where does it go refining indirect call targets with
play

Where Does It Go? Refining Indirect-Call Targets with Multi-Layer - PowerPoint PPT Presentation

Oct 09, 2022 •368 likes •934 views

Where Does It Go? Refining Indirect-Call Targets with Multi-Layer Type Analysis Kangjie Lu Hong Hu What is an indirect call? 2 Example, purpose, and commonness void foo(int a) { printf("a = %d\n", a); } typedef void

  1. Where Does It Go? Refining Indirect-Call Targets with Multi-Layer Type Analysis Kangjie Lu Hong Hu

  2. What is an indirect call? 2

  3. Example, purpose, and commonness void foo(int a) { printf("a = %d\n", a); } typedef void (*fptr_t)(int); // Take the address of foo() and // assign to function pointer fptr fptr_t fptr = &foo; ... // Indirect call to foo() fptr(10); 3

  4. Example, purpose, and commonness void foo(int a) { printf("a = %d\n", a); } typedef void (*fptr_t)(int); // Take the address of foo() and // assign to function pointer fptr fptr_t fptr = &foo; ... // Indirect call to foo() fptr(10); 4

  5. Example, purpose, and commonness ● Purpose void foo(int a) { printf("a = %d\n", a); ○ To support dynamic } behaviors typedef void (*fptr_t)(int); ● Common scenarios // Take the address of foo() and // assign to function pointer fptr ○ Interface functions fptr_t fptr = &foo; ○ Virtual functions ○ Callbacks ... ● Commonness // Indirect call to foo() Linux: 58K ○ fptr(10); ○ Firefox: 37K 5

  6. Example, purpose, and commonness ● Purpose void foo(int a) { printf("a = %d\n", a); ○ To support dynamic } behaviors typedef void (*fptr_t)(int); ● Common scenarios // Take the address of foo() and // assign to function pointer fptr ○ Interface functions fptr_t fptr = &foo; ○ Virtual functions ○ Callbacks ... Indirect calls are essential ● Commonness // Indirect call to foo() and common Linux: 58K ○ fptr(10); ○ Firefox: 37K 6

  7. Indirect call is however a major roadblock in security Couldn’t construct a precise call-graph ! 7

  8. Indirect call is however a major roadblock in security Couldn’t construct a precise call-graph ! ● All inter-procedural static analyses and bug detection require a global call-graph! Otherwise, path explosion and inaccuracy ○ ● Effectiveness of control-flow integrity (CFI) depends on it! 8

  9. Indirect call is however a major roadblock in security Couldn’t construct a precise call-graph ! ● All inter-procedural static analyses and bug detection require a global call-graph! ○ Otherwise, path explosion and inaccuracy ● Effectiveness of control-flow integrity (CFI) depends on it! Identifying indirect-call targets is foundational to security! 9

  10. How can we identify them? 10

  11. Two approaches: Point-to analysis vs. Type analysis ● Point-to Analysis ○ Whole-program analysis to find all possible targets ● Cons ○ Precise analysis can’t scale ○ Suffers from soundness or precision issues ○ Itself requires a call-graph 11

  12. Two approaches: Point-to analysis vs. Type analysis ● Point-to Analysis ● (First-Layer) Type Analysis ○ Whole-program analysis to ○ Matching types of functions find all possible targets and function pointers ( FLTA ) ● Cons ● Cons ○ Precise analysis can’t scale ○ Over-approximate ○ Suffers from soundness or ○ Worse precision in larger precision issues programs ○ Itself requires a call-graph 12

  13. Two approaches: Point-to analysis vs. Type analysis ● Point-to Analysis ● (First-Layer) Type Analysis ○ Whole-program analysis to ○ Matching types of functions find all possible targets and function pointers ( FLTA ) ● Cons ● Cons ○ Precise analysis can’t scale ○ Over-approximate Practical and used by CFI ○ Suffers from soundness or ○ Worse precision in larger techniques precision issues programs ○ Itself requires a call-graph 13

  14. Our intuition: Function addresses are often stored to structs layer by layer. Layered type matching is much stricter. 14

  15. Our intuition: Function addresses are often stored to structs layer by layer. MLTA: Multi-Layer Type Analysis Layered type matching is much stricter. 15

