The lower layers in the modern computing infrastructure
are written in languages threatened by exploitation
of memory management errors. Recently deployed exploit
mitigations such as control-flow integrity (CFI) can
prevent traditional return-oriented programming (ROP)
exploits but are much less effective against newer techniques
such as Counterfeit Object-Oriented Programming
(COOP) that execute a chain of C++ virtual methods.
Since these methods are valid control-flow targets, COOP
attacks are hard to distinguish from benign computations.
Code randomization is likewise ineffective against COOP.
Until now, however, COOP attacks have been limited
to vulnerable C++ applications, which makes it unclear
whether COOP is as general and portable a threat as ROP.
This paper demonstrates the first COOP-style exploit
for Objective-C, the predominant programming language
on Apple's OS X and iOS platforms. We also retrofit the
Objective-C runtime with the first practical and efficient
defense against our novel attack. Our defense is able
to protect complex, real-world software such as iTunes
without recompilation. Our performance experiments
show that the overhead of our defense is low in practice.
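The following C program is an added illustration of the COOP principle the abstract describes; it is not code from the paper and models neither its Objective-C exploit nor its defense. It reduces dynamic dispatch to its common core (every object begins with a pointer to a method table, as a C++ vtable pointer or an Objective-C isa pointer does), supplies a benign loop that invokes one virtual method per object, and guards each indirect call with a hypothetical coarse-grained CFI check that accepts any genuine method entry point. A classic hijack to a non-method address is rejected, while a chain of counterfeit objects that reuse existing tables passes every check and drives the program through an attacker-chosen method sequence. All types, method names and the attacker buffer are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of COOP-style dispatch abuse. Hypothetical types and
 * methods; the CFI check is a stand-in for coarse-grained CFI, not the
 * paper's defense. */

typedef struct Object Object;
typedef void (*Method)(Object *self, long *acc);

/* Every object starts with a pointer to its class's method table, as a
 * C++ vtable pointer or an Objective-C isa pointer does. */
typedef struct {
    const char *name;
    Method run;            /* the virtual method the loop below invokes */
} MethodTable;

struct Object {
    const MethodTable *table;
    long value;
};

/* Legitimate methods compiled into the program. */
static void counter_add(Object *self, long *acc) { *acc += self->value; }
static void counter_mul(Object *self, long *acc) { *acc *= self->value; }
static void logger_run(Object *self, long *acc)  { (void)self; (void)acc; }

static const MethodTable CounterAdd = { "CounterAdd", counter_add };
static const MethodTable CounterMul = { "CounterMul", counter_mul };
static const MethodTable Logger     = { "Logger",     logger_run };

/* Coarse-grained CFI: an indirect call may only land on the entry point of
 * some method in the program. Returns into mid-function gadgets or injected
 * code are rejected. */
static const Method valid_targets[] = { counter_add, counter_mul, logger_run };

static int cfi_allows(Method target) {
    for (size_t i = 0; i < sizeof valid_targets / sizeof valid_targets[0]; i++)
        if (valid_targets[i] == target)
            return 1;
    return 0;
}

/* The benign "main loop": one virtual call per object.
 * Returns the accumulator, or -1 if CFI rejected a call. */
static long dispatch_all(Object *const *objs, size_t n, long acc) {
    for (size_t i = 0; i < n; i++) {
        Method m = objs[i]->table->run;
        if (!cfi_allows(m))
            return -1;
        m(objs[i], &acc);
    }
    return acc;
}

/* Ordinary use: real objects built by the program. (1 + 3) * 4 = 16 */
long benign_run(void) {
    Object a = { &CounterAdd, 3 };
    Object b = { &CounterMul, 4 };
    Object c = { &Logger, 0 };
    Object *objs[] = { &a, &b, &c };
    return dispatch_all(objs, 3, 1);
}

/* Memory the attacker controls after a memory-corruption bug, e.g. a heap
 * buffer. Constructed for the example; no real bug is modelled. */
static union {
    Object as_objects[4];
    unsigned char raw[4 * sizeof(Object)];
} attacker_buf;

/* COOP-style chain: no code is injected and no method table is modified.
 * The attacker writes counterfeit objects whose table pointers reference
 * existing tables, then lets the benign loop run the resulting method
 * sequence. Every target is a genuine method entry, so the CFI check passes
 * and the chain looks like a benign computation: ((0+7)*6+8)*2 = 100 */
long counterfeit_run(void) {
    const Object forged[4] = {
        { &CounterAdd, 7 }, { &CounterMul, 6 },
        { &CounterAdd, 8 }, { &CounterMul, 2 },
    };
    Object *objs[4];
    memcpy(attacker_buf.raw, forged, sizeof forged);   /* the corrupting write */
    for (size_t i = 0; i < 4; i++)
        objs[i] = &attacker_buf.as_objects[i];
    return dispatch_all(objs, 4, 0);
}

/* Contrast: diverting the call to a non-method address (stand-in for
 * injected or mid-function code) is what CFI stops. */
static void not_a_method(Object *self, long *acc) { (void)self; *acc = 999; }
static const MethodTable Forged = { "Forged", not_a_method };

long hijack_run(void) {
    Object fake = { &Forged, 0 };
    Object *objs[] = { &fake };
    return dispatch_all(objs, 1, 0);
}

int main(void) {
    printf("benign=%ld counterfeit=%ld hijack=%ld\n",
           benign_run(), counterfeit_run(), hijack_run());
    return 0;
}
```

The point the abstract makes falls out of the three results: the hijack is blocked because its target is not a method entry, but the counterfeit chain is accepted because every call it makes is one the CFI policy must allow for the benign loop to work at all. Randomizing code addresses does not help either, since the counterfeit objects reference the tables by pointer rather than by address known in advance, once one table address has leaked.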