PhaseSeed: Precise Call Graph Construction for Split-Phase Applications using Dynamic Seeding

TL;DR

PhaseSeed enhances call graph precision for split-phase applications by dynamically analyzing initialization, then seeding this info into static analysis, significantly improving security mechanism accuracy.

Contribution

It introduces a novel dynamic-static hybrid approach, PhaseSeed, for precise call graph construction in split-phase applications, addressing static analysis imprecision.

Findings

Up to 92.6% precision improvement for control flow integrity.

Filters nine additional security-critical system calls.

Proven soundness across multiple runs with the same configuration.

Abstract

Precise and sound call graph construction is crucial for many software security mechanisms. Unfortunately, traditional static pointer analysis techniques used to generate application call graphs suffer from imprecision. These techniques are agnostic to the application's architecture and are designed for broad applicability. To mitigate this precision problem, we propose PhaseSeed, a novel technique that improves the accuracy of pointer analysis for split-phase applications, which have distinct initialization and processing phases. PhaseSeed analyzes the initialization phase dynamically, collecting the points-to relationships established at runtime. At the end of the initialization phase, it then seeds this information to a static analysis stage that performs pointer analysis for all code that stays in scope during the processing phase, improving precision. Our observations show that, given the same runtime configuration options, the points-to relationships established during the initialization phase remain constant across multiple runs. Therefore, PhaseSeed is sound with respect to a given initial configuration. We apply PhaseSeed to three security mechanisms: control flow integrity (CFI), software debloating, and system call filtering. PhaseSeed provides up to 92.6% precision improvement for CFI compared to static call graph construction techniques, and filters nine additional security-critical system calls when used to generate Seccomp profiles.