TYPESQUEEZER: When Static Recovery of Function Signatures for Binary Executables Meets Dynamic Analysis

PROCEEDINGS OF THE 2023 ACM SIGSAC CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY, CCS 2023(2023)

Abstract
Control-Flow Integrity (CFI) is considered a promising solution for thwarting advanced code-reuse attacks. While the problem of backward-edge protection in CFI is nearly closed, effective forward-edge protection is still a major challenge. The keystone of protecting the forward edge is resolving indirect call targets, which, although it can be done quite accurately with type-based solutions when the program source code is available, faces difficulties when carried out at the binary level. Since the actual type information is unavailable in COTS binaries, type-based indirect call target matching typically resorts to approximate function signatures inferred from the arity and argument width of indirect callsites and calltargets. Because this is done with static analysis, existing solutions are forced to assume arity/width boundaries that are too permissive to defeat sophisticated attacks. In this paper, we propose a novel hybrid approach to recover fine-grained function signatures at the binary level, called TYPESQUEEZER. By observing program behaviors dynamically, TYPESQUEEZER combines the static analysis results on indirect callsites and calltargets, so that both the lower and the upper bounds of their arity/width can be computed according to a philosophy similar to the squeeze theorem. Moreover, the introduction of dynamic analysis also enables TYPESQUEEZER to approximate the actual type of function arguments instead of only representing them by their widths. Together, these allow TYPESQUEEZER to significantly refine the capability of indirect call target resolving and to generate approximate CFGs with better accuracy. We have evaluated TYPESQUEEZER on the SPEC CPU2006 benchmarks as well as several real-world applications. The experimental results suggest that TYPESQUEEZER achieves higher type-matching precision than existing binary-level type-based solutions. Moreover, we also discuss the intrinsic limitations of static analysis and show that it is not enough to defeat certain types of practical attacks, while the same attacks can be successfully thwarted with the hybrid analysis result of our approach.
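To make the squeeze idea from the abstract concrete, here is a toy model added for this page; it is not TYPESQUEEZER's own code, and the two refinement rules in `observe_call` are this example's assumptions about how observed edges tighten the static bounds (only arity is modelled, not argument width or type). The scenario data are constructed.

```python
# Toy model of squeeze-style arity refinement for binary-level type-based CFI.
# Assumptions (not from the paper): static analysis yields only an upper bound
# for callsites and only a lower bound for targets; a dynamically observed
# edge is treated as legitimate and used to tighten the opposite bound.
from dataclasses import dataclass

MAX_ARGS = 6  # x86-64 SysV passes up to six integer/pointer args in registers

@dataclass
class Site:
    """An indirect callsite: static liveness gives an upper bound on the
    argument registers it prepares; the lower bound starts at 0."""
    name: str
    lo: int = 0
    hi: int = MAX_ARGS

@dataclass
class Target:
    """A potential call target: static analysis gives a lower bound on the
    registers it consumes; the upper bound starts at the ABI maximum."""
    name: str
    lo: int = 0
    hi: int = MAX_ARGS

def observe_call(site: Site, target: Target) -> None:
    """Squeeze step: an observed site->target edge means the site must pass at
    least what the target consumes, and the target cannot consume more than
    the site prepares (assumed rules modelled on the abstract)."""
    site.lo = max(site.lo, target.lo)
    target.hi = min(target.hi, site.hi)

def compatible(site: Site, target: Target) -> bool:
    """Policy: allow an edge only if the two arity intervals can agree."""
    return target.lo <= site.hi and site.lo <= target.hi

def allowed_targets(site: Site, targets: list) -> list:
    return sorted(t.name for t in targets if compatible(site, t))

def demo():
    # Constructed scenario. Static analysis alone: C prepares at most 3 args;
    # f1 consumes at least 1, f2 at least 3, f3 at least 0 (e.g. void f3(void)).
    c = Site("C", hi=3)
    d = Site("D", hi=1)  # another indirect callsite preparing at most 1 arg
    f1, f2, f3 = Target("f1", lo=1), Target("f2", lo=3), Target("f3", lo=0)
    before = allowed_targets(c, [f1, f2, f3])  # static only: all three allowed
    # Dynamic runs observe C calling f2 and D calling f1; f3 is seen only via
    # a direct call that passes no arguments (modelled as a zero-arg site).
    observe_call(c, f2)
    observe_call(d, f1)
    observe_call(Site("direct", hi=0), f3)
    after = allowed_targets(c, [f1, f2, f3])  # squeezed: only f2 remains
    return before, after
```

With static bounds alone every target is accepted at C; after the observed edges are folded in, only the target whose interval still overlaps C's survives.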
Keywords
Control-flow integrity, Type inference, Binary executables