  16. Illustrate MLTA // Assign address of foo to a nested field 1. a->b->c->fptr = &foo; 2. d->b->c->fptr = &bar; ... // Complicated data flow 3. a->b->c->fptr(10); // Indirect call to foo() not bar() 16

  17. Illustrate MLTA // Assign address of foo to a nested field 1. a->b->c->fptr = &foo; 2. d->b->c->fptr = &bar; ... // Complicated data flow 3. a->b->c->fptr(10); // Indirect call to foo() not bar() &foo fptr c b a 17

  18. Illustrate MLTA // Assign address of foo to a nested field 1. a->b->c->fptr = &foo; 2. d->b->c->fptr = &bar; ... // Complicated data flow 3. a->b->c->fptr(10); // Indirect call to foo() not bar() &foo fptr c b Complicated data flow a 18

  19. Illustrate MLTA // Assign address of foo to a nested field 1. a->b->c->fptr = &foo; 2. d->b->c->fptr = &bar; ... // Complicated data flow 3. a->b->c->fptr(10); // Indirect call to foo() not bar() &foo fptr() fptr fptr c c b b Complicated data flow a a 19

  20. Illustrate MLTA // Assign address of foo to a nested field 1. a->b->c->fptr = &foo; 2. d->b->c->fptr = &bar; ... // Complicated data flow 3. a->b->c->fptr(10); // Indirect call to foo() not bar() Layered type &foo fptr() fptr_t fptr fptr struct C c c struct B b b Complicated data flow struct A a a 20

  21. Illustrate MLTA // Assign address of foo to a nested field 1. a->b->c->fptr = &foo; 2. d->b->c->fptr = &bar; ... // Complicated data flow 3. a->b->c->fptr(10); // Indirect call to foo() not bar() Layered type &foo fptr() Only functions fptr_t fptr fptr whose addresses are ever stored to struct C c c the layered type can be valid struct B b b targets Complicated data flow struct A a a 21

  22. Results comparison of approaches // Assign address of foo to a nested field 1. a->b->c->fptr = &foo; 2. d->b->c->fptr = &bar; ... // Complicated data flow 3. a->b->c->fptr(10); // Indirect call to foo() not bar() Approach MLTA FLTA 2-Layer Matched targets foo() foo(), bar() foo(), bar() 22

  23. Advantages of the MLTA approach ● Most function addresses are stored to structs 88% in the Linux kernel ○ ● Being elastic When a lower layer is unresolvable, fall back ○ Avoid false negatives ○ ● MLTA should be always better than FLTA ● No expensive or error-prone analysis 23

  24. “This is very intuitive; what are the challenges?” “Fine-grained control-flow integrity for kernel software” ( EuroSP’16 ) by Xinyang Ge, Nirupama Talele, Mathias Payer, Trent Jaeger. 24

  25. Research questions and challenges ● To what extent can MLTA refine the targets? ● Can MLTA guarantee soundness? ○ No false negatives ● Can MLTA also support C++? Virtual functions and tables ○ ● Can MLTA scale to large and complex programs? ● How can MLTA benefit static analysis and bug finding? 25

  26. Our technical contributions ● Multiple techniques to ensure effectiveness and soundness With an elastic design and formal analysis ○ ● Support C++ ● Extensive evaluation (OS kernels and a browser) ● 35 new kernel security bugs 26

  27. Realize MLTA: Overview of the TypeDive system Layered type analysis Targets Maintained resolving data structures Confinement LLVM Indirect- analysis Bitcode call Type-function map Iterative & files targets Propagation elastic resolving Type-propa. map analysis algorithm Escaped types Escaping analysis ● Phase I: Layered type analysis ○ Three analysis techniques and three data structures ● Phase II: Indirect-call targets resolving An iterative and elastic algorithm ○ 27

  28. Analyze type-function confinements ● Purpose ○ To identify which types have been assigned with which functions ○ We say type A confines foo() , if &foo is stored to an A object ● Inputs ○ Address-taking and -storing operations ○ Global object initializers ● Output ○ The type-function confinement map 28

