Publication Type

Conference Proceeding Article

Version

publishedVersion

Publication Date

11-2023

Abstract

Control-Flow Integrity (CFI) is considered a promising solution for thwarting advanced code-reuse attacks. While the problem of backward-edge protection in CFI is nearly closed, effective forward-edge protection is still a major challenge. The keystone of protecting the forward edge is to resolve indirect call targets. Although this can be done quite accurately with type-based solutions when the program source code is available, it faces difficulties when carried out at the binary level. Since the actual type information is unavailable in COTS binaries, type-based indirect call target matching typically resorts to approximate function signatures inferred from the arity and argument width of indirect callsites and call targets. Doing so with static analysis therefore forces the existing solutions to assume the arity/width boundaries in a way that is too permissive to defeat sophisticated attacks. In this paper, we propose a novel hybrid approach to recover fine-grained function signatures at the binary level, called TypeSqueezer. By observing program behaviors dynamically, TypeSqueezer combines the static analysis results on indirect callsites and call targets, so that both the lower and the upper bounds of their arity/width can be computed according to a philosophy similar to the squeeze theorem. Moreover, the introduction of dynamic analysis also enables TypeSqueezer to approximate the actual type of function arguments instead of representing them only by their widths. Together, these allow TypeSqueezer to significantly refine the capability of indirect call target resolving and to generate approximate CFGs with better accuracy. We have evaluated TypeSqueezer on the SPEC CPU2006 benchmarks as well as several real-world applications. The experimental results suggest that TypeSqueezer achieves higher type-matching precision compared to existing binary-level type-based solutions.
Moreover, we also discuss the intrinsic limitations of static analysis and show that it is not enough to defeat certain types of practical attacks; on the other hand, the same attacks can be successfully thwarted with the hybrid analysis result of our approach.

Keywords

Control-flow integrity, Type inference, Binary executables

Discipline

Artificial Intelligence and Robotics | Databases and Information Systems

Research Areas

Data Science and Engineering; Intelligent Systems and Optimization

Publication

The 30th ACM Conference on Computer and Communications Security (CCS 2023)

First Page

2725

Last Page

2739

ISBN

9798400700507

Identifier

10.1145/3576915.3623214

City or Country

Copenhagen, Denmark

Copyright Owner and License

Authors
