.1109/3PGCIC.2015.102

Dynamic Binary Instrumentation Based Defense Solution against Virtual Function Table Hijacking Attacks at C++ Binary Programs. / Wang, Yong; Li, Ming; Yan, Hailin 等.
Proceedings - 2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2015. 编辑 / Fabrizio Messina; Fatos Xhafa; Marek R. Ogiela; Leonard Barolli. Institute of Electrical and Electronics Engineers Inc., 2015. 页码 430-434 7424602 (Proceedings - 2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2015).

科研成果: 书/报告/会议事项章节 › 会议稿件 › 同行评审

TY - GEN

T1 - Dynamic Binary Instrumentation Based Defense Solution against Virtual Function Table Hijacking Attacks at C++ Binary Programs

AU - Wang, Yong

AU - Li, Ming

AU - Yan, Hailin

AU - Liu, Zhenyan

AU - Xue, Jingfeng

AU - Hu, Changzhen

PY - 2015

Y1 - 2015

N2 - Memory corruption bugs are one of the most critical vulnerabilities in software security, which can be exploited to overwrite virtual tables (vtables) or virtual table pointers (vfptrs) and finally gain control over the programs at virtual function call sites (vtable hijacking). In this paper, we propose a novel approach to detect vtable hijacking attacks against C++ binary executables. We first analyze the programs to get vtable information of each class, and backup the original vtables and vfptrs at runtime, then instrument security checks dynamically before virtual function dispatches to validate vtables' integrity. We implement the proposed approach as a tool and use it to successfully detect vtable hijacking attacks on the version 11 of Microsoft's Internet Explorer.

AB - Memory corruption bugs are one of the most critical vulnerabilities in software security, which can be exploited to overwrite virtual tables (vtables) or virtual table pointers (vfptrs) and finally gain control over the programs at virtual function call sites (vtable hijacking). In this paper, we propose a novel approach to detect vtable hijacking attacks against C++ binary executables. We first analyze the programs to get vtable information of each class, and backup the original vtables and vfptrs at runtime, then instrument security checks dynamically before virtual function dispatches to validate vtables' integrity. We implement the proposed approach as a tool and use it to successfully detect vtable hijacking attacks on the version 11 of Microsoft's Internet Explorer.

KW - C++ binary executable

KW - Internet Explorer

KW - dynamic binary instrumentation

KW - virtual function table hijacking

UR - http://www.scopus.com/inward/record.url?scp=84964520939&partnerID=8YFLogxK

U2 - 10.1109/3PGCIC.2015.102

DO - 10.1109/3PGCIC.2015.102

M3 - Conference contribution

AN - SCOPUS:84964520939

T3 - Proceedings - 2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2015

SP - 430

EP - 434

BT - Proceedings - 2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2015

A2 - Messina, Fabrizio

A2 - Xhafa, Fatos

A2 - Ogiela, Marek R.

A2 - Barolli, Leonard

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2015

Y2 - 4 November 2015 through 6 November 2015

ER -

Wang Y, Li M, Yan H, Liu Z , Xue J , Hu C. Dynamic Binary Instrumentation Based Defense Solution against Virtual Function Table Hijacking Attacks at C++ Binary Programs. 在 Messina F, Xhafa F, Ogiela MR, Barolli L, 编辑, Proceedings - 2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2015. Institute of Electrical and Electronics Engineers Inc. 2015. 页码 430-434. 7424602. (Proceedings - 2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2015). doi: 10.1109/3PGCIC.2015.102

Dynamic Binary Instrumentation Based Defense Solution against Virtual Function Table Hijacking Attacks at C++ Binary Programs

摘要

出版系列

会议

访问文件

其它文件与链接

指纹

引用此