Now you see me: Real-time dynamic function call detection

Franck De Goër, Sanjay Rawat, Dennis Andriesse, Herbert Bos, Roland Groz

Research output: Chapter in Book / Report / Conference proceeding > Conference contribution > Academic > peer-review


Abstract

Efficient detection and instrumentation of function calls is fundamental for a variety of dynamic analysis techniques, including dynamic callgraph construction, control-flow integrity, and automatic vulnerability discovery. A common way of detecting calls at the machine code level is to look for CALL instructions. However, optimizing compilers frequently implement function tail calls with JMP instructions instead, and distinguishing an intra-procedural jump from a JMP-based function call is not straightforward. Despite the importance of making this distinction, prior research has not produced a reliable solution. In this paper, we address the problem of dynamic function call detection in real-time. We propose a heuristic-based approach named iCi to efficiently and automatically instrument calls, including conventional CALLs and JMP-based calls, at runtime. iCi does not rely on source code, debug information, symbol tables or static analysis. We show that iCi achieves an f-score of 0.95 in the worst case, regardless of optimization level. We open-source our implementation as well as the oracle we used for our evaluation.

Original language: English
Title of host publication: ACSAC '18 Proceedings of the 34th Annual Computer Security Applications Conference
Place of publication: San Juan, PR
Publisher: Association for Computing Machinery
Pages: 618-628
Number of pages: 11
ISBN (Electronic): 9781450365697
DOIs
Publication status: Published - 2018
Event: 34th Annual Computer Security Applications Conference, ACSAC 2018 - San Juan, United States
Duration: 3 Dec 2018 to 7 Dec 2018

Conference

Conference: 34th Annual Computer Security Applications Conference, ACSAC 2018
Country/Territory: United States
City: San Juan
Period: 3/12/18 to 7/12/18

Keywords

  • Binary analysis
  • Dynamic instrumentation
  • Reverse-engineering
