Extensible Virtual Call Integrity

COMPUTER SECURITY - ESORICS 2022, PT III (2022)

Abstract
Virtual calls in C++ are known to be vulnerable to control-flow attacks, and Virtual Call Control Flow Integrity (VCFI) is a proposed defense. However, most existing VCFI defenses are incompatible with real-world C++ software that needs extensibility in the form of dynamic loading, foreign language interfaces, etc. In this paper, we propose a novel and extensible VCFI mechanism, namely eVCFI, that is flexible enough to handle such software requirements. eVCFI uses Approximate Membership Query (AMQ) filters, recasting VCFI as an efficient set membership query, giving an O(1) time VCFI check that can be implemented in only a few instructions, all while supporting extensibility and multi-threading. We compare eVCFI with existing VCFIs, showing that we can achieve more accurate policies or extensibility compared with other VCFI mechanisms designed for efficiency or modularity. Evaluation of eVCFI shows a small 1.3% overhead with SPEC 2006. Furthermore, we evaluate eVCFI against the Firefox web browser: an example of large/complex C++ software that uses both dynamic loading and a foreign language interface (Rust). We show that eVCFI can protect Firefox with a small overhead of 1.15%. We believe that eVCFI is the first VCFI defense able to protect complex software like Firefox.
Keywords
integrity, virtual, call
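
A sketch of the idea stated in the abstract, a virtual-call check recast as an AMQ set-membership query. It is an added example, not the eVCFI implementation. It assumes a Bloom filter as the AMQ structure, keyed on a (static type id, vtable address) pair; the filter size, the hash function and the names `allow_pair` and `vcall_allowed` are hypothetical.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdint>

// Assumed parameters for this sketch (not from the paper).
constexpr std::size_t kBits = 1u << 16;  // filter size in bits
constexpr int kHashes = 3;               // probes per query

// Static storage: starts zeroed, i.e. an empty set.
static std::atomic<std::uint64_t> g_filter[kBits / 64];

// splitmix64 finalizer, used here as a cheap bit mixer.
static std::uint64_t mix(std::uint64_t x) {
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    return x ^ (x >> 31);
}

// Bit index of the i-th probe for a (static type id, vtable address) pair.
static std::size_t probe(std::uint64_t type_id, std::uintptr_t vptr, int i) {
    std::uint64_t h = mix(mix(type_id) ^ static_cast<std::uint64_t>(vptr));
    return static_cast<std::size_t>(mix(h + static_cast<std::uint64_t>(i)) % kBits);
}

// Register a valid pair, e.g. when a dynamically loaded module brings new
// classes. Insertion only sets bits, so it can race safely with checks.
void allow_pair(std::uint64_t type_id, std::uintptr_t vptr) {
    for (int i = 0; i < kHashes; ++i) {
        std::size_t b = probe(type_id, vptr, i);
        g_filter[b / 64].fetch_or(1ULL << (b % 64), std::memory_order_release);
    }
}

// Check performed before a virtual call: a fixed number of probes, so O(1).
bool vcall_allowed(std::uint64_t type_id, std::uintptr_t vptr) {
    for (int i = 0; i < kHashes; ++i) {
        std::size_t b = probe(type_id, vptr, i);
        std::uint64_t word = g_filter[b / 64].load(std::memory_order_acquire);
        if (((word >> (b % 64)) & 1ULL) == 0) return false;
    }
    return true;
}
```

A Bloom filter has no false negatives, so a registered pair is never rejected; an unregistered pair is accepted only with the filter's false-positive probability.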