Chengbin Pang,Yunlan Du,Bing Mao,Shanqing Guo

DOI: https://doi.org/10.1145/3274694.3274719

2018-01-01

Abstract:The features of modularity and inheritance in C++ facilitate the developers' usage, but also give rise to the problem of type confusion. As an ancestor class may have a different data layout from its descendant class, a dangerous downcasting operation from the ancestor to its descendant can lead to a critical attack, such as control flow hijacking, out-of-bounds access to neighbor memory area, etc. As reported in CVE, such vulnerabilities have been found in various common-used software, including Google Chrome, Firefox and Adobe Flash Player, and have a trend of increase in recent years. The urgency of addressing type confusion problems quickens the pace of researchers coming to corresponding solutions. However, the existing works either handle the problem partially, or suffer from the high performance and memory overhead, especially to the large-scale projects.We present Bitype to check the validity explicitly when a type is downcasting to another, maintaining high coverage and reducing overhead and compilation time massively. The core of our design is a Safe Encoding Scheme, which encodes all of the classes by mapping them to bits. With this scheme, Bitype treats the classes and their safe convertible classes as codes and verifies typecastings in an xor operation, both decreasing the performance overhead of check and the memory overhead. Besides, we implement a Clang Tool to avoid the repeated collection of inheritance relationships and deploy a two-level lookup table to trace objects efficiently. Evaluated on SPEC CPU2006 benchmarks and Firefox browser, Bitype shows a slightly higher coverage of typecasting compared to the state-of-the-art HexType[22], but reduces the performance overhead by 2 to 16 times, the memory overhead by 2 to 3 times, the compilation time by 21 to 223 times. As a result, our solution is a practical and efficient typecasting checker for commodity software.

Mengchen Cao,Xiantong Hou,Tao Wang,Hunter Qu,Yajin Zhou,Xiaolong Bai,Fuwei Wang

DOI: https://doi.org/10.1145/3319535.3345654

2019-01-01

Abstract:The use of uninitialized variables is a common issue. It could cause kernel information leak, which defeats the widely deployed security defense, i.e., kernel address space layout randomization (KASLR). Though a recent system called Bochspwn Reloaded reported multiple memory leaks in Windows kernels, how to effectively detect this issue is still largely behind.

Mustakimur Khandaker,Abu Naser,Wenqing Liu,Zhi Wang,Yajin Zhou,Yueqiang Cheng

DOI: https://doi.org/10.1109/eurosp.2019.00017

2019-01-01

Abstract:Low-level languages like C/C++ are widely used in various applications for their performance and flexibility. Unfortunately, these languages are prone to memory corruption vulnerabilities, leading to control-flow hijacking attacks. Control flow integrity (CFI) is a general principle to enforce run-time control flow of a program to a pre-computed control-flow graph (CFG). While the traditional context-insensitive CFI falls short in protecting critical control transfers, recent context-sensitive CFI research shows promising improvements but has various limitations. We present Control Flow Integrity with Look Back (CFI-LB), a call-site sensitive CFI in which a conventional source-target control transfer is strengthened by a look back into its call-sites (return addresses). CFI-LB features the adaptive call-site sensitivity in which each indirect call has its own level of sensitivity and the multi-scope CFG to improve the security even if a precise context-sensitive static CFG is not available, especially for large programs such as GCC and NGINX. One of the CFGs is constructed by our localized concolic execution, which significantly extends the dynamic CFG with very low false positives. In addition, CFI-LB is the first CFI system explicitly designed to protect its reference monitors from race conditions. We have built a prototype of CFI-LB. The evaluation with SPEC CPU2006 benchmarks and NGINX indicates that CFI-LB has a low-performance overhead (less than 5% on average for the full protection) while increasing the security.

Haibin Shen,Jimin Wang,Lingdi Ping,Kang Sun

DOI: https://doi.org/10.1007/11689522_32

2006-01-01

Abstract:Flexible features of C can be misused and result in potential vulnerabilities which are hard to detect by performing only static checking. Existing tools either give up run-time type checking or employ a type system whose granularity is too coarse (it does not differentiate between pointer types) so that many errors may go undetected. This paper presents a dynamic checking approach to conquer them. A type system that is based on the physical layout of data types and has the proper granularity has been employed. Rules for propagating dynamic types and checking for compatibility of types during execution of the target program are also set up. Then a model of dynamic type checking on this type system to capture run-time type errors is built. Experimental results show that it can catch most errors, including those may become system vulnerabilities and the overhead is moderate.

