Scheduled Execution-Based Binary Indirect Call Targets Refinement

Published: 2024, Last Modified: 06 Nov 2025. Venue: ESORICS (3) 2024. License: CC BY-SA 4.0.
Abstract: Inferring the targets of indirect calls in a binary is challenging because targets are generated dynamically and stripped binaries carry no symbol information. Type analysis and points-to analysis aid the inference, but existing methods still yield high false-positive rates. This paper introduces a novel scheduled execution framework that identifies indirect call targets with few false positives. We achieve this by executing each basic block once and then combining the observed execution flow with the states of unexecuted paths to infer indirect call targets that were not generated during execution. We implemented the SchedExec prototype and evaluated it on the SPEC2006 integer benchmarks. The results show that SchedExec's average precision exceeds that of the existing state-of-the-art binary static analysis tool BPA by 40.3%, and even outperforms the source-code type analysis tool LLVM-CFI by 30.1%. In addition, SchedExec's average execution time is 58.1% lower than that of BPA.
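To make the core idea of the abstract concrete, the following is an added toy illustration; it is not SchedExec's code and does not reproduce the paper's algorithm. It models a stripped binary as a constructed control-flow graph over a tiny invented instruction set, schedules every basic block to run exactly once (reverse postorder over an assumed acyclic CFG, with unreachable blocks appended), and hands the exit state of a conditional branch to both successors, so the block a concrete run would skip (`bb_b`) still contributes its state to the indirect call in `dispatch`. Register and memory cells hold sets of values rather than one concrete value so that states from several predecessors can be merged. The function names, addresses, block names and the ground-truth target set are all constructed for the example; the comparison against an address-taken baseline only shows why a per-block execution can be more precise than "any address-taken function is a target", not the precision figures reported in the paper.

```python
"""Toy scheduled execution for indirect-call target inference.

Added illustration, not SchedExec's code: every basic block is executed exactly
once, in an order where all predecessors (including the not-taken side of a
conditional branch) have already contributed their exit state, so call sites
in blocks a concrete run would skip still get resolved.
"""
from collections import defaultdict

# Constructed address map for the functions of the toy program.
FUNCS = {"handler_a": 0x1000, "handler_b": 0x2000, "handler_c": 0x3000, "log": 0x4000}
ADDR2NAME = {addr: name for name, addr in FUNCS.items()}

# Constructed program. Instruction forms:
#   ("mov", reg, imm)      reg := imm
#   ("lea", reg, func)     reg := &func  (func becomes address-taken)
#   ("store", addr, reg)   mem[addr] := reg
#   ("load", reg, addr)    reg := mem[addr]
#   ("icall", reg)         indirect call through reg
#   ("cjmp", reg, t, f)    branch on reg; ("jmp", t); ("ret",)
PROGRAM = {
    "entry":    [("mov", "r0", 1), ("lea", "r1", "log"),
                 ("cjmp", "r0", "bb_a", "bb_b")],         # a concrete run takes bb_a only
    "bb_a":     [("lea", "r2", "handler_a"), ("store", 0x100, "r2"), ("jmp", "dispatch")],
    "bb_b":     [("lea", "r2", "handler_b"), ("store", 0x100, "r2"), ("jmp", "dispatch")],
    "dispatch": [("load", "r3", 0x100), ("icall", "r3"), ("ret",)],
    "unused":   [("lea", "r4", "handler_c"), ("ret",)],   # unreachable, but handler_c is address-taken
}


def successors(program, block):
    term = program[block][-1]
    if term[0] == "cjmp":
        return [term[2], term[3]]
    if term[0] == "jmp":
        return [term[1]]
    return []


def schedule(program, entry="entry"):
    """Reverse postorder from entry, so each block runs after all its predecessors
    (assumes an acyclic CFG); unreachable blocks are appended so that every
    block still executes exactly once."""
    order, seen = [], set()

    def visit(block):
        seen.add(block)
        for succ in successors(program, block):
            if succ not in seen:
                visit(succ)
        order.append(block)

    visit(entry)
    order.reverse()
    return order + [b for b in program if b not in seen]


def merge(into, frm):
    """Union per-location value sets: the 'unexecuted state' of a not-taken
    branch is combined with whatever the other predecessors produced."""
    for key, vals in frm.items():
        into.setdefault(key, set()).update(vals)


def run_block(program, block, regs, mem, targets):
    """Execute one block over value sets; record icall targets per call site."""
    regs = {k: set(v) for k, v in regs.items()}
    mem = {k: set(v) for k, v in mem.items()}
    for idx, ins in enumerate(program[block]):
        op = ins[0]
        if op == "mov":
            regs[ins[1]] = {ins[2]}
        elif op == "lea":
            regs[ins[1]] = {FUNCS[ins[2]]}
        elif op == "store":
            mem[ins[1]] = set(regs.get(ins[2], ()))
        elif op == "load":
            regs[ins[1]] = set(mem.get(ins[2], ()))
        elif op == "icall":
            targets[(block, idx)] |= regs.get(ins[1], set())
        # cjmp / jmp / ret have no data effect here; the scheduler handles flow
    return regs, mem


def scheduled_execution(program, entry="entry"):
    """Return {call_site: set(function names)} after executing each block once."""
    entry_state = defaultdict(lambda: ({}, {}))
    targets = defaultdict(set)
    for block in schedule(program, entry):
        regs, mem = run_block(program, block, *entry_state[block], targets)
        for succ in successors(program, block):      # both cjmp arms receive the state
            merge(entry_state[succ][0], regs)
            merge(entry_state[succ][1], mem)
    return {site: {ADDR2NAME.get(a, hex(a)) for a in addrs} for site, addrs in targets.items()}


def address_taken_baseline(program):
    """The coarse answer: every address-taken function may be a target."""
    return {ins[2] for blk in program.values() for ins in blk if ins[0] == "lea"}


def precision(inferred, truth):
    return len(inferred & truth) / len(inferred) if inferred else 0.0


if __name__ == "__main__":
    truth = {"handler_a", "handler_b"}   # constructed ground truth for the icall in dispatch
    sched = scheduled_execution(PROGRAM)[("dispatch", 1)]
    base = address_taken_baseline(PROGRAM)
    print("scheduled execution:", sorted(sched), "precision", precision(sched, truth))
    print("address-taken baseline:", sorted(base), "precision", precision(base, truth))
```

On this constructed program the scheduled run resolves the call in `dispatch` to `handler_a` and `handler_b`, while the address-taken baseline also lists `log` and the never-reached `handler_c`. The simplification to watch is the acyclic-CFG assumption in `schedule`: with loops, a single pass in reverse postorder does not see state flowing around a back edge, which is one of the situations where a real tool must decide how to combine executed flow with unexecuted states.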