Binsweep: Reliably Restricting Untrusted Instruction Streams with Static Binary Analysis and Control-Flow Integrity

17 October 2024

Restricting an application's instruction stream is necessary to ensure the absence of certain functionality, which in turn is a requirement for lightweight sandboxing of untrusted code in cloud environments. Doing so at the lowest possible level (i.e., machine code) is safest, as it does not assume trusted or bug-free build toolchains. However, resolving indirect branches and handling instruction set architectures (ISAs) with variable-length instructions are challenges for reliable and exhaustive machine code analysis. In this paper, we present Binsweep, a system that ensures complete analysis of variable-length ISA applications in machine code. The key enabling concept is a restricted form of Control-Flow Integrity (CFI) that Binsweep enforces, called BinsweepCFI. We implement BinsweepCFI as a compiler pass within the LLVM toolchain. Our evaluation over the SPECint benchmarks in SPEC CPU 2017 and widely used binary programs, including the NGINX web server, a Micronaut service, and Python interpreters, demonstrates that Binsweep can verify real-world programs, and that BinsweepCFI can protect programs with manageable (6.55% in the worst case) performance overhead. Furthermore, we show that Binsweep can verify these programs' CFGs much faster than a state-of-the-art binary analysis tool, angr, can recover CFGs. These results demonstrate that Binsweep can efficiently support admitting untrusted code buffers, hundreds of megabytes in size, to cloud sandboxes.
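The two obstacles the abstract names, unresolved indirect branches and variable-length encodings in which the same bytes decode differently depending on the start offset, can be seen on a tiny scale. The following Python is an added, constructed illustration and is not Binsweep's or BinsweepCFI's code: the toy ISA, its opcode values, the `CFIJMP` instruction, the target-table format and every function name here are invented for the example. It models a sandbox admission check that walks only the instruction stream reachable from the entry point, rejects a buffer whenever an indirect branch has no statically known target set, and, when indirect targets are restricted to a table (the CFI idea), enumerates every permitted target so that a privileged instruction hidden inside the immediate of another instruction is found rather than missed.

```python
"""Toy exhaustive analysis of a variable-length instruction stream.

Constructed example; the ISA, opcodes and table format are hypothetical and
are not the paper's design.
"""
from dataclasses import dataclass, field

# Hypothetical toy ISA: opcode -> (mnemonic, encoded length in bytes)
ISA = {
    0x00: ("NOP", 1),
    0x10: ("JMP", 2),      # JMP rel8: target = pc + 2 + signed imm8
    0x20: ("JZ", 2),       # JZ rel8: fallthrough or pc + 2 + signed imm8
    0x30: ("IJMP", 1),     # unrestricted indirect jump: target unknown statically
    0x40: ("CFIJMP", 2),   # indirect jump restricted to the targets in tables[imm8]
    0x50: ("LOAD", 2),     # LOAD imm8
    0x99: ("SYSCALL", 3),  # privileged op the sandbox must never be able to reach
    0xFF: ("HALT", 1),
}
FORBIDDEN = {"SYSCALL"}


@dataclass
class Report:
    complete: bool                                # every reachable target resolved?
    reachable: set = field(default_factory=set)   # addresses of reachable instructions
    forbidden: set = field(default_factory=set)   # reachable forbidden instructions
    problems: list = field(default_factory=list)  # reasons the buffer is not verifiable


def decode(code: bytes, pc: int):
    """Decode one instruction at pc; return (mnemonic, length, imm8) or None."""
    if pc < 0 or pc >= len(code) or code[pc] not in ISA:
        return None
    mnem, length = ISA[code[pc]]
    if pc + length > len(code):          # instruction runs past the buffer
        return None
    imm = code[pc + 1] if length >= 2 else None
    return mnem, length, imm


def rel(pc: int, length: int, imm: int) -> int:
    """Relative branch target with a sign-extended imm8."""
    return pc + length + (imm - 256 if imm >= 128 else imm)


def analyze(code: bytes, entry: int, tables: dict) -> Report:
    """Worklist traversal of exactly the instructions reachable from entry."""
    rep = Report(complete=True)
    work, seen = [entry], set()
    while work:
        pc = work.pop()
        if pc in seen:
            continue
        seen.add(pc)
        d = decode(code, pc)
        if d is None:
            rep.complete = False
            rep.problems.append(f"undecodable or out-of-range instruction at {pc}")
            continue
        mnem, length, imm = d
        rep.reachable.add(pc)
        if mnem in FORBIDDEN:
            rep.forbidden.add(pc)
        if mnem == "HALT":
            succ = []
        elif mnem == "JMP":
            succ = [rel(pc, length, imm)]
        elif mnem == "JZ":
            succ = [pc + length, rel(pc, length, imm)]
        elif mnem == "IJMP":
            # No static target set: the analysis cannot be exhaustive.
            rep.complete = False
            rep.problems.append(f"unrestricted indirect jump at {pc}: targets unknown")
            succ = []
        elif mnem == "CFIJMP":
            # Restricted indirect jump: every allowed target is analysed.
            if imm not in tables:
                rep.complete = False
                rep.problems.append(f"CFIJMP at {pc} references missing table {imm}")
            succ = list(tables.get(imm, []))
        else:
            succ = [pc + length]
        work.extend(succ)
    return rep


def admit(code: bytes, entry: int, tables: dict) -> bool:
    """Admission decision: fully analysed and no forbidden instruction reachable."""
    rep = analyze(code, entry, tables)
    return rep.complete and not rep.forbidden


# Constructed sample buffer. Decoded from offset 0, byte 0x99 at offset 1 is the
# immediate of LOAD; decoded from offset 1 it is a SYSCALL opcode.
CODE = bytes([0x50, 0x99,   # 0: LOAD 0x99
              0x40, 0x00,   # 2: CFIJMP via table 0
              0x00,         # 4: NOP
              0xFF])        # 5: HALT
CODE_UNRESTRICTED = bytes([0x50, 0x99, 0x30, 0x00, 0xFF])  # IJMP instead of CFIJMP

if __name__ == "__main__":
    print("table {0:[4]}   ->", admit(CODE, 0, {0: [4]}))          # True
    print("table {0:[4,1]} ->", admit(CODE, 0, {0: [4, 1]}))       # False: SYSCALL at 1
    print("unrestricted    ->", admit(CODE_UNRESTRICTED, 0, {}))   # False: incomplete
```

With the target table `{0: [4]}` the walk covers offsets 0, 2, 4 and 5 and admits the buffer. Adding offset 1 to the table makes the analysis decode the overlapping `SYSCALL` and reject the buffer, which is the point of enumerating permitted targets rather than trusting a linear sweep. Replacing `CFIJMP` with the unrestricted `IJMP` leaves the target set unknown, so the analysis reports itself incomplete and the buffer is rejected regardless of what the bytes happen to contain.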


Venue: The ACM Cloud Computing Security Workshop (CCSW'24)

File name: binsweep.pdf