Type confusion (or bad casting) is a common vulnerability class affecting C++ software such as web browsers and document readers. The bug occurs when a program typecasts an object to an incompatible type and then uses it as that type. An attacker can exploit this vulnerability to execute malicious code in the target software.
Previous research on detecting type confusion bugs has been performed at the source level. These approaches insert code at the typecasting operator that verifies type compatibility, so detection happens at runtime. They cannot be applied at the binary level, because high-level information such as the class hierarchy and the typecasting operator does not survive in the compiled binary. However, much popular software, such as Adobe Reader, Microsoft Office, third-party software, and legacy software, is provided only in binary form.
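The following C++ example is added here to illustrate the two preceding paragraphs; it is not code from the talk or from BinTyper. It places the bug pattern (an unchecked downcast of a polymorphic object to an incompatible sibling class) next to the kind of source-level mitigation the text describes: a cast wrapper that verifies type compatibility at runtime using the RTTI the compiler already emits. The class names (`Node`, `TextNode`, `ScriptNode`), the helper functions and the detection counter are all assumptions made for the example.

```cpp
// Added example, not from the talk or the BinTyper project. Class and function
// names are invented for illustration.
#include <cstdio>
#include <string>
#include <typeinfo>

struct Node {                        // polymorphic base: carries a vtable pointer
    virtual ~Node() = default;
    virtual const char* kind() const { return "Node"; }
};

struct TextNode : Node {
    const char* kind() const override { return "TextNode"; }
    std::string text = "hello";      // payload that differs from ScriptNode's
};

struct ScriptNode : Node {
    const char* kind() const override { return "ScriptNode"; }
    void (*on_run)(ScriptNode*) = nullptr;   // a code pointer: the dangerous field
};

// Bug pattern: the programmer "knows" n is a ScriptNode and casts blindly.
// If n actually points to a TextNode, on_run aliases bytes of the std::string,
// and using the result is undefined behaviour. This is the type confusion.
ScriptNode* unchecked_downcast(Node* n) {
    return static_cast<ScriptNode*>(n);
}

// Mitigation in the style of source-level detectors: verify the dynamic type
// at the cast site. A mismatch is recorded and the caller receives nullptr
// instead of a confused pointer. This relies on class-hierarchy information
// (RTTI) that a stripped binary usually no longer carries, which is the gap
// a binary-level tool has to fill by recovering equivalent type information.
static int g_confusions_detected = 0;

template <typename To, typename From>
To* checked_downcast(From* p) {
    To* result = dynamic_cast<To*>(p);
    if (p != nullptr && result == nullptr) {
        ++g_confusions_detected;
        std::fprintf(stderr, "type confusion: %s cast to %s\n",
                     p->kind(), typeid(To).name());
    }
    return result;
}

// Walks a mixed list and returns how many elements were safely usable as
// ScriptNode; every incompatible element is counted in g_confusions_detected.
int scan_nodes(Node* const* nodes, int count) {
    int safe = 0;
    for (int i = 0; i < count; ++i) {
        if (checked_downcast<ScriptNode>(nodes[i]) != nullptr) {
            ++safe;                  // safe to touch ->on_run here
        }
    }
    return safe;
}

int main() {
    TextNode t;
    ScriptNode s;
    Node* nodes[] = {&t, &s, &t};    // constructed sample input
    int ok = scan_nodes(nodes, 3);
    std::printf("compatible casts: %d, confusions detected: %d\n",
                ok, g_confusions_detected);
    // For contrast only: this compiles silently and yields a pointer whose
    // fields are lies; dereferencing it is the exploitable bug.
    ScriptNode* confused = unchecked_downcast(&t);
    std::printf("unchecked cast 'succeeded': %p (do not use)\n",
                static_cast<void*>(confused));
    return 0;
}
```

`unchecked_downcast` compiles without any diagnostic, which is exactly why the bug class is hard to catch by inspection; `checked_downcast` turns the same operation into a runtime check that reports and refuses the incompatible cast.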
In this talk, we propose BinTyper, a type confusion detection tool that works at the binary level. BinTyper splits the internal layout of each class into multiple areas via static analysis. It then recovers, via dynamic analysis, the minimum type information required for the binary to execute without triggering a type confusion bug. Based on this information, the target binary can be run with verification that detects type confusion bugs.