TY - GEN
T1 - Function Interface Analysis
T2 - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017
AU - Qiao, Rui
AU - Sekar, R.
N1 - Publisher Copyright:
© 2017 IEEE.
PY - 2017/8/30
Y1 - 2017/8/30
N2 - Function recognition is one of the key tasks in binary analysis, instrumentation and reverse engineering. Previous approaches for this problem have relied on matching code patterns commonly observed at the beginning and end of functions. While early efforts relied on compiler idioms and expert-identified patterns, more recent works have systematized the process using machine-learning techniques. In contrast, we develop a novel static analysis based method in this paper. In particular, we combine a low-level technique for enumerating candidate functions with a novel static analysis for determining if these candidates exhibit the properties associated with a function interface. Both control-flow properties (e.g., returning to the location at the stack top at the function entry point) and data-flow properties (e.g., parameter passing via registers and the stack, and the degree of adherence to application-binary interface conventions) are checked. Our approach achieves an F1-score above 99% across a broad range of programs across multiple languages and compilers. More importantly, it achieves a 4x or higher reduction in error rate over best previous results.
UR - https://www.scopus.com/pages/publications/85024473898
U2 - 10.1109/DSN.2017.29
DO - 10.1109/DSN.2017.29
M3 - Conference contribution
AN - SCOPUS:85024473898
T3 - Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017
SP - 201
EP - 212
BT - Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 26 June 2017 through 29 June 2017
ER -