Abstract
Efficient detection and instrumentation of function calls is fundamental for a variety of dynamic analysis techniques, including dynamic callgraph construction, control-flow integrity, and automatic vulnerability discovery. A common way of detecting calls at the machine code level is to look for CALL instructions. However, optimizing compilers frequently implement function tail calls with JMP instructions instead, and distinguishing an intra-procedural jump from a JMP-based function call is not straightforward. Despite the importance of making this distinction, prior research has not produced a reliable solution. In this paper, we address the problem of dynamic function call detection in real-time. We propose a heuristic-based approach named iCi to efficiently and automatically instrument calls, including conventional CALLs and JMP-based calls, at runtime. iCi does not rely on source code, debug information, symbol tables or static analysis. We show that iCi achieves an f-score of 0.95 in the worst case, regardless of optimization level. We open-source our implementation as well as the oracle we used for our evaluation.
Original language | English |
---|---|
Title of host publication | ACSAC '18 Proceedings of the 34th Annual Computer Security Applications Conference |
Place of Publication | San Juan, PR |
Publisher | Association for Computing Machinery |
Pages | 618-628 |
Number of pages | 11 |
ISBN (Electronic) | 9781450365697 |
DOIs | |
Publication status | Published - 2018 |
Event | 34th Annual Computer Security Applications Conference, ACSAC 2018 - San Juan, United States Duration: 3 Dec 2018 → 7 Dec 2018 |
Conference
Conference | 34th Annual Computer Security Applications Conference, ACSAC 2018 |
---|---|
Country/Territory | United States |
City | San Juan |
Period | 3/12/18 → 7/12/18 |
Keywords
- Binary analysis
- Dynamic instrumentation
- Reverse-engineering