HOBBIT: Hashed OBject Based InTegrity

Authors: Matthias Bernad, Stefan Brunthaler



Author Details

Matthias Bernad
  • μCSRL – Munich Computer Systems Research Lab, Research Institute CODE, University of the Bundeswehr Munich, Neubiberg, Germany
Stefan Brunthaler
  • μCSRL – Munich Computer Systems Research Lab, Research Institute CODE, University of the Bundeswehr Munich, Neubiberg, Germany

Cite As

Matthias Bernad and Stefan Brunthaler. HOBBIT: Hashed OBject Based InTegrity. In 38th European Conference on Object-Oriented Programming (ECOOP 2024). Leibniz International Proceedings in Informatics (LIPIcs), Volume 313, pp. 7:1-7:25, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2024)
https://doi.org/10.4230/LIPIcs.ECOOP.2024.7

Abstract

C vulnerabilities usually hold verbatim for C++ programs. The counterfeit-object-oriented programming attack demonstrated that this relation is asymmetric, i.e., it only applies to C++. The problem pinpointed by this COOP attack is that C++ does not validate the integrity of its objects. By injecting malicious objects with manipulated virtual function table pointers, attackers can hijack control-flow of programs. The software security community addressed the COOP-problem in the years following its discovery, but together with the emergence of transient-execution attacks, such as Spectre, researchers also shifted their attention. We present Hobbit, a software-only solution to prevent COOP attacks by validating object integrity for virtual function pointer tables. Hobbit does not require any hardware specific features, scales to multi-million lines of C++ source code, and our LLVM-based implementation offers a configurable performance impact between 121.63% and 2.80% on compute-intensive SPEC CPU C++ benchmarks. Hobbit’s security analysis indicates strong resistance to brute forcing attacks and demonstrates additional benefits of using execute-only memory.

Subject Classification

ACM Subject Classification
  • Security and privacy → Software security engineering
  • Software and its engineering → Compilers
Keywords
  • software security
  • code-reuse attacks
  • language-based security
  • counterfeit-object-oriented programming
  • object integrity
  • compiler security