Wang Ji-min,Ping Ling-di,Pan Xue-zeng,Shen Hai-bin,Yan Xiao-lang

DOI: https://doi.org/10.1007/bf02842479

2005-01-01

Journal of Zhejiang University SCIENCE A

Abstract:The C programming language is expressive and flexible, but not safe; as its expressive power and flexibility are obtained through unsafe language features, and improper use of these features can lead to program bugs whose causes are hard to identify. Since C is widely used, and it is impractical to rewrite all existing C programs in safe languages, so ways must be found to make C programs safe. This paper deals with the unsafe features of C and presents a survey on existing solutions to make C programs safe. We have studied binary-level instrumentation tools, source checkers, source-level instrumentation tools and safe dialects of C, and present a comparison of different solutions, summarized the strengths and weaknesses of different classes of solutions, and show measures that could possibly improve the accuracy or alleviate the overhead of existing solutions.

Yu Wang,Fengjuan Gao,Lingyun Situ,Lingzhang Wang,Bihuan Chen,Yang Liu,Jianhua Zhao,Xuandong Li

DOI: https://doi.org/10.1145/3275219.3275231

2018-01-01

Abstract:Dangling pointers have become an important class of software bugs that can lead to use-after-free and double-free vulnerabilities. So far, only a few approaches have been proposed to protect against dangling pointers, while most of them suffer from high overhead. In this paper, we propose a lightweight approach, named DangDone, to eliminate dangling pointers at compile time. Built upon the root cause of a dangling pointer, i.e., a pointer and its aliases are not nullified but the memory area they point to is deallocated, DangDone realizes the protection by inserting an intermediate pointer between the pointers (i.e., a pointer and its aliases) and the memory area they point to. Hence, nullifying the intermediate pointer will nullify the pointer and its aliases, which mitigates the vulnerabilities caused by dangling pointers. Experimental results have demonstrated that DangDone can protect target programs (i.e., the SPEC CPU benchmarks and the programs with known CVEs) with negligible runtime overhead (i.e., around 1% on average).

Weixin Liang,Kai Bu,Ke Li,Jinhong Li,Arya Tavakoli

DOI: https://doi.org/10.1145/3274694.3274695

2018-01-01

Abstract:Access patterns over untrusted memory have long been exploited to infer sensitive information like program types or even secret keys. Most existing obfuscation solutions hide real memory accesses among a sufficiently large number of dummy memory accesses. Such solutions lead to a heavy communication overhead and more often apply to the client/server scenario instead of the CPU/memory architecture. Sporadic obfuscation solutions strive for an affordable memory bandwidth cost at the expense of security degradation. For example, they may have to obfuscate accesses over a limited range of memory space to control the overhead.

Bing Swen

DOI: https://doi.org/10.3321/j.issn:0254-4164.2004.11.008

2004-01-01

Jisuanji Xuebao/Chinese Journal of Computers

Abstract:A thorough and in-depth analysis of the underlying ideas and methodology of object-orientation and generic programming is presented, elaborating the aims, technological characteristics, advantages and disadvantages of both, with the emphasis on the significant innovation introduced by generic programming to compensate object-orientation for its insufficiency. The paper also details the author's work on further enhancing generic programming by providing direct language support and compiler checking for static type requirements, which leads to a new programming mechanism called named type constraint. As the first example of generic programming languages in the literatures, a generic programming extension of C++ is also discussed.

