TY - GEN
T1 - Refining Indirect Call Targets at the Binary Level
AU - Kim, Sun Hyoung
AU - Sun, Cong
AU - Zeng, Dongrui
AU - Tan, Gang
N1 - Publisher Copyright:
© 2021 28th Annual Network and Distributed System Security Symposium, NDSS 2021. All Rights Reserved.
PY - 2021
Y1 - 2021
N2 - Enforcing fine-grained Control-Flow Integrity (CFI) is critical for increasing software security. However, for commercial off-the-shelf (COTS) binaries, constructing high-precision Control-Flow Graphs (CFGs) is challenging, because there is no source-level information, such as symbols and types, to assist in indirect-branch target inference. The lack of source-level information brings extra challenges to inferring targets for indirect calls compared to other kinds of indirect branches. Points-to analysis could be a promising solution for this problem, but there is no practical points-to analysis framework for inferring indirect call targets at the binary level. Value set analysis (VSA) is the state-of-the-art binary-level points-to analysis but does not scale to large programs. It is also highly conservative by design and thus leads to low-precision CFG construction. In this paper, we present a binary-level points-to analysis framework called BPA to construct sound and high-precision CFGs. It is a new way of performing points-to analysis at the binary level with the focus on resolving indirect call targets. BPA employs several major techniques, including assuming a block memory model and a memory access analysis for partitioning memory into blocks, to achieve a better balance between scalability and precision. In evaluation, we demonstrate that BPA achieves a 34.5% precision improvement rate over the current state-of-the-art technique without introducing false negatives.
AB - Enforcing fine-grained Control-Flow Integrity (CFI) is critical for increasing software security. However, for commercial off-the-shelf (COTS) binaries, constructing high-precision Control-Flow Graphs (CFGs) is challenging, because there is no source-level information, such as symbols and types, to assist in indirect-branch target inference. The lack of source-level information brings extra challenges to inferring targets for indirect calls compared to other kinds of indirect branches. Points-to analysis could be a promising solution for this problem, but there is no practical points-to analysis framework for inferring indirect call targets at the binary level. Value set analysis (VSA) is the state-of-the-art binary-level points-to analysis but does not scale to large programs. It is also highly conservative by design and thus leads to low-precision CFG construction. In this paper, we present a binary-level points-to analysis framework called BPA to construct sound and high-precision CFGs. It is a new way of performing points-to analysis at the binary level with the focus on resolving indirect call targets. BPA employs several major techniques, including assuming a block memory model and a memory access analysis for partitioning memory into blocks, to achieve a better balance between scalability and precision. In evaluation, we demonstrate that BPA achieves a 34.5% precision improvement rate over the current state-of-the-art technique without introducing false negatives.
UR - http://www.scopus.com/inward/record.url?scp=85118641163&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85118641163&partnerID=8YFLogxK
U2 - 10.14722/ndss.2021.24386
DO - 10.14722/ndss.2021.24386
M3 - Conference contribution
AN - SCOPUS:85118641163
T3 - 28th Annual Network and Distributed System Security Symposium, NDSS 2021
BT - 28th Annual Network and Distributed System Security Symposium, NDSS 2021
PB - The Internet Society
T2 - 28th Annual Network and Distributed System Security Symposium, NDSS 2021
Y2 - 21 February 2021 through 25 February 2021
ER -