where does it go refining indirect call targets with
play

Where Does It Go? Refining Indirect-Call Targets with Multi-Layer - PowerPoint PPT Presentation

Oct 09, 2022 •368 likes •934 views

Where Does It Go? Refining Indirect-Call Targets with Multi-Layer Type Analysis Kangjie Lu Hong Hu What is an indirect call? 2 Example, purpose, and commonness void foo(int a) { printf("a = %d\n", a); } typedef void

  1. Where Does It Go? Refining Indirect-Call Targets with Multi-Layer Type Analysis Kangjie Lu Hong Hu

  2. What is an indirect call? 2

  3. Example, purpose, and commonness void foo(int a) { printf("a = %d\n", a); } typedef void (*fptr_t)(int); // Take the address of foo() and // assign to function pointer fptr fptr_t fptr = &foo; ... // Indirect call to foo() fptr(10); 3

  4. Example, purpose, and commonness void foo(int a) { printf("a = %d\n", a); } typedef void (*fptr_t)(int); // Take the address of foo() and // assign to function pointer fptr fptr_t fptr = &foo; ... // Indirect call to foo() fptr(10); 4

  5. Example, purpose, and commonness ● Purpose void foo(int a) { printf("a = %d\n", a); ○ To support dynamic } behaviors typedef void (*fptr_t)(int); ● Common scenarios // Take the address of foo() and // assign to function pointer fptr ○ Interface functions fptr_t fptr = &foo; ○ Virtual functions ○ Callbacks ... ● Commonness // Indirect call to foo() Linux: 58K ○ fptr(10); ○ Firefox: 37K 5

  6. Example, purpose, and commonness ● Purpose void foo(int a) { printf("a = %d\n", a); ○ To support dynamic } behaviors typedef void (*fptr_t)(int); ● Common scenarios // Take the address of foo() and // assign to function pointer fptr ○ Interface functions fptr_t fptr = &foo; ○ Virtual functions ○ Callbacks ... Indirect calls are essential ● Commonness // Indirect call to foo() and common Linux: 58K ○ fptr(10); ○ Firefox: 37K 6

  7. Indirect call is however a major roadblock in security Couldn’t construct a precise call-graph ! 7

  8. Indirect call is however a major roadblock in security Couldn’t construct a precise call-graph ! ● All inter-procedural static analyses and bug detection require a global call-graph! Otherwise, path explosion and inaccuracy ○ ● Effectiveness of control-flow integrity (CFI) depends on it! 8

  9. Indirect call is however a major roadblock in security Couldn’t construct a precise call-graph ! ● All inter-procedural static analyses and bug detection require a global call-graph! ○ Otherwise, path explosion and inaccuracy ● Effectiveness of control-flow integrity (CFI) depends on it! Identifying indirect-call targets is foundational to security! 9

  10. How can we identify them? 10

  11. Two approaches: Point-to analysis vs. Type analysis ● Point-to Analysis ○ Whole-program analysis to find all possible targets ● Cons ○ Precise analysis can’t scale ○ Suffers from soundness or precision issues ○ Itself requires a call-graph 11

  12. Two approaches: Point-to analysis vs. Type analysis ● Point-to Analysis ● (First-Layer) Type Analysis ○ Whole-program analysis to ○ Matching types of functions find all possible targets and function pointers ( FLTA ) ● Cons ● Cons ○ Precise analysis can’t scale ○ Over-approximate ○ Suffers from soundness or ○ Worse precision in larger precision issues programs ○ Itself requires a call-graph 12

  13. Two approaches: Point-to analysis vs. Type analysis ● Point-to Analysis ● (First-Layer) Type Analysis ○ Whole-program analysis to ○ Matching types of functions find all possible targets and function pointers ( FLTA ) ● Cons ● Cons ○ Precise analysis can’t scale ○ Over-approximate Practical and used by CFI ○ Suffers from soundness or ○ Worse precision in larger techniques precision issues programs ○ Itself requires a call-graph 13

  14. Our intuition: Function addresses are often stored to structs layer by layer. Layered type matching is much stricter. 14

