VScape: Assessing and Escaping Virtual Call Protections

Authors: 

Kaixiang Chen, Institute for Network Science and Cyberspace, Tsinghua University; Chao Zhang, Institute for Network Science and Cyberspace, Tsinghua University/Beijing National Research Center for Information Science and Technology/Tsinghua University-QI-ANXIN Group JCNS; Tingting Yin and Xingman Chen, Institute for Network Science and Cyberspace, Tsinghua University; Lei Zhao, School of Cyber Science and Engineering, Wuhan University

Abstract: 

Many control-flow integrity (CFI) solutions have been proposed to protect indirect control transfers (ICT), including C++ virtual calls. Assessing the security guarantees of these defenses is thus important but hard. In practice, for a (strong) defense, it usually requires abundant manual efforts to assess whether it could be bypassed, when given a specific (weak) vulnerability. Existing automated exploit generation solutions, which are proposed to assess the exploitability of vulnerabilities, have not addressed this issue yet.

In this paper, we point out that a wide range of virtual call protections, which do not break the C++ ABI (application binary interface), are vulnerable to an advanced attack COOPLUS, even if the given vulnerabilities are weak. Then, we present a solution VScape to assess the effectiveness of virtual call protections against this attack. We developed a prototype of VScape, and utilized it to assess 11 CFI solutions and 14 C++ applications (including Firefox and PyQt) with known vulnerabilities. Results showed that real-world applications have a large set of exploitable virtual calls, and VScape could be utilized to generate working exploits to bypass deployed defenses via weak vulnerabilities.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {272276,
author = {Kaixiang Chen and Chao Zhang and Tingting Yin and Xingman Chen and Lei Zhao},
title = {{VScape}: Assessing and Escaping Virtual Call Protections},
booktitle = {30th USENIX Security Symposium (USENIX Security 21)},
year = {2021},
isbn = {978-1-939133-24-3},
pages = {1719--1736},
url = {https://www.usenix.org/conference/usenixsecurity21/presentation/chen-kaixiang},
publisher = {USENIX Association},
month = aug
}

Presentation Video