Title
TypeSan: Practical Type Confusion Detection.
Abstract
The low-level C++ programming language is ubiquitously used for its modularity and performance. Typecasting is a fundamental concept in C++ (and object-oriented programming in general) to convert a pointer from one object type into another. However, downcasting (converting a base class pointer to a derived class pointer) has critical security implications due to potentially different object memory layouts. Due to missing type safety in C++, a downcasted pointer can violate a programmer's intended pointer semantics, allowing an attacker to corrupt the underlying memory in a type-unsafe fashion. This vulnerability class is receiving increasing attention and is known as type confusion (or bad-casting). Several existing approaches detect different forms of type confusion, but these solutions are severely limited due to both high run-time performance overhead and low detection coverage. This paper presents TypeSan, a practical type-confusion detector which provides both low run-time overhead and high detection coverage. Despite improving the coverage of state-of-the-art techniques, TypeSan significantly reduces the type-confusion detection overhead compared to other solutions. TypeSan relies on an efficient per-object metadata storage service based on a compact memory shadowing scheme. Our scheme treats all the memory objects (i.e., globals, stack, heap) uniformly to eliminate extra checks on the fast path and relies on a variable compression ratio to minimize run-time performance and memory overhead. Our experimental results confirm that TypeSan is practical, even when explicitly checking almost all the relevant typecasts in a given C++ program. Compared to the state of the art, TypeSan yields orders of magnitude higher coverage at 4--10 times lower performance overhead on SPEC and 2 times on Firefox. As a result, our solution offers superior protection and is suitable for deployment in production software. Moreover, our highly efficient metadata storage back-end is potentially useful for other defenses that require memory object tracking.
Year: 2016
DOI: 10.1145/2976749.2978405
Venue: ACM Conference on Computer and Communications Security
Field: Pointer (computer programming), Computer security, Computer science, Object type, Placement syntax, Heap (data structure), Spec#, Smart pointer, Type safety, Fast path, Distributed computing
DocType: Conference
Citations: 13
PageRank: 0.55
References: 14
Authors: 7
Name                  Order  Citations  PageRank
Istvan Haller         1      166        11.21
Yuseok Jeon           2      13         0.55
Hui Peng              3      17         1.98
Mathias Payer         4      742        43.10
Cristiano Giuffrida   5      876        49.61
Herbert Bos           6      2127       122.81
Erik van der Kouwe    7      58         9.55