When function signature recovery meets compiler optimization
Matching indirect function callees and callers using function signatures recovered from binary executables (number of arguments and argument types) has been proposed to construct a more fine-grained control-flow graph (CFG) to help control-flow integrity (CFI) enforcement. However, various compiler...
Saved in:
| Main Authors: | , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2021
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/6568 https://ink.library.smu.edu.sg/context/sis_research/article/7571/viewcontent/oakland21.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-7571 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-75712022-01-10T03:29:09Z When function signature recovery meets compiler optimization LIN, Yan GAO, Debin Matching indirect function callees and callers using function signatures recovered from binary executables (number of arguments and argument types) has been proposed to construct a more fine-grained control-flow graph (CFG) to help control-flow integrity (CFI) enforcement. However, various compiler optimizations may violate calling conventions and result in unmatched function signatures. In this paper, we present eight scenarios in which compiler optimizations impact function signature recovery, and report experimental results with 1,344 real-world applications of various optimization levels. Most interestingly, our experiments show that compiler optimizations have both positive and negative impacts on function signature recovery, e.g., its elimination of redundant instructions at callers makes counting of the number of arguments more accurate, while it hurts argument type matching as the compiler chooses the most efficient (but potentially different) types at callees and callers. To better deal with these compiler optimizations, we propose a set of improved policies and report our more accurate CFG models constructed from the 1,344 applications. We additionally compare our results recovered from binary executables with those extracted from program source and reveal scenarios where compiler optimization makes the task of accurate function signature recovery undecidable. 2021-05-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/6568 https://ink.library.smu.edu.sg/context/sis_research/article/7571/viewcontent/oakland21.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Information Security |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Information Security |
| spellingShingle |
Information Security LIN, Yan GAO, Debin When function signature recovery meets compiler optimization |
| description |
Matching indirect function callees and callers using function signatures recovered from binary executables (number of arguments and argument types) has been proposed to construct a more fine-grained control-flow graph (CFG) to help control-flow integrity (CFI) enforcement. However, various compiler optimizations may violate calling conventions and result in unmatched function signatures. In this paper, we present eight scenarios in which compiler optimizations impact function signature recovery, and report experimental results with 1,344 real-world applications of various optimization levels. Most interestingly, our experiments show that compiler optimizations have both positive and negative impacts on function signature recovery, e.g., its elimination of redundant instructions at callers makes counting of the number of arguments more accurate, while it hurts argument type matching as the compiler chooses the most efficient (but potentially different) types at callees and callers. To better deal with these compiler optimizations, we propose a set of improved policies and report our more accurate CFG models constructed from the 1,344 applications. We additionally compare our results recovered from binary executables with those extracted from program source and reveal scenarios where compiler optimization makes the task of accurate function signature recovery undecidable. |
| format |
text |
| author |
LIN, Yan GAO, Debin |
| author_facet |
LIN, Yan GAO, Debin |
| author_sort |
LIN, Yan |
| title |
When function signature recovery meets compiler optimization |
| title_short |
When function signature recovery meets compiler optimization |
| title_full |
When function signature recovery meets compiler optimization |
| title_fullStr |
When function signature recovery meets compiler optimization |
| title_full_unstemmed |
When function signature recovery meets compiler optimization |
| title_sort |
when function signature recovery meets compiler optimization |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2021 |
| url |
https://ink.library.smu.edu.sg/sis_research/6568 https://ink.library.smu.edu.sg/context/sis_research/article/7571/viewcontent/oakland21.pdf |
| _version_ |
1770575992788615168 |