Defending method based on virtual function table hijacking

A virtual function table and virtual function technology, applied in the defense field based on virtual function table hijacking, can solve the problems of high system overhead and small binary file system overhead, and achieve the effect of low overhead and fast speed

Inactive Publication Date: 2016-08-17
BEIJING INSTITUTE OF TECHNOLOGYGY
View PDF5 Cites 11 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0008] Although the automatic reverse analysis is fast and convenient in speed and does not require manual intervention, the subsequent security scheme to protect the binary files causes a large system overhead; while the protected binary files generated by the VTint defense method have a small system overhead, but the entire analysis process Manual intervention is not required

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Defending method based on virtual function table hijacking
  • Defending method based on virtual function table hijacking

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0025] The present invention will be further described below in conjunction with the accompanying drawings.

[0026] Analysis of attack characteristics and overview of defense methods:

[0027] (1) The ultimate goal of the virtual function table hijacking attack is to directly or indirectly modify the virtual function pointer to replace the called virtual function, thereby changing the control flow of the program. Therefore, the virtual function table hijacking attack will definitely cause the address of the final called virtual function to be different from the address in the original virtual function table when the object is generated. By comparing whether the values ​​of the two are consistent, it can be determined whether the virtual function call is normal;

[0028] (2) The virtual function table pointer of the object is located in the front position of the object memory layout, the virtual function table pointer points to the virtual function table, the virtual function ...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

PUM

No PUM Login to view more

Abstract

The invention provides a defense method based on virtual function table hijacking, which can determine the utilization and further attack of potential use-after-free type loopholes in binary executable files. Step 1. Use the static instruction fragmentation and extraction framework to disassemble an executable file as input and generate a control flow graph and assembly language; Step 2. Compress and simplify the assembly language obtained in Step 1; Step 3. vEXTRACTOR in Step 2 Execute backward program slicing on the obtained intermediate language; step 4, extract all low-level semantics satisfying virtual function scheduling from the first three steps, and take out the virtual function scheduling part; step 5, rewrite and configure ID; All reference parameters of the function table are changed to new addresses of vtables, and VRewriter equips each virtual function with a security check to verify the integrity of the target virtual table; step 7, put the execution code equipped with security check into a new The code segment, to ensure that most of the original code department intact.

Description

technical field [0001] The invention belongs to the technical field of memory safety and relates to a defense method based on virtual function table hijacking. Background technique [0002] The memory safety technology can protect the system from various memory damage attacks, and the complete memory safety technology can prevent the occurrence of various memory errors without missing a report. Type-safe languages ​​ensure that memory errors do not occur by checking object boundaries and using automatic garbage collection. Memory safety technology is an attempt to add protection to the program to simulate the nature of type-safe languages. In recent years, researchers have proposed a large number of memory security technologies to protect system security, but due to compatibility, performance overhead and other reasons, they have not been widely used. CCured and Cyclone use "fat pointers" to store additional pointer information, including pointer range and other data, to pr...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

Application Information

Patent Timeline
no application Login to view more
Patent Type & Authority Applications(China)
IPC IPC(8): G06F21/57
CPCG06F21/577G06F2221/033
Inventor 胡昌振单纯王子祥马锐胡晶晶
Owner BEIJING INSTITUTE OF TECHNOLOGYGY
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Try Eureka
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap