Subversive-C: Abusing and Protecting Dynamic Message Dispatch

  • Julian Lettner
  • Benjamin Kollenda
  • Andrei Homescu
  • Per Larsen
  • Felix Schuster
  • Lucas Davi
  • Ahmad-Reza Sadeghi
  • Thorsten Holz
  • Michael Franz

2016 USENIX Annual Technical Conference (USENIX ATC 16)

Published by USENIX Association

The lower layers in the modern computing infrastructure are written in languages threatened by exploitation of memory management errors. Recently deployed exploit mitigations such as control-flow integrity (CFI) can prevent traditional return-oriented programming (ROP) exploits but are much less effective against newer techniques such as Counterfeit Object-Oriented Programming (COOP) that execute a chain of C++ virtual methods. Since these methods are valid control-flow targets, COOP attacks are hard to distinguish from benign computations. Code randomization is likewise ineffective against COOP. Until now, however, COOP attacks have been limited to vulnerable C++ applications, which makes it unclear whether COOP is as general and portable a threat as ROP. This paper demonstrates the first COOP-style exploit for Objective-C, the predominant programming language on Apple’s OS X and iOS platforms. We also retrofit the Objective-C runtime with the first practical and efficient defense against our novel attack. Our defense is able to protect complex, real-world software such as iTunes without recompilation. Our performance experiments show that the overhead of our defense is low in practice.