James Roney,Troy Appel,Prateek Pinisetti,James Mickens

DOI: https://doi.org/10.1109/spw53761.2021.00057

2021-05-01

Abstract:Historically, attackers have sought to manipulate programs through the corruption of return addresses, function pointers, and other control flow data. However, as protections like ASLR, stack canaries, and no-execute bits have made such attacks more difficult, data-oriented exploits have received increasing attention. Such exploits try to subvert a program by reading or writing non-control data, without introducing any foreign code or violating the program’s legitimate control flow graph. Recently, a data-oriented exploitation technique called memory cartography was introduced, in which an attacker navigates between allocated memory regions using a precompiled map to disclose sensitive program data. The efficacy of memory cartography is dependent on inter-region pointers being located at constant offsets within memory regions; thus, cartographic attacks are difficult to launch against memory regions like heaps and stacks that have nondeterministic layouts. In this paper, we lower the barrier to successful attacks against nondeterministic memory, demonstrating that pointers between regions of memory often possess unique “signatures” that allow attackers to identify them with high accuracy. These signatures are accurate even when the pointers reside in non-deterministic memory areas. In many real-world programs, this allows an attacker that is capable of reading bytes from a single heap to access all of process memory. Our findings underscore the importance of memory isolation via separate address spaces.

Constantin Cezar Petrescu,Sam Smith,Rafail Giavrimis,Santanu Kumar Dash

DOI: https://doi.org/10.1016/j.jss.2023.111693

IF: 3.5

2023-04-08

Journal of Systems and Software

Abstract:Developers relax restrictions on a type to reuse methods with other types. While type casts are prevalent, in weakly typed languages such as C++, they are also extremely permissive. Assignments where a source expression is cast into a new type and assigned to a target variable of the new type, can lead to software bugs if performed without care. In this paper, we propose an information-theoretic approach to identify poor implementations of explicit cast operations. Our approach measures accord between the source expression and the target variable using conditional entropy. We collect casts from 34 components of the Chromium project, which collectively account for 27MLOC and random-uniformly sample this dataset to create a manually labelled dataset of 271 casts. Information-theoretic vetting of these 271 casts achieves a peak precision of 81% and a recall of 90%. We additionally present the findings of an in-depth investigation of notable explicit casts, two of which were fixed in recent releases of the Chromium project.

computer science, theory & methods, software engineering

Chenyu Wang,Bihuan Chen,Yang Liu,Hongjun Wu

DOI: https://doi.org/10.1109/tifs.2018.2855648

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Vtable reuse attack, as a novel type of code reuse attacks, is introduced to bypass most binary-level control flow integrity enforcement and vtable integrity enforcement. So far, two binary-level defenses (TypeArmor and vfGuard) are proposed to defend against vtable reuse attacks. Both techniques use semantic information as the control flow integrity enforcement policy, i.e., TypeArmor and vfGuard utilize argument register count and dispatch offset at virtual callsite as the signature to check the validity of target functions, respectively. In this paper, we propose layered object-oriented programming (LOOP), an advanced vtable reuse attack, to show that the coarse-grained control flow integrity strategies are still vulnerable to vtable reuse attacks. In LOOP, we introduce argument expansion gadgets and transfer gadgets to, respectively, bypass TypeArmor and vfGuard. We generalize the characteristics of both gadgets and develop a tool to discover them at the binary level. We demonstrated that under the protection of TypeArmor and vfGuard, Firefox, Adobe Flash Player, and Internet Explorer are all vulnerable to LOOP attacks. Furthermore, we show the availability of argument expansion gadgets and transfer gadgets in common software or libraries.

Benoît Sonntag,Dominique Colnet

DOI: https://doi.org/10.48550/arXiv.2310.15632

2023-10-24

Abstract:The 64-bit architectures that have become standard today offer unprecedented low-level programming possibilities. For the first time in the history of computing, the size of address registers far exceeded the physical capacity of their <a class="link-external link-http" href="http://bus.After" rel="external noopener nofollow">this http URL</a> a brief reminder of the possibilities offered by the small size of addresses compared to the available 64 bits,we develop three concrete examples of how the vacant bits of these registers can be <a class="link-external link-http" href="http://used.Among" rel="external noopener nofollow">this http URL</a> these examples, two of them concern the implementation of a library for a new statically typed programming <a class="link-external link-http" href="http://language.Firstly" rel="external noopener nofollow">this http URL</a>, the implementation of multi-precision integers, with the aim of improving performance in terms of both calculation speed and RAM <a class="link-external link-http" href="http://savings.The" rel="external noopener nofollow">this http URL</a> second example focuses on the library's handling of UTF-8 character <a class="link-external link-http" href="http://strings.Here" rel="external noopener nofollow">this http URL</a>, the idea is to make indexing easier by ignoring the physical size of each UTF-8 <a class="link-external link-http" href="http://characters.Finally" rel="external noopener nofollow">this http URL</a>, the third example is a possible enhancement of garbage collectors, in particular the mark \& sweep for the object marking phase.

