Towards Optimal Use of Exception Handling Information for Function Detection. (arXiv:2104.03168v1 [cs.CR])

Function entry detection is critical for security of binary code.
Conventional methods heavily rely on patterns, inevitably missing true
functions and introducing errors. Recently, call frames have been used in
exception-handling for function start detection. However, existing methods have
two problems. First, they combine call frames with heuristic-based approaches,
which often introduces errors while bringing uncertain benefits. Second, they trust the
fidelity of call frames, without handling the errors that are introduced by
call frames. In this paper, we first study the coverage and accuracy of
existing approaches in detecting function starts using call frames. We found
that recursive disassembly with call frames can maximize coverage, and using
extra heuristic-based approaches does not improve coverage and actually hurts
accuracy. Second, we unveil call-frame errors and develop the first approach to
fix them, making their use more reliable.
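The call-frame view of function starts that the abstract refers to comes from the FDE records in a binary's .eh_frame section: each FDE names a code range, and its pc_begin is a function entry candidate. The following is an added illustration, not code from the paper or its authors: it builds a small constructed .eh_frame blob (the CIE and FDE layout, section address and function ranges are all assumptions), extracts every FDE's start and length, and runs a simple consistency check (overlapping or empty ranges) of the kind a consumer needs before trusting call frames blindly; the check is an assumption for illustration, not the paper's repair method. Only the common x86-64 encoding (augmentation "zR", DW_EH_PE_pcrel | DW_EH_PE_sdata4) is handled.

```python
import struct
PCREL_SDATA4 = 0x1B  # DW_EH_PE_pcrel | DW_EH_PE_sdata4, the FDE pointer encoding GCC emits on x86-64

def _uleb(data, off):  # decode one unsigned LEB128 value; return (value, next offset)
    val, shift = 0, 0
    while data[off] & 0x80:
        val |= (data[off] & 0x7F) << shift
        shift, off = shift + 7, off + 1
    return val | (data[off] << shift), off + 1

def build_eh_frame(section_addr, funcs):
    """Constructed sample .eh_frame: one CIE ('zR', pcrel|sdata4) plus one FDE per (start, length)."""
    cie = b"\x01zR\x00" + b"\x01\x78\x10" + b"\x01" + bytes([PCREL_SDATA4])  # v1, aligns 1/-8, RA=16
    cie += b"\x00" * (-len(cie) % 8)                    # DW_CFA_nop padding to 8-byte boundary
    out = struct.pack("<II", 4 + len(cie), 0) + cie     # CIE id 0; the CIE lives at offset 0
    for start, length in funcs:
        pc_field = section_addr + len(out) + 8          # address of this FDE's pc_begin field
        body = struct.pack("<iI", start - pc_field, length) + b"\x00"   # pcrel start, range, aug len 0
        body += b"\x00" * (-len(body) % 8)
        out += struct.pack("<II", 4 + len(body), len(out) + 4) + body   # CIE pointer: back to offset 0
    return out + b"\x00\x00\x00\x00"                    # zero-length terminator

def fde_ranges(section_addr, data):
    """Return [(start, length)] for every FDE: the call-frame view of function starts."""
    ranges, enc, off = [], None, 0
    while off + 4 <= len(data):
        length = struct.unpack_from("<I", data, off)[0]
        if length == 0:                                     # terminator record
            break
        rec = off + 4
        if struct.unpack_from("<I", data, rec)[0] == 0:     # CIE: learn the FDE pointer encoding
            end = data.index(b"\x00", rec + 5)
            aug, p = data[rec + 5:end].decode(), end + 1
            for _ in range(3):                              # code align, data align, RA register
                _, p = _uleb(data, p)
            enc = data[_uleb(data, p)[1]] if aug == "zR" else None   # skip aug length, read 'R' byte
        elif enc == PCREL_SDATA4:                           # FDE: pc_begin is relative to its own field
            rel, rng = struct.unpack_from("<iI", data, rec + 4)
            ranges.append((section_addr + rec + 4 + rel, rng))
        off = rec + length
    return ranges

def suspicious_frames(ranges):
    """Flag empty or overlapping FDE ranges; a blind consumer would turn these into bogus starts."""
    bad, prev_end = [], 0
    for start, length in sorted(ranges):
        if length == 0 or start < prev_end:
            bad.append((start, length))
        prev_end = max(prev_end, start + length)
    return bad
```

Running `fde_ranges(0x2000, build_eh_frame(0x2000, [(0x1000, 0x40), (0x1040, 0x80), (0x10a0, 0x30)]))` recovers the three starts, and `suspicious_frames` flags the third FDE because it overlaps the second.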