TypeSqueezer: When static recovery of function signatures for binary executables meets dynamic analysis

Control-Flow Integrity (CFI) is considered a promising solution in thwarting advanced code-reuse attacks. While the problem of backward-edge protection in CFI is nearly closed, effective forward-edge protection is still a major challenge. The keystone of protecting the forward edge is to resolve indir...

Bibliographic Details
Main Authors: LIN, Ziyi, LI, Jinku, LI, Bowen, MA, Haoyu, GAO, Debin, MA, Jianfeng
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University 2023
Subjects: Control-flow integrity; Type inference; Binary executables; Artificial Intelligence and Robotics; Databases and Information Systems
Online Access: https://ink.library.smu.edu.sg/sis_research/8419
Full text (PDF): https://ink.library.smu.edu.sg/context/sis_research/article/9422/viewcontent/ccs_23.pdf
Institution: Singapore Management University
Full description

Control-Flow Integrity (CFI) is considered a promising solution in thwarting advanced code-reuse attacks. While the problem of backward-edge protection in CFI is nearly closed, effective forward-edge protection is still a major challenge. The keystone of protecting the forward edge is to resolve indirect call targets, which, although it can be done quite accurately using type-based solutions given the program source code, faces difficulties when carried out at the binary level. Since the actual type information is unavailable in COTS binaries, type-based indirect call target matching typically resorts to approximate function signatures inferred using the arity and argument width of indirect callsites and call targets. Doing so with static analysis, therefore, forces the existing solutions to assume the arity/width boundaries in a too-permissive way to defeat sophisticated attacks.

In this paper, we propose a novel hybrid approach to recover fine-grained function signatures at the binary level, called TypeSqueezer. By observing program behaviors dynamically, TypeSqueezer combines the static analysis results on indirect callsites and call targets together, so that both the lower and the upper bounds of their arity/width can be computed according to a philosophy similar to the squeeze theorem. Moreover, the introduction of dynamic analysis also enables TypeSqueezer to approximate the actual type of function arguments instead of only representing them using their widths. These together allow TypeSqueezer to significantly refine the capability of indirect call target resolving, and generate the approximate CFGs with better accuracy. We have evaluated TypeSqueezer on the SPEC CPU2006 benchmarks as well as several real-world applications. The experimental results suggest that TypeSqueezer achieves higher type-matching precision compared to existing binary-level type-based solutions. Moreover, we also discuss the intrinsic limitations of static analysis and show that it is not enough in defeating certain types of practical attacks; while on the other hand, the same attacks can be successfully thwarted with the hybrid analysis result of our approach.

Publication date: 2023-11-01
DOI: 10.1145/3576915.3623214
Collection: Research Collection School Of Computing and Information Systems, Institutional Knowledge at Singapore Management University
License: http://creativecommons.org/licenses/by-nc-nd/4.0/