vfGuard, it can achieve over 97% target reduction, compared
to BinCFI. Even under suboptimal enforcement using Pin,
vfGuard showed an average overhead of 18.3% per module.
ACKNOWLEDGEMENT
We would like to thank anonymous reviewers for their
comments. We would also like to thank Pallavi Iyengar,
a Master's student at Syracuse University, for helping us evaluate
vfGuard. This research was supported in part by NSF Grant
#1018217, NSF Grant #1054605 and DARPA Cyber Grand
Challenge. Any opinions, findings and conclusions made in
this material are those of the authors and do not necessarily
reflect the views of the funding agencies.