  15. Our intuition: Function addresses are often stored to structs layer by layer. MLTA: Multi-Layer Type Analysis Layered type matching is much stricter. 15

  16. Illustrate MLTA // Assign address of foo to a nested field 1. a->b->c->fptr = &foo; 2. d->b->c->fptr = &bar; ... // Complicated data flow 3. a->b->c->fptr(10); // Indirect call to foo() not bar() 16

  17. Illustrate MLTA // Assign address of foo to a nested field 1. a->b->c->fptr = &foo; 2. d->b->c->fptr = &bar; ... // Complicated data flow 3. a->b->c->fptr(10); // Indirect call to foo() not bar() &foo fptr c b a 17

  18. Illustrate MLTA // Assign address of foo to a nested field 1. a->b->c->fptr = &foo; 2. d->b->c->fptr = &bar; ... // Complicated data flow 3. a->b->c->fptr(10); // Indirect call to foo() not bar() &foo fptr c b Complicated data flow a 18

  19. Illustrate MLTA // Assign address of foo to a nested field 1. a->b->c->fptr = &foo; 2. d->b->c->fptr = &bar; ... // Complicated data flow 3. a->b->c->fptr(10); // Indirect call to foo() not bar() &foo fptr() fptr fptr c c b b Complicated data flow a a 19

  20. Illustrate MLTA // Assign address of foo to a nested field 1. a->b->c->fptr = &foo; 2. d->b->c->fptr = &bar; ... // Complicated data flow 3. a->b->c->fptr(10); // Indirect call to foo() not bar() Layered type &foo fptr() fptr_t fptr fptr struct C c c struct B b b Complicated data flow struct A a a 20

  21. Illustrate MLTA // Assign address of foo to a nested field 1. a->b->c->fptr = &foo; 2. d->b->c->fptr = &bar; ... // Complicated data flow 3. a->b->c->fptr(10); // Indirect call to foo() not bar() Layered type &foo fptr() Only functions fptr_t fptr fptr whose addresses are ever stored to struct C c c the layered type can be valid struct B b b targets Complicated data flow struct A a a 21

  22. Results comparison of approaches // Assign address of foo to a nested field 1. a->b->c->fptr = &foo; 2. d->b->c->fptr = &bar; ... // Complicated data flow 3. a->b->c->fptr(10); // Indirect call to foo() not bar() Approach MLTA FLTA 2-Layer Matched targets foo() foo(), bar() foo(), bar() 22

  23. Advantages of the MLTA approach ● Most function addresses are stored to structs 88% in the Linux kernel ○ ● Being elastic When a lower layer is unresolvable, fall back ○ Avoid false negatives ○ ● MLTA should be always better than FLTA ● No expensive or error-prone analysis 23

  24. “This is very intuitive; what are the challenges?” “Fine-grained control-flow integrity for kernel software” ( EuroSP’16 ) by Xinyang Ge, Nirupama Talele, Mathias Payer, Trent Jaeger. 24

  25. Research questions and challenges ● To what extent can MLTA refine the targets? ● Can MLTA guarantee soundness? ○ No false negatives ● Can MLTA also support C++? Virtual functions and tables ○ ● Can MLTA scale to large and complex programs? ● How can MLTA benefit static analysis and bug finding? 25

  26. Our technical contributions ● Multiple techniques to ensure effectiveness and soundness With an elastic design and formal analysis ○ ● Support C++ ● Extensive evaluation (OS kernels and a browser) ● 35 new kernel security bugs 26

  27. Realize MLTA: Overview of the TypeDive system Layered type analysis Targets Maintained resolving data structures Confinement LLVM Indirect- analysis Bitcode call Type-function map Iterative & files targets Propagation elastic resolving Type-propa. map analysis algorithm Escaped types Escaping analysis ● Phase I: Layered type analysis ○ Three analysis techniques and three data structures ● Phase II: Indirect-call targets resolving An iterative and elastic algorithm ○ 27

  28. Analyze type-function confinements ● Purpose ○ To identify which types have been assigned with which functions ○ We say type A confines foo() , if &foo is stored to an A object ● Inputs ○ Address-taking and -storing operations ○ Global object initializers ● Output ○ The type-function confinement map 28

