2019 CCS Multi-Layer Type Analysis

Reference 1

GeorgiaTech SS Lab: https://gts3.org/pages/projects.html

System software commonly uses indirect calls to realize dynamic program behaviors. However, indirect calls also make it hard to construct a precise control-flow graph, which is a standard prerequisite for many static program-analysis and system-hardening techniques. Unfortunately, identifying indirect-call targets is a hard problem. In particular, modern compilers do not identify indirect-call targets by default. Existing approaches identify indirect-call targets with type analysis that matches the types of function pointers against those of address-taken functions. Such approaches, however, suffer from a high false-positive rate, as many irrelevant functions may share the same types.

MLTA: Multi-Layer Type Analysis.

  • Function pointers are commonly stored in objects whose types form a multi-layer type hierarchy. ==> By matching the multi-layer types of function pointers and functions, MLTA can dramatically refine indirect-call targets.
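
The refinement described above, as an added example that is not code from the paper or from TypeDive. All struct, function and table names are hypothetical, and the `TAKEN` table is a constructed, simplified model of the facts a type-based analysis collects: signature-only matching is compared with matching on signature plus the enclosing struct field.

```c
#include <stdio.h>
#include <string.h>

/* Two unrelated structs whose fields share one function-pointer type. */
struct disk_ops { int (*write)(const char *); };
struct net_ops  { int (*send)(const char *); };

static int disk_write(const char *s) { return (int)strlen(s); }
static int net_send(const char *s)   { return (int)strlen(s) + 1; }
static int log_line(const char *s)   { return s[0] != '\0'; }

struct disk_ops dops = { .write = disk_write };
struct net_ops  nops = { .send  = net_send };
int (*plain_fp)(const char *) = log_line;   /* address taken, no struct layer */

/* The indirect call whose targets the analysis has to resolve. */
int call_disk(const char *s) { return dops.write(s); }

/* Constructed model of the facts a type-based analysis collects for each
   address-taken function: its signature and the struct field it is stored in. */
struct taken { const char *name, *sig, *layer; };
static const struct taken TAKEN[] = {
    { "disk_write", "int(const char*)", "disk_ops.write" },
    { "net_send",   "int(const char*)", "net_ops.send"   },
    { "log_line",   "int(const char*)", NULL             },
};
#define NTAKEN (sizeof TAKEN / sizeof TAKEN[0])

/* First-layer matching: any function with the same signature is a target. */
int first_layer_targets(const char *sig) {
    int n = 0;
    for (size_t i = 0; i < NTAKEN; i++)
        n += strcmp(TAKEN[i].sig, sig) == 0;
    return n;
}

/* Multi-layer matching: the signature and the enclosing struct field must match. */
int multi_layer_targets(const char *sig, const char *layer) {
    int n = 0;
    for (size_t i = 0; i < NTAKEN; i++)
        n += strcmp(TAKEN[i].sig, sig) == 0 && TAKEN[i].layer != NULL
             && strcmp(TAKEN[i].layer, layer) == 0;
    return n;
}

int main(void) {
    printf("first-layer: %d, multi-layer: %d\n",
           first_layer_targets("int(const char*)"),
           multi_layer_targets("int(const char*)", "disk_ops.write"));
    return 0;
}
```

For the call in `call_disk`, signature-only matching reports all three address-taken functions as possible targets, while adding the `disk_ops.write` layer leaves only `disk_write`.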

MLTA implementation: TYPEDIVE, based on LLVM.

Evaluation

  • LLVM 8.0
  • FreeBSD 12.0, Linux 5.1.0, Firefox. -O0 -g -fno-inlining

![reduction of icall targets]()

Collecting Traces

  • Intel PT
  • QEMU

  1. Where Does It Go? Refining Indirect-Call Targets with Multi-Layer Type Analysis. Kangjie Lu, Hong Hu. CCS 2019.
Created Nov 13, 2019 // Last Updated Nov 17, 2019
