Binary and Malware Analysis

Table of Contents

Mitigating code-reuse attacks at the binary level

In GUI browsers, I have this page themed dynamically, so when it's dark outside, you'll get a dark theme. You need JS enabled if you want the dynamic theme; I don't run any JS-based analytics or tracking.

Mitigating code-reuse attacks at the binary level

Control-flow integrity:

promising way to stop code-reuse attacks (using already existing code to do what you want)
hard to enforce in practice
existing binary-level CFI can’t prevent function-reuse attacks

A call to function pointer gives you an attacker-controlled gadget, especially if it’s in a loop.

source-level CFI: enforce class hierarchy, match function argument types
TypeArmor for approximate source-level accuracy

The idea of TypeArmor:

function signature matching: extract argument count at callsite, argument usage at callee. then only allow targets with matching function types
in a callee, argument registers being used before they are written
in a callsite, see which argument registers are set: on function entry point continue, on return edge stop
at runtime, check the number of arguments