  29. Analyze type-function confinements ● Purpose ○ To identify which types have been assigned with which functions ○ We say type A confines foo() , if &foo is stored to an A object ● Inputs ○ Address-taking and -storing operations ○ Global object initializers ● Output ○ The type-function confinement map 1. a->fptr = &foo; ... 2. fptr1 = &bar; 29

  30. Analyze type-function confinements ● Purpose ○ To identify which types have been assigned with which functions ○ We say type A confines foo() , if &foo is stored to an A object ● Inputs ○ Address-taking and -storing operations ○ Global object initializers ● Output ○ The type-function confinement map Type Function set 1. a->fptr = &foo; ... fptr_t foo(), bar() 2. fptr1 = &bar; struct A fptr_t foo() 30

  31. Analyze type propagations ● Purpose ○ To capture propagation of addresses from one type to another ● Inputs ○ Type casts and non-address-taking object stores ● Output ○ The type-propagation map 31

  32. Analyze type propagations ● Purpose ○ To capture propagation of addresses from one type to another ● Inputs ○ Type casts and non-address-taking object stores ● Output ○ The type-propagation map 1. a = (struct A*)b; ... 2. c->a = a; 32

Recommend

Profile-based Indirect Call Promotion 1 Outline Motivation Indirect call promotion

Profile-based Indirect Call Promotion 1 Outline Motivation Indirect call promotion

Ivan Baev, Qualcomm Innovation Center Profile-based Indirect Call Promotion 1 Outline Motivation Indirect call promotion transformation and heuristics Results Related optimizations 2 Motivation: reduce indirect branch mispredictions

779 views • 19 slides
UNASSOCIATED GAMMA-RAY SOURCES AS TARGETS FOR INDIRECT DM DETECTION WITH FERMI-LAT J.

UNASSOCIATED GAMMA-RAY SOURCES AS TARGETS FOR INDIRECT DM DETECTION WITH FERMI-LAT J.

UNASSOCIATED GAMMA-RAY SOURCES AS TARGETS FOR INDIRECT DM DETECTION WITH FERMI-LAT J. Coronado-Blzquez M. Snchez-Conde, A. Domnguez, M. di Mauro, E. Charles, N. Mirabal for the Fermi -LAT Collaboration Halo Substructure & Dark Matter

1.32k views • 52 slides
Indirect Cost Rates Audio is only available by conference call Please call: 844-291-5491

Indirect Cost Rates Audio is only available by conference call Please call: 844-291-5491

Indirect Cost Rates Audio is only available by conference call Please call: 844-291-5491 Participant Access Code:4842760 to join the conference call portion of the webinar May 12, 2020 1 OFFICE OF HOUSING COUNSELING Webinar Logistics

850 views • 48 slides
Flowserve First Quarter 2017 Earnings Conference Call May 2, 2017 SOLAR REFINING CHEMICAL

Flowserve First Quarter 2017 Earnings Conference Call May 2, 2017 SOLAR REFINING CHEMICAL

Flowserve First Quarter 2017 Earnings Conference Call May 2, 2017 SOLAR REFINING CHEMICAL NUCLEAR DESALINATION COAL-FIRED POWER Flowserve Q1 2017 Earnings Conference Call : Page 2 Special Note Safe Harbor Statement : This presentation

646 views • 21 slides
Achieving the SRF targets? Frank Rijsberman, Consortium CEO Intermedia iary ry 2022 targets ali

Achieving the SRF targets? Frank Rijsberman, Consortium CEO Intermedia iary ry 2022 targets ali

Achieving the SRF targets? Frank Rijsberman, Consortium CEO Intermedia iary ry 2022 targets ali lign with ith th this is se second call. ll. CRPs claim contribution to 2022 targets in pre -proposals ls. 100 million more farm

223 views • 6 slides
Science Based Targets initiative Call to Action Campaign May 20, 2015 An initiative by Science

Science Based Targets initiative Call to Action Campaign May 20, 2015 An initiative by Science