  29. Analyze type-function confinements ● Purpose ○ To identify which types have been assigned with which functions ○ We say type A confines foo() , if &foo is stored to an A object ● Inputs ○ Address-taking and -storing operations ○ Global object initializers ● Output ○ The type-function confinement map 1. a->fptr = &foo; ... 2. fptr1 = &bar; 29

  30. Analyze type-function confinements ● Purpose ○ To identify which types have been assigned with which functions ○ We say type A confines foo() , if &foo is stored to an A object ● Inputs ○ Address-taking and -storing operations ○ Global object initializers ● Output ○ The type-function confinement map Type Function set 1. a->fptr = &foo; ... fptr_t foo(), bar() 2. fptr1 = &bar; struct A fptr_t foo() 30

  31. Analyze type propagations ● Purpose ○ To capture propagation of addresses from one type to another ● Inputs ○ Type casts and non-address-taking object stores ● Output ○ The type-propagation map 31

  32. Analyze type propagations ● Purpose ○ To capture propagation of addresses from one type to another ● Inputs ○ Type casts and non-address-taking object stores ● Output ○ The type-propagation map 1. a = (struct A*)b; ... 2. c->a = a; 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Profile-based Indirect Call Promotion 1 Outline Motivation Indirect call promotion

Profile-based Indirect Call Promotion 1 Outline Motivation Indirect call promotion

Ivan Baev, Qualcomm Innovation Center Profile-based Indirect Call Promotion 1 Outline Motivation Indirect call promotion transformation and heuristics Results Related optimizations 2 Motivation: reduce indirect branch mispredictions

779 views • 19 slides
UNASSOCIATED GAMMA-RAY SOURCES AS TARGETS FOR INDIRECT DM DETECTION WITH FERMI-LAT J.

UNASSOCIATED GAMMA-RAY SOURCES AS TARGETS FOR INDIRECT DM DETECTION WITH FERMI-LAT J.

UNASSOCIATED GAMMA-RAY SOURCES AS TARGETS FOR INDIRECT DM DETECTION WITH FERMI-LAT J. Coronado-Blzquez M. Snchez-Conde, A. Domnguez, M. di Mauro, E. Charles, N. Mirabal for the Fermi -LAT Collaboration Halo Substructure & Dark Matter

1.32k views • 52 slides
Indirect Cost Rates Audio is only available by conference call Please call: 844-291-5491

Indirect Cost Rates Audio is only available by conference call Please call: 844-291-5491

Indirect Cost Rates Audio is only available by conference call Please call: 844-291-5491 Participant Access Code:4842760 to join the conference call portion of the webinar May 12, 2020 1 OFFICE OF HOUSING COUNSELING Webinar Logistics

850 views • 48 slides
Flowserve First Quarter 2017 Earnings Conference Call May 2, 2017 SOLAR REFINING CHEMICAL

Flowserve First Quarter 2017 Earnings Conference Call May 2, 2017 SOLAR REFINING CHEMICAL

Flowserve First Quarter 2017 Earnings Conference Call May 2, 2017 SOLAR REFINING CHEMICAL NUCLEAR DESALINATION COAL-FIRED POWER Flowserve Q1 2017 Earnings Conference Call : Page 2 Special Note Safe Harbor Statement : This presentation

646 views • 21 slides
Achieving the SRF targets? Frank Rijsberman, Consortium CEO Intermedia iary ry 2022 targets ali

Achieving the SRF targets? Frank Rijsberman, Consortium CEO Intermedia iary ry 2022 targets ali

Achieving the SRF targets? Frank Rijsberman, Consortium CEO Intermedia iary ry 2022 targets ali lign with ith th this is se second call. ll. CRPs claim contribution to 2022 targets in pre -proposals ls. 100 million more farm

223 views • 6 slides
Science Based Targets initiative Call to Action Campaign May 20, 2015 An initiative by Science

Science Based Targets initiative Call to Action Campaign May 20, 2015 An initiative by Science

Science Based Targets initiative Call to Action Campaign May 20, 2015 An initiative by Science Based Targets I Call to Action The Science Based Targets initiative is calling on companies to demonstrate their leadership on climate action by

302 views • 7 slides
Oil & Gas Industry: Indirect tax By Santosh R. Sonar 12 January 2013 Oil and Gas - Indirect

