Re: [DynInst_API:] Indirect Control Flow Target Deduction in CFG

[Xiaozhu Meng <mxz297@xxxxxxxxx>]

Hi Buddhika,

I am sorry for the late response. In terms of how ParseAPI handle indirect control flows, ParseAPI will try to resolve indirect jumps and if these indirect jumps correspond to a switch statement in the source code, ParseAPI typically can finds the indirect jump targets. You can get these targets by traverse the control flow graph, as shown in the example of the ParseAPI manual and you can check the edge type of control flow edges to determine whether they are indirect or not. For indirect calls and indirect tail calls, ParseAPI has little support to resolve their targets.Â

For your purpose of implementing a control flow integrity prototype, you either allow indirect calls to call all functions (disallowing calling any non-function-entry address), or you will need to do other analysis on top of Dyninst to better estimate the possible call targets.Â

Hope this helps.Â

Thanks,

--Xiaozhu

On Fri, Nov 10, 2017 at 7:56 AM, Buddhika Chamith Kahawitage Don <budkahaw@xxxxxxxxxxxx> wrote:

Hi All,

I am thinking of implementing a control flow integrity prototype for which I require doing some static analysis to approximate control flow targets of indirect control flow instructions.Â

How does parseAPI handle indirect control flows when deriving the CFG? What facilities does the API provide me order to obtain such information? (e.g: which control flows are indirect and what are the possible targets given an indirect control flow instruction)

Regards

Buddhika

_______________________________________________
Dyninst-api mailing list
Dyninst-api@xxxxxxxxxxx
https://lists.cs.wisc.edu/mailman/listinfo/dyninst-api