
Defending Against Code Reuse Attack With Class Hierarchy

Posted on: 2017-04-29
Degree: Master
Type: Thesis
Country: China
Candidate: W Zhu
Full Text: PDF
GTID: 2308330485971103
Subject: Computer Science and Technology
Abstract/Summary:
As defenses against code reuse attacks have developed, the attacks themselves have become more and more difficult to detect. In C++ programs especially, the large number of virtual function calls introduced by the dynamic binding mechanism has become the main weakness exposed to code reuse attacks. The main challenge for current virtual function call protection is that, in the absence of source code, it is hard to determine the legitimate destinations of virtual function calls, and therefore hard to defend against code reuse attacks aimed at C++ programs. Because C++ high-level semantics are very difficult to recover from an executable file, current defenses treat all virtual functions as the legitimate target set for virtual function calls. In this paper, we use the C++ ABI to restore the inheritance relationships between virtual function tables from the executable file, and thereby increase the effectiveness of code reuse attack defense.

The main work is as follows:

(1) By analyzing and summarizing existing research on code reuse attacks and their defenses, we conclude that the most practical problem is the lack of an effective defense against code reuse attacks aimed at C++ programs when no source code is available. On this basis, we analyze the existing code reuse attacks aimed at virtual function calls and the corresponding defenses, and find that the difficulty in protecting virtual function calls lies in restoring C++ high-level semantic information from the executable file.

(2) To overcome the shortcomings of existing work, we establish a method that restores the inheritance relationships between virtual function tables from the executable file, in order to protect the virtual function call procedure more precisely and increase the effectiveness of code reuse attack defense.

(3) Through a study of the C++ ABI, we find a method to restore virtual function call sites, virtual function tables, and the inheritance relationships between virtual function tables from the executable file. Based on the information restored from the executable file, we generate a policy that protects virtual function calls at run time and detects code reuse attacks.

(4) We design and implement VCFI, a prototype that defends against code reuse attacks using the class hierarchy. The capability of VCFI to detect code reuse attacks was verified, and the experimental results show that VCFI prevents code reuse attacks effectively.
Keywords/Search Tags:code reuse attack, C++ semantic restore, virtual function call protection