Towards Optimal Use of Exception Handling Information for Function Detection
Chengbin Pang, Ruotong Yu, Dongpeng Xu, Eric Koskinen, Georgios Portokalidis, Jun Xu

TL;DR
This paper improves function start detection in binary code by analyzing call frame accuracy, maximizing coverage with recursive disassembly, and introducing a method to correct call-frame errors for more reliable results.
Contribution
It presents a novel approach to fix call-frame errors and demonstrates that recursive disassembly maximizes coverage without heuristic-based methods.
Findings
Recursive disassembly with call frames maximizes coverage.
Heuristic approaches do not improve and may reduce accuracy.
The proposed method effectively corrects call-frame errors.
Abstract
Function entry detection is critical for security of binary code. Conventional methods heavily rely on patterns, inevitably missing true functions and introducing errors. Recently, call frames have been used in exception-handling for function start detection. However, existing methods have two problems. First, they combine call frames with heuristic-based approaches, which often brings error and uncertain benefits. Second, they trust the fidelity of call frames, without handling the errors that are introduced by call frames. In this paper, we first study the coverage and accuracy of existing approaches in detecting function starts using call frames. We found that recursive disassembly with call frames can maximize coverage, and using extra heuristic-based approaches does not improve coverage and actually hurts accuracy. Second, we unveil call-frame errors and develop the first approach…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Software Engineering Research
