Resolving Indirect Calls in Binary Code via Cross-Reference Augmented Graph Neural Networks

TL;DR

CupidCall employs cross-reference augmented graph neural networks and compiler-level type analysis to significantly improve indirect call resolution accuracy in binary code analysis, outperforming existing ML-based methods.

Contribution

The paper introduces CupidCall, a novel method that enhances binary analysis by integrating cross-references into CFGs and utilizing advanced GNNs for precise indirect call resolution.

Findings

Achieves 95.2% F1 score on real-world binaries

Outperforms state-of-the-art ML approaches in accuracy

Enhances inter-procedural CFG construction for security analysis

Abstract

Binary code analysis is essential in scenarios where source code is unavailable, with extensive applications across various security domains. However, accurately resolving indirect call targets remains a longstanding challenge in maintaining the integrity of static analysis in binary code. This difficulty arises because the operand of a call instruction (e.g., call rax) remains unknown until runtime, resulting in an incomplete inter-procedural control flow graph (CFG). Previous approaches have struggled with low accuracy and limited scalability. To address these limitations, recent work has increasingly turned to machine learning (ML) to enhance analysis. However, this ML-driven approach faces two significant obstacles: low-quality callsite-callee training pairs and inadequate binary code representation, both of which undermine the accuracy of ML models. In this paper, we introduce CupidCall, a novel approach for resolving indirect calls using graph neural networks. Existing ML models in this area often overlook key elements such as data and code cross-references, which are essential for understanding a program's control flow. In contrast, CupidCall augments CFGs with cross-references, preserving rich semantic information. Additionally, we leverage advanced compiler-level type analysis to generate high-quality callsite-callee training pairs, enhancing model precision and reliability. We further design a graph neural model that leverages augmented CFGs and relational graph convolutions for accurate target prediction. Evaluated against real-world binaries from GitHub and the Arch User Repository on x86_64 architecture, CupidCall achieves an F1 score of 95.2%, outperforming state-of-the-art ML-based approaches. These results highlight CupidCall's effectiveness in building precise inter-procedural CFGs and its potential to advance downstream binary analysis and security applications.