Science Based Targets initiative Call to Action Campaign May 20, 2015 An initiative by Science Based Targets I Call to Action The Science Based Targets initiative is calling on companies to demonstrate their leadership on climate action by

302 views • 7 slides
Oil & Gas Industry: Indirect tax By Santosh R. Sonar 12 January 2013 Oil and Gas - Indirect

Oil & Gas Industry: Indirect tax By Santosh R. Sonar 12 January 2013 Oil and Gas - Indirect

Oil & Gas Industry: Indirect tax By Santosh R. Sonar 12 January 2013 Oil and Gas - Indirect Tax 12 January 2013 1 Agenda Overview of indirect taxes Major indirect tax concerns for oil & gas sector Goods and Services

387 views • 35 slides
Workshop 23909 1 Scope of the indirect fee regime The indirect fee regime should be

Workshop 23909 1 Scope of the indirect fee regime The indirect fee regime should be

Workshop 23909 1 Scope of the indirect fee regime The indirect fee regime should be implemented in all Croatian ports that are open to public traffic The indirect fee regime shall apply to ship related waste 2 Exemptions

526 views • 19 slides
SLO Growth Targets How to determine & set growth targets Todays Learning Targets I CAN

SLO Growth Targets How to determine & set growth targets Todays Learning Targets I CAN

SLO Growth Targets How to determine & set growth targets Todays Learning Targets I CAN evaluate pre-assessment data & group my students by score ranges. I CAN set growth targets that are rigorous yet attainable. I CAN complete

927 views • 26 slides
Contents Lecture 1: Introducing UML for Mobility Lecture 2: Refining Mobility Designs

Contents Lecture 1: Introducing UML for Mobility Lecture 2: Refining Mobility Designs

Contents Lecture 1: Introducing UML for Mobility Lecture 2: Refining Mobility Designs Refining mobility activities Refining mobility in sequence diagrams A semantic approach to refinement: Mobile TLA Lecture 3: Property-driven

279 views • 14 slides
Refining NZ Analyst Briefing 23 August 2018 1 DISCLAIMER This presentation contains

Refining NZ Analyst Briefing 23 August 2018 1 DISCLAIMER This presentation contains

Refining NZ Analyst Briefing 23 August 2018 1 DISCLAIMER This presentation contains forward looking statements concerning the financial condition, results and operations of The New Zealand Refining Company Limited (hereafter referred to as

294 views • 18 slides
Oil & Gas / Petroleum Refining Sector Oil & Gas / Petroleum Refining Sector AB 32 Scoping

Oil & Gas / Petroleum Refining Sector Oil & Gas / Petroleum Refining Sector AB 32 Scoping

Oil & Gas / Petroleum Refining Sector Oil & Gas / Petroleum Refining Sector AB 32 Scoping Plan Development AB 32 Scoping Plan Development Public Workshop Public Workshop California Air Resources Board Sacramento, CA April 11, 2008 1

591 views • 29 slides
Global illumination Anastasia Bolotnikova Global illumination a.k.a. GI a.k.a. indirect

Global illumination Anastasia Bolotnikova Global illumination a.k.a. GI a.k.a. indirect

Global illumination Anastasia Bolotnikova Global illumination a.k.a. GI a.k.a. indirect illumination What? - bunch of algorithms, a process of simulating indirect light Why? - add more realistic lighting to 3D scenes (direct+indirect) Some issues:

298 views • 19 slides
Strategic Review 15 April 2020 REFINING NZ DISCLAIMER STRATEGIC REVIEW PRESENTATION This

Strategic Review 15 April 2020 REFINING NZ DISCLAIMER STRATEGIC REVIEW PRESENTATION This

REFINING NZ STRATEGIC REVIEW PRESENTATION Strategic Review 15 April 2020 REFINING NZ DISCLAIMER STRATEGIC REVIEW PRESENTATION This presentation does not constitute an offer or invitation by The New Zealand Refining Company Limited

459 views • 9 slides
Refining Waste into Resource Refining Waste into Resource An Environmentally Responsible Solution

Refining Waste into Resource Refining Waste into Resource An Environmentally Responsible Solution