Computation and Language

Jianhao Xu,Luca Di Bartolomeo,Flavio Toffalini,Bing Mao,Mathias Payer

DOI: https://doi.org/10.1109/SP46215.2023.10179433

2023-01-01

Abstract:Code-reuse attacks are dangerous threats that attracted the attention of the security community for years. These attacks aim at corrupting important control-flow transfers for taking control of a process without injecting code. Nowadays, the combinations of multiple mitigations (e.g., ASLR, DEP, and CFI) drastically reduced this attack surface, making running code-reuse exploits more challenging. Unfortunately, security mitigations are combined with compiler optimizations, that do not distinguish between securityrelated and application code. Blindly deploying code optimizations over code-reuse mitigations may undermine their security guarantees. For instance, compilers may introduce doublefetch vulnerabilities that lead to concurrency issues such as Time-Of-Check to Time-Of-Use (TOCTTOU) attacks. In this work, we propose a new attack vector, called WarpAttack, that exploits compiler-introduced double-fetch optimizations to mount TOCTTOU attacks and bypass codereuse mitigations. We study the mechanism underlying this attack and present a practical proof-of-concept exploit against the last version of Firefox. Additionally, we propose a lightweight analysis to locate vulnerable double-fetch code (with 3% false positives) and conduct research over six popular applications, five operating systems, and four architectures (32 and 64 bits) to study the diffusion of this threat. Moreover, we study the implication of our attack against six CFI implementations. Finally, we investigate possible research lines for addressing this threat and propose practical solutions to be deployed in existing projects.

Jie Yin,Gang Tan,XiaoLong Bai,ShiMin Hu

DOI: https://doi.org/10.1007/s11432-015-5285-y

2015-01-01

Abstract:For security, most web applications are developed in some type-safe language, such as JavaScript or Java. However, there is a huge amount of legacy codes developed in unsafe languages, which provide rich functionality and are more efficient than their type-safe counterparts. To allow browsers to incorporate type-safe components in a secure way, previous approaches use the software-based fault isolation (SFI) to isolate untrusted legacy code. The SFI approach performs machine-code transformation for security, but the downside is the loss of architecture independence. We propose WebC, a system that allows legacy code transmitted over the web via the Low Level Virtual Machine (LLVM) bitcode format. The untrusted bitcode is transformed by WebC into code in the WebC security language, which enforces both memory isolation and control-flow integrity. Compared with previous approaches, WebC is more portable, provides stronger security, and allows more flexible memory management. Experimental results show that the average runtime overhead of WebC is modest.

孙斌

DOI: https://doi.org/10.3969/j.issn.1671-1815.2005.02.009

2005-01-01

Abstract:A thorough and in-depth analysis of the underlying ideas and methodology of object-orientation and generic programming, elaborating the aims, technological characteristics, advantages and disadvantages of both are presented. On further enhancing generic programming by providing direct language support and compiler checking for static type requirements, which leads to a new programming mechanism called named type constraint. As the first example of type-constrained programming (TCP) languages in the literatures, a TCP extension of C+ + , C , are discussed, illustrating how to efficiently and economically implement the mechanism.

Bingchen Lan,Yan Li,Hao Sun,Chao Su,Yao Liu,Qingkai Zeng

DOI: https://doi.org/10.1109/trustcom.2015.374

2015-01-01

Abstract:Code reuse attacks have become one of the most popular exploitation techniques, and coarse-grained control flow integrity (CFI) is a practical approach used to prevent such attacks. Recently, some new approaches have been proposed to construct call-preceded-ROP attacks to bypass coarse-grained CFI, however, we find that they still fail to bypass shadow stack, which enforces caller-callee semantics to strengthen CFI that constrains the control flow in a much stricter way. Therefore, in this paper, we propose a new code reuse attack, named loop-oriented programming (LOP), aiming to bypass both coarse-grained CFI and shadow stack. Quite different from previous code reuse attacks, LOP collects entire functions as basic building blocks (i.e., gadgets), and chains these gadgets in a way that the control flows strictly follow the process of call-ret-pairing. Specifically, LOP selects a particular function with a loop statement, called loop gadget, to chain all the available gadgets. To demonstrate the effectiveness of LOP, we construct a proof-of-concept exploit against Internet Explorer 8 on 32-bit x86 platform.

