
Scheduled Execution-Based Binary Indirect Call Targets Refinement

Conference paper, Computer Security – ESORICS 2024 (ESORICS 2024)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14984)

Abstract

Inferring the targets of indirect calls in binaries is challenging because the targets are generated dynamically and stripped binaries lack symbol information. Although type analysis and points-to analysis aid the inference, existing methods still yield high false positive rates. This paper introduces a novel scheduled execution framework that identifies indirect call targets with few false positives. We achieve this by executing each basic block once and then combining the observed execution flow with the unexecuted states to infer indirect call targets that were not generated during execution. We implemented the SchedExec prototype and evaluated it on the SPEC2006 integer benchmarks. The results show that SchedExec’s average precision exceeds that of the existing state-of-the-art binary static analysis tool, BPA, by 40.3%, and even outperforms the source-code type analysis tool LLVM-CFI by 30.1%. In addition, SchedExec’s average execution time is 58.1% lower than that of BPA.



Author information

Corresponding author: Liwei Chen


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Shi, Y., Tian, L., Chen, L., Yang, Y., Shi, G. (2024). Scheduled Execution-Based Binary Indirect Call Targets Refinement. In: Garcia-Alfaro, J., Kozik, R., Choraś, M., Katsikas, S. (eds) Computer Security – ESORICS 2024. ESORICS 2024. Lecture Notes in Computer Science, vol 14984. Springer, Cham. https://doi.org/10.1007/978-3-031-70896-1_1

  • DOI: https://doi.org/10.1007/978-3-031-70896-1_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-70895-4

  • Online ISBN: 978-3-031-70896-1

  • eBook Packages: Computer Science (R0)
