MUSTI: Dynamic Prevention of Invalid Object Initialization Attacks

Invalid object initialization vulnerabilities have been identified since the 1990s by a research group at Princeton University. These vulnerabilities are critical since they can be used to totally compromise the security of a Java virtual machine (JVM). Recently, such a vulnerability identified as CVE-2017-3289 has been found again in the bytecode verifier of the JVM and affects more than 40 versions of the JVM. In this paper, we present a runtime solution called MUSTI to detect and prevent attacks leveraging this kind of critical vulnerabilities. We optimize MUSTI to have a runtime overhead below 0.5% and a memory overhead below 0.42%. Compared with state of the art, MUSTI is completely automated and does not require to manually annotate the code.