Improving Indirect-Call Analysis in LLVM with Type and Data-Flow Co-Analysis

Authors: 

Dinghao Liu and Shouling Ji, Zhejiang University; Kangjie Lu, University of Minnesota; Qinming He, Zhejiang University

Abstract: 

Indirect function calls are widely used in building system software like OS kernels for their high flexibility and performance. Statically resolving indirect-call targets has been known to be a hard problem, which is a fundamental requirement for various program analysis and protection tasks. The state-of-the-art techniques, which use type analysis, are still imprecise. In this paper, we present a new approach, TFA, that precisely identifies indirect-call targets. The intuition behind TFA is that type-based analysis and data-flow analysis are inherently complementary in resolving indirect-call targets. TFA incorporates a co-analysis system that makes the best use of both type information and data-flow information. The co-analysis keeps refining the global call graph iteratively, allowing us to achieve an optimal indirect call analysis. We have implemented TFA in LLVM and evaluated it against five famous large-scale programs. The experimental results show that TFA eliminates additional 24% to 59% of indirect-call targets compared with the state-of-the-art approaches, without introducing new false negatives. With the precise indirect-call analysis, we further develop a strengthened fine-grained forward-edge control-flow integrity scheme and apply it to the Linux kernel. We have also used the refined indirect-call analysis results in bug detection, where we have found 8 deep bugs in the Linux kernel. As a generic technique, the precise indirect-call analysis of TFA can also benefit other applications such as compiler optimization and software debloating.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {299707,
author = {Dinghao Liu and Shouling Ji and Kangjie Lu and Qinming He},
title = {Improving {Indirect-Call} Analysis in {LLVM} with Type and {Data-Flow} {Co-Analysis}},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {5895--5912},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/liu-dinghao-improving},
publisher = {USENIX Association},
month = aug
}