Publication Type

Conference Proceeding Article

Publication Date

5-2021

Abstract

Matching indirect function callees and callers using function signatures recovered from binary executables (number of arguments and argument types) has been proposed to construct a more fine-grained control-flow graph (CFG) to help control-flow integrity (CFI) enforcement. However, various compiler optimizations may violate calling conventions and result in unmatched function signatures. In this paper, we present eight scenarios in which compiler optimizations impact function signature recovery, and report experimental results with 1,344 real-world applications compiled at various optimization levels. Most interestingly, our experiments show that compiler optimizations have both positive and negative impacts on function signature recovery: e.g., the elimination of redundant instructions at callers makes counting the number of arguments more accurate, while argument type matching suffers because the compiler chooses the most efficient (but potentially different) types at callees and callers. To better deal with these compiler optimizations, we propose a set of improved policies and report the more accurate CFG models constructed from the 1,344 applications. We additionally compare our results recovered from binary executables with those extracted from program source and reveal scenarios where compiler optimization makes the task of accurate function signature recovery undecidable.

Discipline

Information Security

Research Areas

Cybersecurity

Publication

Proceedings of the 42nd IEEE Symposium on Security and Privacy (S&P 2021), 24-27 May

First Page

36

Last Page

52

ISBN

978-172818934-5

Publisher

Institute of Electrical and Electronics Engineers Inc

City or Country

New Jersey, United States

Additional URL

https://doi.org/10.1109/SP40001.2021.00006
