-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vtable verification during compiling C++ code #341
Comments
I'm supportive! Do you want to try to create a pull request? |
This creates a small overhead on every method call that uses vtables. It is likely to be okay, but I'd like to know a little more about the attacks vs. the performance impact. Are there samples of the attacks & the performance impacts? |
I know about vtable Hijacking attack. This kind of attack is based on memory corruption such as heap overflow to overwrite pointer of a c++objects. These pointers are mostly C++ virtual function address (Class method). Controlling one of these pointers, attackers have full access to the flow of control of an application. GCC offers option to add verification of vtable pointers at run time (-fvtable-verify) so the performance impacts exist. This performance impact is proportional to the objects complexity of a C++ application : The more class methods, the greater the performance impacts. Yes, I want to create a pull request on this topic. This is the first time I've done this, I need help. I think I should clone your repository and apply my modification? Regards, |
@Flo4152 You'll have the easiest time if you first fork the ossf/wg-best-practices-os-developer repo to your own Github profile, apply your changes to your local fork, then create a pull request. You can clone the repository and edit it locally and push your changes to your fork, but Github also supports [editing files online] (https://docs.github.com/en/repositories/working-with-files/managing-files/editing-files). |
The performance impact isn't just on startup, but on every C++ virtual call:
Is there a way to characterize the performance impact? Basically, is it so large that this is test-only, or small enough to realistically use in production? I've not used this option, so I don't have experience with it. |
Caroline Tice played an important role in integrating the vtable verification (VTV) by submitting the commit of this feature in GCC 4.9: https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=2077db1be5b18b94a91095a3fb380bbc4a81e61b She involved on articles that give information about performance penalty. First, she is describe performance penalty following 3 points in article available on GCC website : https://gcc.gnu.org/wiki/cauldron2012?action=AttachFile&do=get&target=cmtice.pdf#page=38
Then, a second article of Caroline Tice about Vtable Verification (VTV) compare Vtable Verification (VTV) in GCC 4.9, Indirect Function Call Checker (IFCC) in LLVM and Indirect Function Call Sanitizer (FSan), in LLVM. This second article give information about performance penalty between these 3 features : https://www.usenix.org/sites/default/files/conference/protected-files/sec14_slides_tice.pdf#page=14 In this second article give a performance penalty between 1.6% and 8.7% for VTV. I've never used this feature in a production environment, but according to these two articles, the performance penalty is real. First, a performance penalty of nearly 10% implied by vtable checking should be taken into consideration by system engineers.
The impact on performance can be assessed using profiling tools such as perf. The trace points of the routines involved in virtual table verification can provide information on the performance threat posed by this feature. In addition, a global profiling of the application built with the I'm going to summarize these information on my pull request about this feature. Regards, |
Has this been addressed by the C/C++ Compiler Hardening options guide? @gkunz @thomasnyman @david-a-wheeler |
Vtable verification during compiling C++ code introduce verifying virtual function pointers at run time. This security feature is available on GCC with this option
-fvtable-verify
(https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#index-fvtable-verify).I don't know equivalent on clang compiler.
Ensuring the integrity of virtual function pointers prevents overwriting pointers on vulnerable binaries.
Do you think this option may have its place on "Compiler Hardening Guide"?
Regards,
The text was updated successfully, but these errors were encountered: