Publication Type
Conference Proceeding Article
Version
publishedVersion
Publication Date
11-2023
Abstract
Control-Flow Integrity (CFI) is considered a promising solution for thwarting advanced code-reuse attacks. While the problem of backward-edge protection in CFI is nearly closed, effective forward-edge protection is still a major challenge. The keystone of protecting the forward edge is to resolve indirect call targets. Although this can be done quite accurately using type-based solutions given the program source code, it faces difficulties when carried out at the binary level. Since the actual type information is unavailable in COTS binaries, type-based indirect call target matching typically resorts to approximate function signatures inferred from the arity and argument width of indirect callsites and call targets. Doing so with static analysis alone therefore forces existing solutions to assume arity/width boundaries that are too permissive to defeat sophisticated attacks.

In this paper, we propose a novel hybrid approach to recover fine-grained function signatures at the binary level, called TypeSqueezer. By observing program behaviors dynamically, TypeSqueezer combines the static analysis results on indirect callsites and call targets, so that both the lower and the upper bounds of their arity/width can be computed according to a philosophy similar to the squeeze theorem. Moreover, the introduction of dynamic analysis also enables TypeSqueezer to approximate the actual types of function arguments instead of representing them only by their widths. Together, these allow TypeSqueezer to significantly refine the capability of indirect call target resolution and to generate approximate CFGs with better accuracy. We have evaluated TypeSqueezer on the SPEC CPU2006 benchmarks as well as several real-world applications. The experimental results suggest that TypeSqueezer achieves higher type-matching precision than existing binary-level type-based solutions. Moreover, we also discuss the intrinsic limitations of static analysis and show that it is not enough to defeat certain types of practical attacks, while the same attacks can be successfully thwarted with the hybrid analysis results of our approach.
Keywords
Control-flow integrity, Type inference, Binary executables
Discipline
Artificial Intelligence and Robotics | Databases and Information Systems
Research Areas
Data Science and Engineering; Intelligent Systems and Optimization
Publication
The 30th ACM Conference on Computer and Communications Security (CCS 2023)
First Page
2725
Last Page
2739
ISBN
9798400700507
Identifier
10.1145/3576915.3623214
City or Country
Copenhagen, Denmark
Citation
LIN, Ziyi; LI, Jinku; LI, Bowen; MA, Haoyu; GAO, Debin; and MA, Jianfeng.
TypeSqueezer: When static recovery of function signatures for binary executables meets dynamic analysis. (2023). The 30th ACM Conference on Computer and Communications Security (CCS 2023). 2725-2739.
Available at: https://ink.library.smu.edu.sg/sis_research/8419
Copyright Owner and License
Authors
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.