Abstract

Type confusion, often combined with use-after-free, is the main attack vector used to compromise modern C++ software such as browsers or virtual machines. Typecasting is a core principle that enables modularity in C++. For performance, most typecasts are only checked statically, i.e., the check only tests whether a cast is allowed for the given type hierarchy, ignoring the actual runtime type of the object. Casting an object of an incompatible base type down into a derived type results in type confusion. Attackers have been abusing such type confusion vulnerabilities to compromise popular software products including Adobe Flash, PHP, Google Chrome, and Firefox, raising critical security concerns.
We discuss the details of this vulnerability type, how such vulnerabilities relate to memory corruption, and how they can be exploited. Based on an LLVM-based sanitizer that we developed, we will show how to discover such vulnerabilities in large software through targeted fuzzing along the type hierarchy. By selecting a subset of the type hierarchy, the fuzzer focuses on finding violations in a constrained space, restricting the set of false positives and allowing the researcher to better triage actual bugs.
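The gap the abstract describes, between a cast the compiler accepts for the type hierarchy and the runtime type of the object, is small enough to show in a few lines. The following is an added example written for this page; it is not code from the authors or from their sanitizer. The class names (`Base`, `Widget`, `Button`) and the helper functions are constructed for illustration, and the runtime check is a plain `dynamic_cast`, which stands in for the kind of check an instrumenting sanitizer would insert rather than reproducing the paper's LLVM pass.

```cpp
// Added example (not from the paper): a statically checked downcast versus
// one that also verifies the runtime type of the object.
#include <cstdio>

// Constructed hierarchy: both Widget and Button derive from Base, so the
// compiler accepts static_cast<Widget*>(Base*) and static_cast<Button*>(Base*)
// for any Base*, regardless of which object is actually behind the pointer.
struct Base {
    virtual ~Base() = default;
    int id = 0;
};

struct Widget : Base {
    int width = 16;
};

struct Button : Base {
    const char *label = "ok";   // different layout than Widget
};

// Static-only cast: the compiler checks that Widget derives from Base and
// nothing else. If obj actually points to a Button, the read of w->width
// reinterprets Button's memory as a Widget (type confusion, undefined
// behaviour). Callers are responsible for never passing the wrong type.
int unchecked_width(Base *obj) {
    Widget *w = static_cast<Widget *>(obj);
    return w->width;
}

// Runtime-checked variant: dynamic_cast consults the object's RTTI and
// yields nullptr when the runtime type is not a Widget, so the confused
// access is refused instead of silently reading the wrong layout.
bool checked_width(Base *obj, int &out) {
    Widget *w = dynamic_cast<Widget *>(obj);
    if (w == nullptr) {
        return false;   // hierarchy allows the cast, runtime type does not
    }
    out = w->width;
    return true;
}

// Reports whether a cast of obj to Widget* would be a type confusion,
// i.e. allowed statically but wrong for the actual object.
bool would_confuse_as_widget(Base *obj) {
    return dynamic_cast<Widget *>(obj) == nullptr;
}

int main() {
    Widget w;
    Button b;
    int width = 0;

    // Correct runtime type: both paths agree.
    std::printf("widget via static cast: %d\n", unchecked_width(&w));
    std::printf("widget via checked cast: ok=%d width=%d\n",
                checked_width(&w, width), width);

    // Wrong runtime type: the unchecked path is never called here because
    // it would be undefined behaviour; the checked path reports the mismatch.
    std::printf("button cast to widget would confuse: %d\n",
                would_confuse_as_widget(&b));
    std::printf("button via checked cast: ok=%d\n", checked_width(&b, width));
    return 0;
}
```

The unchecked path is what most production C++ relies on for speed; the checked path is what a sanitizer effectively adds at every downcast during fuzzing, and restricting instrumentation to a subset of the hierarchy (as the abstract describes) keeps that cost and the resulting report volume manageable.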