On Design Inference from Binaries Compiled using Modern C++ Defenses

Due to the use of code pointers, polymorphism in C++ has been targeted by attackers and defenders alike. Vulnerable programs that violate the runtime object type integrity have been successfully exploited. Particularly, the virtual dispatch mechanism and the type confusion during casting have been targeted.

As a consequence, multiple defenses have been proposed in recent years to defend against attacks that target polymorphism. Particularly, compiler-based defenses incorporate design information—specifically class-hierarchy-related information—into the binary, and enforce runtime security policies to assert type integrity.

In this paper, we perform a systematic evaluation of the side-effects and unintended consequences of compiler-based security. Specifically, we show that application of modern defenses makes reverse engineering and semantic recovery easy. In particular, we show that modern defenses “leak" class hierarchy information, i.e., design information, thereby deter adoption in closed-source software. We consider a comprehensive set of 10 modern C++ defenses and show that 9 out of the 10 at least partially reveal design information as an unintended consequence of the defense. We argue a necessity for design-leakage-sensitive defenses that are preferable for closed-source use.