Oil & Gas Industry: Indirect tax By Santosh R. Sonar 12 January 2013 Oil and Gas - Indirect

Oil & Gas Industry: Indirect tax By Santosh R. Sonar 12 January 2013 Oil and Gas - Indirect Tax 12 January 2013 1 Agenda Overview of indirect taxes Major indirect tax concerns for oil & gas sector Goods and Services

387 views • 35 slides
Workshop 23909 1 Scope of the indirect fee regime The indirect fee regime should be

Workshop 23909 1 Scope of the indirect fee regime The indirect fee regime should be

Workshop 23909 1 Scope of the indirect fee regime The indirect fee regime should be implemented in all Croatian ports that are open to public traffic The indirect fee regime shall apply to ship related waste 2 Exemptions

526 views • 19 slides
SLO Growth Targets How to determine & set growth targets Todays Learning Targets I CAN

SLO Growth Targets How to determine & set growth targets Todays Learning Targets I CAN

SLO Growth Targets How to determine & set growth targets Todays Learning Targets I CAN evaluate pre-assessment data & group my students by score ranges. I CAN set growth targets that are rigorous yet attainable. I CAN complete

927 views • 26 slides
Contents Lecture 1: Introducing UML for Mobility Lecture 2: Refining Mobility Designs

Contents Lecture 1: Introducing UML for Mobility Lecture 2: Refining Mobility Designs

Contents Lecture 1: Introducing UML for Mobility Lecture 2: Refining Mobility Designs Refining mobility activities Refining mobility in sequence diagrams A semantic approach to refinement: Mobile TLA Lecture 3: Property-driven

279 views • 14 slides
Refining NZ Analyst Briefing 23 August 2018 1 DISCLAIMER This presentation contains

Refining NZ Analyst Briefing 23 August 2018 1 DISCLAIMER This presentation contains

Refining NZ Analyst Briefing 23 August 2018 1 DISCLAIMER This presentation contains forward looking statements concerning the financial condition, results and operations of The New Zealand Refining Company Limited (hereafter referred to as

294 views • 18 slides
Oil & Gas / Petroleum Refining Sector Oil & Gas / Petroleum Refining Sector AB 32 Scoping

Oil & Gas / Petroleum Refining Sector Oil & Gas / Petroleum Refining Sector AB 32 Scoping

Oil & Gas / Petroleum Refining Sector Oil & Gas / Petroleum Refining Sector AB 32 Scoping Plan Development AB 32 Scoping Plan Development Public Workshop Public Workshop California Air Resources Board Sacramento, CA April 11, 2008 1

591 views • 29 slides
Global illumination Anastasia Bolotnikova Global illumination a.k.a. GI a.k.a. indirect

Global illumination Anastasia Bolotnikova Global illumination a.k.a. GI a.k.a. indirect

Global illumination Anastasia Bolotnikova Global illumination a.k.a. GI a.k.a. indirect illumination What? - bunch of algorithms, a process of simulating indirect light Why? - add more realistic lighting to 3D scenes (direct+indirect) Some issues:

298 views • 19 slides
Strategic Review 15 April 2020 REFINING NZ DISCLAIMER STRATEGIC REVIEW PRESENTATION This

Strategic Review 15 April 2020 REFINING NZ DISCLAIMER STRATEGIC REVIEW PRESENTATION This

REFINING NZ STRATEGIC REVIEW PRESENTATION Strategic Review 15 April 2020 REFINING NZ DISCLAIMER STRATEGIC REVIEW PRESENTATION This presentation does not constitute an offer or invitation by The New Zealand Refining Company Limited

459 views • 9 slides
Refining Waste into Resource Refining Waste into Resource An Environmentally Responsible Solution

Refining Waste into Resource Refining Waste into Resource An Environmentally Responsible Solution

Refining Waste into Resource Refining Waste into Resource An Environmentally Responsible Solution An Environmentally Responsible Solution 1 GPS A Zero Waste Organization GREEN POWER SOLUTIONS, INC. PO BOX 411 BOTSFORD CT 06404 2 GPS

140 views • 13 slides
Preliminary Analysis of the Economic Impacts of the PES Refining Complex Refinery Advisory