Refining Waste into Resource Refining Waste into Resource An Environmentally Responsible Solution An Environmentally Responsible Solution 1 GPS A Zero Waste Organization GREEN POWER SOLUTIONS, INC. PO BOX 411 BOTSFORD CT 06404 2 GPS

140 views • 13 slides
Preliminary Analysis of the Economic Impacts of the PES Refining Complex Refinery Advisory

Preliminary Analysis of the Economic Impacts of the PES Refining Complex Refinery Advisory

Preliminary Analysis of the Economic Impacts of the PES Refining Complex Refinery Advisory Groups Business Committee September 9 th , 2019 The PES Refining Complex Oldest, largest refinery on the East Coast 1,400-acre facility

162 views • 12 slides
An Analysis of Call-site Patching Without Strong Hardware Support for Self-Modifying-Code Tim

An Analysis of Call-site Patching Without Strong Hardware Support for Self-Modifying-Code Tim

An Analysis of Call-site Patching Without Strong Hardware Support for Self-Modifying-Code Tim Hartley, Foivos Zakkak, first.last@manchester.ac.uk Christos Kotselidis, Mikel Lujan MPLR19 2019-10-22 Call-Sites Direct branching Indirect

266 views • 15 slides
Optimizing Indirect Memory References with milk Vladimir Kiriansky, Yunming Zhang, Saman

Optimizing Indirect Memory References with milk Vladimir Kiriansky, Yunming Zhang, Saman

Optimizing Indirect Memory References with milk Vladimir Kiriansky, Yunming Zhang, Saman Amarasinghe MIT PACT 16 September 13, 2016, Haifa, Israel 1 Indirect Accesses 2 Indirect Accesses with OpenMP 3 Indirect Accesses

918 views • 55 slides
There must be a be,er way: designing and refining post-14

There must be a be,er way: designing and refining post-14

There must be a be,er way: designing and refining post-14 provision Geoff Stanton UCU conference May 8 th 2010 What is the problem? An ongoing

196 views • 15 slides
Petrobras Repositioning in Refining Preliminary model Landulpho Alves Refinery Mataripe, BA

Petrobras Repositioning in Refining Preliminary model Landulpho Alves Refinery Mataripe, BA

Petrobras Repositioning in Refining Preliminary model Landulpho Alves Refinery Mataripe, BA Initial considerations In order to support its final proposal regarding partnerships in the refining segment, Petrobras held a seminar with the

517 views • 24 slides
Implications for Europe Fourth Meeting of the EU Refining Forum December 11, 2014, Brussels

Implications for Europe Fourth Meeting of the EU Refining Forum December 11, 2014, Brussels

Strategic Russian Oil Policy EU Refining and International Competition: A Final Golden Run? Implications for Europe Fourth Meeting of the EU Refining Forum December 11, 2014, Brussels Sammy Six Clingendael International Energy Programme, The

496 views • 10 slides
Refining Australia / New Zealand Tim Hart Chief Executive Officer AGENDA Australia /

Refining Australia / New Zealand Tim Hart Chief Executive Officer AGENDA Australia /

Refining Australia / New Zealand Tim Hart Chief Executive Officer AGENDA Australia / New Zealand Market Overview Refining a unique business Strong core business performance Investment in our Future People / Safety

696 views • 13 slides
Two-Level Mediation m aj bj x y c j Indirect effect: * + Cov ( a j , b j ) Bauer,

Two-Level Mediation m aj bj x y c j Indirect effect: * + Cov ( a j , b j ) Bauer,

Two-Level Mediation m aj bj x y c j Indirect effect: * + Cov ( a j , b j ) Bauer, Preacher & Gil (2006). Conceptualizing and testing random indirect effects and moderated mediation in multilevel models: New procedures and

352 views • 3 slides
Indirect Cost Recovery Using Federal Funds to Recover Indirect Costs Federal Funding

Indirect Cost Recovery Using Federal Funds to Recover Indirect Costs Federal Funding

Indirect Cost Recovery Using Federal Funds to Recover Indirect Costs Federal Funding Conference March 2020 The Cost of Doing Business Direct Costs Federal grants fund specific and limited activities related to meeting the

727 views • 38 slides

More recommend