OCFI: Make Function Entry Identification Hard Again
Function entry identification is a crucial yet challenging task for binary disassemblers that has been the focus of research in the past decades. However, recent researches show that call frame information (CFI) provides accurate and almost complete function entries. With the aid of CFI, disassemblers have significant improvements in function entry detection. CFI is specifically designed for efficient stack unwinding, and every function has corresponding CFI in x64 and aarch64 architectures. Nevertheless, not every function and instruction unwinds the stack at runtime, and this observation has led to the development of techniques such as obfuscation to complicate function detection by disassemblers.
We propose a prototype of OCFI to obfuscate CFI based on this observation. The goal of OCFI is to obstruct function detection of popular disassemblers that use CFI as a way to detect function entries. We evaluated OCFI on a large-scale dataset that includes real-world applications and automated generation programs, and found that the obfuscated CFI was able to correctly unwind the stack and make the detection of function entries of popular disassemblers more difficult. Furthermore, on average, OCFI incurs a size overhead of only 4% and nearly zero runtime overhead.
Tue 18 JulDisplayed time zone: Pacific Time (US & Canada) change
13:30 - 15:00 | ISSTA 4: Static AnalysisTechnical Papers at Smith Classroom (Gates G10) Chair(s): Christian Hammer University of Passau | ||
13:30 15mTalk | Detecting Vulnerabilities in Linux-Based Embedded Firmware with SSE-Based On-Demand Alias Analysis Technical Papers Kai Cheng Shenzhen Institute of Advanced Technology at Chinese Academy of Sciences; Sangfor Technologies, Yaowen Zheng Nanyang Technological University, Tao Liu Pennsylvania State University, Le Guan University of Georgia, Peng Liu Pennsylvania State University, Hong Li Institute of Information Engineering at Chinese Academy of Sciences, Hongsong Zhu Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Kejiang Ye Shenzhen Institute of Advanced Technology at Chinese Academy of Sciences, Limin Sun Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences DOI | ||
13:45 15mTalk | Beware of the Unexpected: Bimodal Taint AnalysisACM SIGSOFT Distinguished Paper Technical Papers DOI | ||
14:00 15mTalk | OCFI: Make Function Entry Identification Hard Again Technical Papers Chengbin Pang Nanjing University, Tiantai Zhang Nanjing University, Xuelan Xu Nanjing University, Linzhang Wang Nanjing University, Bing Mao Nanjing University DOI | ||
14:15 15mTalk | Tai-e: A Developer-Friendly Static Analysis Framework for Java by Harnessing the Good Designs of Classics Technical Papers DOI Pre-print | ||
14:30 15mTalk | That’s a Tough Call: Studying the Challenges of Call Graph Construction for WebAssemblyACM SIGSOFT Distinguished Artifact Technical Papers Daniel Lehmann University of Stuttgart, Michelle Thalakottur Northeastern University, Frank Tip Northeastern University, Michael Pradel University of Stuttgart DOI | ||
14:45 15mTalk | Eunomia: Enabling User-Specified Fine-Grained Search in Symbolically Executing WebAssembly BinariesACM SIGSOFT Distinguished Paper Technical Papers Ningyu He Peking University, Zhehao Zhao Peking University, Jikai Wang Huazhong University of Science and Technology, Yubin Hu Beijing University of Posts and Telecommunications, Shengjian (Daniel) Guo Baidu Security, Haoyu Wang Huazhong University of Science and Technology, Guangtai Liang Huawei Cloud Computing Technologies, Ding Li Peking University, Xiangqun Chen Peking University, Yao Guo Peking University DOI | ||