BinTyper: Type Confusion Detection for C++ Binaries

Presented at Black Hat Europe 2020 Virtual, Dec. 10, 2020, 10:20 a.m. (30 minutes).

Type confusion bug (or bad casting) is a popular vulnerability class that attacks C++ software like web browser, document reader. This bug occurs once a program typecasts and uses an object as an incompatible type. An attacker can exploit this vulnerability to execute malicious code in the target software.

Previous research to detect type confusion bugs has been performed at the source-level. It inserts codes that verify type compatibility in the typecasting operator to perform detection at runtime. These approaches cannot be applied in binary-level, because high-level information such as class hierarchy and the typecasting operator does not exist in the compiled binary. However, many popular software such as Adobe Reader, Microsoft Office, third-party software, and legacy software are provided in binary format.

In this talk, we propose BinTyper, a type confusion detection tool that can be used in binary-level. BinTyper splits internal layout of classes into multiple areas via static analysis. After that BinTyper recovers the minimum type information required for the binary to be executed without triggering the type confusion bug via dynamic analysis. Based on this information, the target binary can be executed with the verification to detect the type confusion bug.


Presenters:

  • Dongju Kim - Masters Student, Korea University
    <span>Dongju Kim is a graduate student at SANE LAB, Korea University. His research areas focus on static binary analysis and software vulnerability analysis.</span>
  • Seungjoo Kim - Professor, Korea University
    Seungjoo (Gabriel) Kim is a professor at the School of Cybersecurity in Korea University from 2011 and his research areas focus on secure SDLC, security engineering, cryptography and blockchain. For the past seven years, he was an associate professor of Sungkyunkwan University and has five years of back ground of team leader of Cryptographic Technology Team and also IT Security Evaluation Team of KISA(Korea Internet & Security Agency). In addition to being a professor, he is positioning a head of SANE(Security Assessment aNd Engineering) Lab, an adviser of undergraduate hacking club 'CyKor', a founder/advisory director of an international security & hacking conference 'SECUINSIDE'. Since 2018, he has been a review board member of Black Hat Asia.

Links:

Similar Presentations: