CR · Apr 7, 2021

Towards Optimal Use of Exception Handling Information for Function Detection

arXiv:2104.03168v1
Originality: Incremental advance
AI Analysis

This work addresses security vulnerabilities in binary code analysis by improving function detection accuracy, though it is incremental as it builds on existing call-frame methods.

The paper tackles function entry detection in binary code by analyzing how call frames in exception handling are used for that purpose. It finds that recursive disassembly maximizes coverage while heuristic-based methods reduce accuracy, and it develops an approach to fix call-frame errors to improve reliability.

Function entry detection is critical for security of binary code. Conventional methods heavily rely on patterns, inevitably missing true functions and introducing errors. Recently, call frames have been used in exception-handling for function start detection. However, existing methods have two problems. First, they combine call frames with heuristic-based approaches, which often brings error and uncertain benefits. Second, they trust the fidelity of call frames, without handling the errors that are introduced by call frames. In this paper, we first study the coverage and accuracy of existing approaches in detecting function starts using call frames. We found that recursive disassembly with call frames can maximize coverage, and using extra heuristic-based approaches does not improve coverage and actually hurts accuracy. Second, we unveil call-frame errors and develop the first approach to fix them, making their use more reliable.
