
Paper: COUNTERFEIT OBJECT-ORIENTED PROGRAMMING: ON THE DIFFICULTY OF PREVENTING CODE REUSE ATTACKS IN C++ APPLICATIONS

Code reuse attacks such as return-oriented programming (ROP) have become prevalent techniques to exploit memory corruption vulnerabilities in software programs. A variety of corresponding defenses has been proposed, of which some have already been successfully bypassed—and the arms race continues.
In this paper, we perform a systematic assessment of recently proposed CFI solutions and other defenses against code reuse attacks in the context of C++. We demonstrate that many of these defenses that do not consider object-oriented C++ semantics precisely can be generically bypassed in practice. Our novel attack technique, denoted as counterfeit object-oriented programming (COOP), induces malicious program behavior by only invoking chains of existing C++ virtual functions in a program through corresponding existing call sites. COOP is Turing complete in realistic attack scenarios and we show its viability by developing sophisticated, real-world exploits for Internet Explorer 10 on Windows and Firefox 36 on Linux. Moreover, we show that even recently proposed defenses (CPS, T-VIP, vfGuard, and VTint) that specifically target C++ are vulnerable to COOP. We observe that constructing defenses resilient to COOP that do not require access to source code seems to be challenging. We believe that our investigation and results are helpful contributions to the design and implementation of future defenses against control-flow hijacking attacks.

More here: http://syssec.rub.de/media/emma/veroeffentlichungen/2015/03/28/COOP-Oakland15.pdf
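The abstract's point that checks ignoring C++ class semantics leave slack at virtual call sites can be seen in a simplified policy model. This is an added example, not code from the paper or from any of the defenses it names; the class hierarchy, the two policies and all function names are hypothetical and constructed for illustration.

```cpp
#include <iostream>
#include <map>
#include <string>

// Constructed class hierarchy: class -> parent ("" marks a root class).
static const std::map<std::string, std::string> kParent = {
    {"Shape", ""}, {"Circle", "Shape"}, {"Square", "Shape"},
    {"Logger", ""}, {"FileLogger", "Logger"},
};

// True if cls is base itself or inherits from it (walks up the hierarchy).
bool derives_from(const std::string& cls, const std::string& base) {
    for (std::string c = cls; !c.empty();) {
        if (c == base) return true;
        auto it = kParent.find(c);
        if (it == kParent.end()) return false;
        c = it->second;
    }
    return false;
}

// Coarse policy (assumed): the vptr only has to reference some genuine vtable.
bool coarse_allows(const std::string& vtable_class) {
    return kParent.count(vtable_class) != 0;
}

// Hierarchy-aware policy (assumed): the vtable must belong to the call
// site's static type or one of its subclasses, which needs class information.
bool hierarchy_allows(const std::string& static_type, const std::string& vtable_class) {
    return coarse_allows(vtable_class) && derives_from(vtable_class, static_type);
}

// Number of vtables each policy admits at a call site of the given static type.
struct Admitted { int coarse; int hierarchy; };
Admitted admitted_at(const std::string& static_type) {
    Admitted a{0, 0};
    for (const auto& kv : kParent) {
        a.coarse += coarse_allows(kv.first);
        a.hierarchy += hierarchy_allows(static_type, kv.first);
    }
    return a;
}

int main() {
    Admitted a = admitted_at("Shape");
    std::cout << "call site Shape*: coarse admits " << a.coarse
              << " vtables, hierarchy-aware admits " << a.hierarchy << "\n";
}
```

The gap between the two counts is the set of unrelated classes whose virtual functions stay reachable from that call site under the coarse check; the hierarchy-aware check narrows the set but still admits every subclass.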
