Paper title
Devil is Virtual: Reversing Virtual Inheritance in C++ Binaries
Authors
Abstract
Complexities that arise from the implementation of object-oriented concepts in C++, such as virtual dispatch and dynamic type casting, have attracted the attention of attackers and defenders alike. Binary-level defenses depend on full and precise recovery of the class inheritance tree of a given program. While current solutions focus on recovering single and multiple inheritance from the binary, they are oblivious to virtual inheritance. Conventional wisdom among binary-level defenses is that virtual inheritance is uncommon and/or that support for single and multiple inheritance provides implicit support for virtual inheritance. In this paper, we show neither to be true. Specifically, (1) we present an efficient technique to detect virtual inheritance in C++ binaries and show through a study that virtual inheritance can be found in a non-negligible number (more than 10% on Linux and 12.5% on Windows) of real-world C++ programs, including MySQL and libstdc++. (2) We show that failure to handle virtual inheritance introduces both false positives and false negatives in the hierarchy tree. These false positives and negatives either introduce attack surface when the recovered hierarchy is used to enforce CFI policies, or make the hierarchy difficult to understand when it is needed for program understanding (e.g., during decompilation). (3) We present a solution to recover virtual inheritance from COTS binaries. We recover a maximum of 95% and 95.5% (GCC -O0) and a minimum of 77.5% and 73.8% (Clang -O2) of virtual and intermediate bases respectively in the virtual inheritance tree.
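The abstract's core observation is that virtual inheritance does not fit the fixed-offset model that single and multiple inheritance recovery relies on. The following added example (written for this page, not code from the paper or its authors) builds a virtual diamond and measures why: the same `Left` class sits at different distances from its virtual `Base` depending on the most-derived object, and that distance is stored in the vtable rather than baked into the code. It assumes the Itanium C++ ABI (GCC/Clang on x86-64), where the virtual-base offset is the slot three pointer-widths before the vtable address point.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Diamond in which both Left and Right declare Base as a virtual base,
// so a Derived object contains exactly one Base subobject.
struct Base    { virtual ~Base() {}        int b = 0; };
struct Left    : virtual Base { virtual ~Left() {}  int l = 1; };
struct Right   : virtual Base { virtual ~Right() {} int r = 2; };
struct Derived : Left, Right  { ~Derived() override {} int d = 3; };

static const char* bytes(const void* p) { return static_cast<const char*>(p); }

// Byte distance from a Left subobject to its virtual Base subobject. The
// compiler cannot hard-code this: it depends on the most-derived type.
std::ptrdiff_t left_to_base(const Left* l) {
    const Base* base = l;   // derived-to-virtual-base conversion
    return bytes(base) - bytes(l);
}

// Itanium C++ ABI (assumption): with one virtual base, the vtable holds the
// vbase offset at vptr[-3], just before offset-to-top and the RTTI pointer.
// This is the slot a binary analysis would read to recognise virtual inheritance.
std::ptrdiff_t vbase_offset_from_vtable(const Left* l) {
    const std::intptr_t* vptr;
    std::memcpy(&vptr, l, sizeof vptr);   // first word of the object is the vptr
    return static_cast<std::ptrdiff_t>(vptr[-3]);
}

std::ptrdiff_t standalone_left_offset() { Left l;    return left_to_base(&l); }
std::ptrdiff_t embedded_left_offset()   { Derived d; return left_to_base(static_cast<Left*>(&d)); }

// Same Left class, two different Base offsets: this is what breaks a recovery
// that assumes each base lies at a fixed offset inside its derived class.
bool offset_depends_on_most_derived() { return standalone_left_offset() != embedded_left_offset(); }

// The vtable slot agrees with the measured layout in both cases.
bool vtable_slot_matches_layout() {
    Left l; Derived d;
    return vbase_offset_from_vtable(&l) == left_to_base(&l)
        && vbase_offset_from_vtable(&d) == left_to_base(&d);
}

// Both paths through the diamond reach one shared Base, and it sits at the end
// of the object rather than at offset 0 like a primary (non-virtual) base.
bool single_shared_base_not_at_offset_zero() {
    Derived d;
    const Base* via_left  = static_cast<const Left*>(&d);
    const Base* via_right = static_cast<const Right*>(&d);
    return via_left == via_right && bytes(via_left) != bytes(&d);
}
```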
