Posters > 2016
HexType: fast type safety for C++ programs
Yuseok Jeon, Hui peng, Mathias Payer
The low-level C++ programming language is used in many areas because of its modularity and performance. Type-casting is an important concept in object-oriented programming to convert a pointer from one object type into another. However, down-casting (converting a base class pointer to a derived class pointer) has critical security implications. Due to missing type and memory safety in C++ a down-casted pointer can violate a programmer's intended pointer semantics, and an attacker can corrupt memory beyond the true boundary of the underlying object. This vulnerability class has recently received increasing attention and is known as type confusion (unsafe down-casting). Several existing approaches detect different forms of type confusion, but these solutions are severely limited due to both high runtime performance and low coverage (e.g., UBSAN only handles type-casting between polymorphic classes, a small subset of all casts).
We introduce a practical technique that has a low runtime performance and broad coverage, covering all type casts in an application. The source for high runtime overhead of existing approaches is the combination of expensive class relation checks and tracking type information for different memory areas. Our approach is novel in three ways: (i) full coverage, checking the type information of all casts, (ii) a fast general type check that leverages an indexed per-object metadata table and local information at the current program location, and (iii) low tracking overhead by leveraging architectural features.