Aravind Machiry,John Kastner,Matt McCutchen,Aaron Eline,Kyle Headley,Michael Hicks

DOI: https://doi.org/10.1145/3527322

2022-12-08

Proceedings of the ACM on Programming Languages

Abstract:Owing to the continued use of C (and C++), spatial safety violations (e.g., buffer overflows) still constitute one of today's most dangerous and prevalent security vulnerabilities. To combat these violations, Checked C extends C with bounds-enforced checked pointer types. Checked C is essentially a gradually typed spatially safe C - checked pointers are backwards-binary compatible with legacy pointers, and the language allows them to be added piecemeal, rather than necessarily all at once, so that safety retrofitting can be incremental. This paper presents a semi-automated process for porting a legacy C program to Checked C. The process centers on 3C, a static analysis-based annotation tool. 3C employs two novel static analysis algorithms - typ3c and boun3c - to annotate legacy pointers as checked pointers, and to infer array bounds annotations for pointers that need them. 3C performs a root cause analysis to direct a human developer to code that should be refactored; once done, 3C can be re-run to infer further annotations (and updated root causes). Experiments on 11 programs totaling 319KLoC show 3C to be effective at inferring checked pointer types, and experience with previously and newly ported code finds 3C works well when combined with human-driven refactoring.

English Else

Xingchen Man,Jianfeng Zhu,Guihuan Song,Shouyi Yin,Shaojun Wei,Leibo Liu

DOI: https://doi.org/10.1145/3470496.3527426

2022-01-01

Abstract:Today, reconfigurable spatial architectures (RSAs) have sprung up as accelerators for compute- and data-intensive domains because they deliver energy and area efficiency close to ASICs and still retain sufficient programmability to keep the development cost low. The mapper, which is responsible for mapping algorithms onto RSAs, favors a systematic backtracking methodology because of high portability for evolving RSA designs. However, exponentially scaling compilation time has become the major obstacle. The key observation of this paper is that the key limiting factor to the systematic backtracking mappers is the waterfall mapping model which resolves all mapping variables and constraints at the same time using single-level intermediate representations (IRs).

Zhang Ying,Zhou Yu-ming,Xu Bao-wen,Liu Yuan

DOI: https://doi.org/10.1007/bf03160252

2001-01-01

Wuhan University Journal of Natural Sciences

Abstract:There exist a lot of legacy systems written in C language, which are difficult to understand, modify, maintain and reuse. How to improve the quality of these non object-oriented systems has become an important issue in software engineering area. A possible way is to transform these procedural systems into semantically equivalent object-oriented systems implemented in C++ language, which provides object-oriented features such as data abstraction, inheritance and polymorphism, makes software system more comprehensible, maintainable and reusable. A detailed discussion on polymorphism analysis, object discovery and possible inheritance relation extraction on C-to-C++ conversion problem is made, which is also suitable to the transformation on legacy systems implemented in other procedural languages to equivalent object-oriented systems.

YongGang Li,GuoYuan Lin,Yeh-Ching Chung,YaoWen Ma,Yi Lu,Yu Bao

DOI: https://doi.org/10.1016/j.future.2022.10.035

IF: 7.307

2023-03-01

Future Generation Computer Systems

Abstract:Address space layout randomization (ASLR) has been widely deployed in operating systems (OS) to hide memory layout, which mitigates code reuse attacks (CRAs). Unfortunately, the memory probing techniques can still provide attackers with enough information to bypass ASLR. Although the control flow integrity (CFI) methods are not affected by code probing, they face the precision problem of control flow graphs (CFG). To make matters worse, most methods rely on the source code of the targets to be protected, which leads to their restrictions on the protection of the objects without source code. To solve these problems, MagBox is proposed in this paper. It identifies the risk functions that can provide gadgets for CRAs by detecting and analyzing attackers’ code probing activities. If the function is probed, it will be moved to a new address space. After that, the control flow transfers of the function will be tracked and analyzed in real time to judge their legitimacy. Experiment results and analysis show that MagBox can mitigate CRAs, and only introduces 3.4% performance overhead to the CPU.

computer science, theory & methods