Preliminary Analysis of the Economic Impacts of the PES Refining Complex Refinery Advisory

Preliminary Analysis of the Economic Impacts of the PES Refining Complex Refinery Advisory Groups Business Committee September 9 th , 2019 The PES Refining Complex Oldest, largest refinery on the East Coast 1,400-acre facility

162 views • 12 slides
Delek US Holdings, Inc. First Quarter 2020 Earnings Call May 6, 2020 Disclaimers Forward

Delek US Holdings, Inc. First Quarter 2020 Earnings Call May 6, 2020 Disclaimers Forward

Delek US Holdings, Inc. First Quarter 2020 Earnings Call May 6, 2020 Disclaimers Forward Looking Statements: Delek US Holdings, Inc. (Delek US) and Delek Logistics Partners, LP (Delek Logistics; and collectively with Delek US,

448 views • 12 slides
Poster Presenter Prep Call September 25, 2019 www.energystorage.org About Storage Exchange

Poster Presenter Prep Call September 25, 2019 www.energystorage.org About Storage Exchange

Poster Presenter Prep Call September 25, 2019 www.energystorage.org About Storage Exchange Performance, Deployment & Modeling & Reliability, & Tech Field Experience Analysis Advancement Each session will have three parts:

89 views • 7 slides
Fourth Quarter Fourth Quarter Fiscal Year 2011 Fiscal Year 2011 Fiscal Year 2011 Fiscal Year

Fourth Quarter Fourth Quarter Fiscal Year 2011 Fiscal Year 2011 Fiscal Year 2011 Fiscal Year

Fourth Quarter Fourth Quarter Fiscal Year 2011 Fiscal Year 2011 Fiscal Year 2011 Fiscal Year 2011 Financial Results Financial Results June 9, 2011 1 Forward Looking Statements Certain statements included in this management presentation

622 views • 17 slides
Asia Pacific Journal of Marketing and Logistics A proposed method for the development of marketing

Asia Pacific Journal of Marketing and Logistics A proposed method for the development of marketing

Asia Pacific Journal of Marketing and Logistics A proposed method for the development of marketing mix of the tea drink market Couchen Wu, Shwu Ing Wu, Article information: To cite this document: Couchen Wu, Shwu Ing Wu, (1998) "A

854 views • 21 slides
The low-call diet: Authenticated Encryption for call counting HSM users Gaven J. Watson

The low-call diet: Authenticated Encryption for call counting HSM users Gaven J. Watson

The low-call diet: Authenticated Encryption for call counting HSM users Gaven J. Watson University of Bristol Joint work with: Mike Bond (Cryptomathic), George French (Barclays Bank Plc) and Nigel P. Smart (UoB) Real World Cryptography

1.23k views • 104 slides
AmeriCorps VISTA Sponsor Call June 17, 2020 Tech Check The Chat will be monitored Access the

AmeriCorps VISTA Sponsor Call June 17, 2020 Tech Check The Chat will be monitored Access the

AmeriCorps VISTA Sponsor Call June 17, 2020 Tech Check The Chat will be monitored Access the throughout The recording audio through our meeting; and slides will be the computer or please test it posted on the on the phone: now with a

316 views • 19 slides
How NLP is Helping a European Financial Institution Enhance Customer Experience Tal Doron

How NLP is Helping a European Financial Institution Enhance Customer Experience Tal Doron

How NLP is Helping a European Financial Institution Enhance Customer Experience Tal Doron Director, Technology Innovation Agenda Introduction 1 Challenges 2 Use Case 3 Project Milestones 4 Whats Next 5 2 ABOUT ME @taldor oron

619 views • 47 slides
WIC Developmental Monitoring Project: Networking Call A S S O C I A T I O N O F S T A T E P U

WIC Developmental Monitoring Project: Networking Call A S S O C I A T I O N O F S T A T E P U

WIC Developmental Monitoring Project: Networking Call A S S O C I A T I O N O F S T A T E P U B L I C H E A L T H N U T R I T I O N I S T S Updates Update from Funded States AR, MA, NV Project Updates/Timeline Virtual Options

88 views • 6 slides

More recommend