Abstract-Virtual function calls are one of the most popular control-flow hijack attack targets. Compilers use a virtual function pointer table, called a VTable, to dynamically dispatch virtual function calls. These VTables are read-only, but pointers to them are not. VTable pointers reside in objects that are writable, allowing attackers to overwrite them. As a result, attackers can divert the control-flow of virtual function calls and launch VTable hijacking attacks. Researchers have proposed several solutions to protect virtual calls. However, they either incur high performance overhead or fail to defeat some VTable hijacking attacks.In this paper, we propose a lightweight defense solution, VTrust, to protect all virtual function calls from VTable hijacking attacks. It consists of two independent layers of defenses: virtual function type enforcement and VTable pointer sanitization. Combined with modern compilers' default configuration, i.e., placing VTables in read-only memory, VTrust can defeat all VTable hijacking attacks and supports modularity, allowing us to harden applications module by module. We have implemented a prototype on the LLVM compiler framework. Our experiments show that this solution only introduces a low performance overhead, and it defeats real world VTable hijacking attacks.
Memory corruption errors in C/C++ programs remain the most common source of security vulnerabilities in today’s systems. Control-flow hijacking attacks exploit memory corruption vulnerabilities to divert program execution away from the intended control flow. Researchers have spent more than a decade studying and refining defenses based on Control-Flow Integrity (CFI); this technique is now integrated into several production compilers. However, so far, no study has systematically compared the various proposed CFI mechanisms nor is there any protocol on how to compare such mechanisms. We compare a broad range of CFI mechanisms using a unified nomenclature based on (i) a qualitative discussion of the conceptual security guarantees, (ii) a quantitative security evaluation, and (iii) an empirical evaluation of their performance in the same test environment. For each mechanism, we evaluate (i) protected types of control-flow transfers and (ii) precision of the protection for forward and backward edges. For open-source, compiler-based implementations, we also evaluate (iii) generated equivalence classes and target sets and (iv) runtime performance.
C++ relies on object type information for dynamic dispatch and casting. The association of type information to an object is implemented via the virtual table pointer, which is stored in the object itself. As C++ has neither memory nor type safety, adversaries may therefore overwrite an object's type. If the corrupted type is used for dynamic dispatch, the attacker has hijacked the application's control flow. This vulnerability is widespread and commonly exploited. Firefox, Chrome, and other major C++ applications are network facing, commonly attacked, and make significant use of dynamic dispatch. Control-Flow Integrity (CFI) is the state of the art policy for efficient mitigation of control-flow hijacking attacks. CFI mechanisms determine statically (i.e., at compile time) the set of functions that are valid at a given call site, based on C++ semantics. We propose an orthogonal policy, Object Type Integrity (OTI), that dynamically tracks object types. Consequently, instead of allowing a set of targets for each dynamic dispatch on an object, only the single, correct target for the object's type is allowed. To show the efficacy of OTI, we present CFIXX, which enforces OTI. CFIXX enforces OTI by dynamically tracking the type of each object and enforcing its integrity against arbitrary writes. CFIXX has minimal overhead on CPU bound applications such as SPEC CPU2006-4.98%. On key applications like Chromium, CFIXX has negligible overhead on JavaScript benchmarks: 2.03% on Octane, 1.99% on Kraken, and 2.80% on JetStream. We show that CFIXX can be deployed in conjunction with CFI, providing a significant security improvement.
This article presents a new technique for identifying cracks in wind turbine blades undergoing operational loads using the Vibro-Acoustic Modulation technique. Vibro-Acoustic Modulation utilizes a low-frequency pumping excitation signal in conjunction with a high-frequency probing excitation signal to create the modulation that is used to identify cracks. Wind turbines provide the ideal conditions in which Vibro-Acoustic Modulation can be utilized because wind turbines experience large low-frequency structural vibrations during operation which can serve as the low-frequency pumping excitation signal. In this article, the theory for the vibro-acoustic technique is described, and the proposed crack detection technique is demonstrated with Vibro-Acoustic Modulation experiments performed on a small Whisper 100 wind turbine in operation. The experimental results are also compared with two other conventional vibro-acoustic techniques in order to validate the new technique. Finally, a computational study is demonstrated for choosing a proper probing signal with a finite element model of the cracked blade to maximize the sensitivity of the technique for detecting cracks.
An analysis of the 1997 Geoacoustic Inversion Workshop test case data was carried out to benchmark the performance of a Genetic Algorithm (GA) inversion code called SAGA_INV.1 The inversion program made use of Westwood's ORCA propagation model,2 FORTRAN subroutines, and Interactive Data Language (Research Systems Inc. IDL). SAGA_INV is capable of performing inversions with either Simulated Annealing (SA) or GA optimization schemes; however, only the GA portion of the code has been benchmarked with the workshop test cases at the present time. Not all of the workshop test cases were processed: this study was concerned only with the CAL, SD, SO, AT, and WA data sets. The CAL data was processed using three different cost functions: (i) standard Bartlett processor, (ii) a broadband coherent processor, and (iii) a transmission loss mismatch function. These processors were applied to three frequency bands: (i) 76 frequencies between 25 Hz and 100 Hz, (ii) nine frequencies between 28 Hz and 36 Hz, and (iii) 13 frequencies between 44 Hz and 56 Hz. The latter two frequency regimes were intended to simulate 1/3-octave bands centered at 32 Hz and 50 Hz, respectively. Four different receiving arrays were simulated: (i) a 1550 m aperture horizontal, bottom mounted array at approximately 1-km range, (ii) a similar array at approximately 4.2-km range, (iii) a 55-m aperture 12-element vertical array located at 1-km range, and (iv) a similar vertical array at 5-km range. In addition to processing the CAL data set, all three subcases of the SD, SO, AT, and WA data sets were also processed; however, only the transmission loss cost function and the two simulated 1/3-octave bands were considered for these test cases.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
customersupport@researchsolutions.com
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.