Memory corruption in C/C++ plagues systems since the dawn of computing. While attacks have become harder with the rise of defense techniques like stack cookies, ASLR, and DEP, control-flow hijack attacks are still prevalent. Attacks rely on code reuse, often leveraging some form of information disclosure and type confusion. Stronger defense mechanisms have been proposed but none have seen wide deployment so far due to (i) the time it takes to deploy a security mechanism, (ii) incompatibility with systems/software, and (iii) performance overhead. In this talk, we evaluate the security benefits and limitations of the status quo and look into two upcoming compiler-based defense mechanisms (and their weaknesses): Control-Flow Integrity and Type Sanitization.

Control-Flow Integrity (CFI), an upcoming mitigation, guarantees that the runtime control flow follows the statically determined control-flow graph. CFI requires heavy compiler support to achieve reasonable tight bounds as attackers may reuse any of the valid transitions at any control-flow transfer. CFI stops program execution before a corrupted code pointer is dereferenced but is oblivious to the memory corruption itself, leaving the adversary some leeway.

Type Sanitization protects software against type confusion vulnerabilities where a base class is downcast into a derived class. A type sanitizer tracks the types of all objects and makes type casts explicit through a runtime check to ensure that valid objects are used in casts. Type sanitization prohibits memory corruption for vulnerabilities that leverage type confusion. Combining type awareness with CFI will protect systems against control-flow hijacking that is initiated through type confusion (the majority of today’s attacks). Challenges for combined defenses are performance overhead and compatibility issues.

Mathias Payer is a security researcher and an assistant professor in computer science at Purdue university, leading the HexHive group. He is interested in system and software security. His research focuses on protecting applications in the presence of vulnerabilities, with a focus on memory corruption, control-flow hijacking, and type confusion. Before joining Purdue in 2014, he spent two years as PostDoc in Dawn Song’s BitBlaze group at UC Berkeley. He graduated from ETH Zurich with a Dr. sc. ETH in 2012. In 2014, he founded the b01lers Purdue CTF team. All implementation prototypes from his group are open-source.