Lightweight Function Pointer Analysis

Detecting and classifying the huge number of malware samples received every day is a major challenge in the security field. In recent years, using function call graphs to detect and classify malicious software has become a feasible method. As the basic technology behind call graph construction, function pointer analysis has drawn growing attention. Previous works often use the results of pointer analysis to determine the possible targets of function pointer calls. However, the inherent complexity and efficiency problems of pointer analysis often lead to unsatisfactory results when it is applied to practical programs. This paper presents a strongly connected component (SCC) level, flow-sensitive and context-sensitive function pointer analysis algorithm (referred to as the FP algorithm). This algorithm not only makes up for the speed deficiency of pointer analysis, but also obtains higher precision. Measurements on 8 practical C programs show that the FP algorithm outperforms the DSA algorithm by a factor of 42.6 on average, and that precision is also improved.
