CastGuard: Mitigating Type Confusion in C++

Conference:  Black Hat USA 2022

2022-08-11

Summary

The presentation discusses the development of CastGuard, a technology aimed at solving illegal static downcasts in C++ to mitigate type confusion vulnerabilities. The technology is performant and has minimal impact on binary size and optimization. It is currently being tested in Hyper-V and will be rolled out to other Windows components in the future.
  • Type confusion vulnerabilities are a significant bug class that can weaken security and bypass mitigations like memory tagging and hardware solutions.
  • CastGuard is a technology developed to solve illegal static downcasts in C++ to mitigate type confusion vulnerabilities.
  • `dynamic_cast`, the current solution for checked downcasts, is difficult to apply to a large code base and has significant overhead.
  • CastGuard is performant, has minimal impact on binary size and optimization, and can potentially be used to accelerate `dynamic_cast`.
  • CastGuard is currently being tested in Hyper-V and will be rolled out to other Windows components in the future.
The speaker explains that `dynamic_cast`, the current solution for downcasts, has significant overhead and can cause binary size bloat. They give an example where turning on runtime type information (RTTI) for a DLL in Windows caused an 80% binary size regression. CastGuard, by contrast, has a tiny binary size impact and optimizes well, making it a better solution for mitigating type confusion vulnerabilities.

Abstract

Type confusion vulnerabilities offer incredibly powerful primitives to exploit writers. Many traditional types of memory safety issues (bounds violations, temporal safety) can be automatically detected and prevented in some manner, even if it comes at a performance cost (such as using memory tagging or ASAN). Type confusion is different: the issue lies with how a legal (in bounds, still live) allocation is interpreted by the software. While you may be able to detect the side effects of a type confusion (such as an integer being treated as a pointer and crashing), the type confusion itself cannot be deterministically detected.

Building mitigations to generically prevent type confusion is difficult since it typically requires some "identifier" to determine what the type of some object is. Adding identifiers changes object layout, which is an unacceptable breaking change in an operating system with a stable API and ABI surface.

This talk introduces a new mitigation called CastGuard, which uses a tiny instruction sequence in combination with the virtual function table pointer of an object to deterministically prevent illegal static down-casts in C++ code. CastGuard is currently being deployed to a set of Windows components with more coming in the future.
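To make the bug class and the idea behind the mitigation concrete, here is an added C++ example that is not from the talk or from the CastGuard implementation. It shows the unchecked `static_cast` downcast pattern that leads to type confusion, the `dynamic_cast` alternative the abstract mentions, and a deliberately simplified "vftable pointer as identifier" check in the spirit of CastGuard. The class names (`Shape`, `Circle`, `Label`) and helper names (`vptr_of`, `expected_vptr`, `checked_circle_cast`) are constructed for this example; the real CastGuard instruction sequence and its handling of derived-class hierarchies are not reproduced here. Reading the vptr as the object's first pointer-sized word is an ABI assumption (Itanium and MSVC, single polymorphic base at offset 0), not something the C++ standard guarantees.

```cpp
#include <cstring>
#include <string>

// Constructed hierarchy: one polymorphic base and two unrelated derived types
// with different layouts, so a wrong downcast reinterprets live memory.
struct Shape {
    virtual ~Shape() = default;
    virtual std::string name() const { return "Shape"; }
};

struct Circle : Shape {
    double radius = 1.0;
    std::string name() const override { return "Circle"; }
};

struct Label : Shape {
    const char* text = "label";   // sits where Circle expects its double
    std::string name() const override { return "Label"; }
};

// Read the object's virtual function table pointer.
// Assumption (ABI, not standard C++): the single vptr is the first
// pointer-sized word of an object whose polymorphic base is at offset 0.
static const void* vptr_of(const Shape* obj) {
    const void* vptr = nullptr;
    std::memcpy(&vptr, static_cast<const void*>(obj), sizeof vptr);
    return vptr;
}

// vftable of a known-good instance of the target type, captured once.
template <typename T>
static const void* expected_vptr() {
    static T probe;
    return vptr_of(&probe);
}

// The pattern CastGuard targets: an unchecked static downcast. If 'base'
// actually points to a Label, the double read here is the bits of Label::text.
// Never called on a Label in this example; it exists to show the shape of the bug.
double radius_unchecked(Shape* base) {
    return static_cast<Circle*>(base)->radius;
}

// Simplified CastGuard-style check: compare the object's vptr with the vftable
// of the target type before trusting the cast. No RTTI or extra identifier in
// the object is needed; the existing vptr is the type evidence. This toy only
// accepts an exact match, whereas a real mitigation must also accept types
// derived from the target.
Circle* checked_circle_cast(Shape* base) {
    if (base == nullptr || vptr_of(base) != expected_vptr<Circle>()) return nullptr;
    return static_cast<Circle*>(base);
}

// The RTTI-based alternative the abstract contrasts against (needs RTTI on).
Circle* rtti_circle_cast(Shape* base) {
    return dynamic_cast<Circle*>(base);
}

// Safe accessor built on the checked cast: reports failure instead of reading
// a Label's pointer field as a double.
bool radius_checked(Shape* base, double* out) {
    Circle* c = checked_circle_cast(base);
    if (c == nullptr) return false;
    *out = c->radius;
    return true;
}

// Exercises both casts on a genuine Circle and on a Label; true if the
// checked and RTTI casts agree and the confused cast is rejected.
bool self_test() {
    Circle c;
    c.radius = 2.5;
    Label l;
    double r = 0.0;
    bool ok = checked_circle_cast(&c) == &c
           && rtti_circle_cast(&c) == &c
           && checked_circle_cast(&l) == nullptr
           && rtti_circle_cast(&l) == nullptr
           && checked_circle_cast(nullptr) == nullptr
           && radius_checked(&c, &r) && r == 2.5
           && !radius_checked(&l, &r)
           && radius_unchecked(&c) == 2.5;
    return ok;
}
```

The point of the check is that the vptr already present in every polymorphic object serves as the type identifier, so no layout change (and no ABI break) is needed; the cost is one load and one compare per guarded cast, which is why the talk reports minimal binary size and optimization impact compared with enabling RTTI and `dynamic_cast`.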
