PointerScope: Understanding Pointer Patching for Code Randomization

IEEE Transactions on Dependable and Secure Computing (2022)

Abstract
Various fine-grained randomization schemes have been designed to increase the entropy of the process address space, yet none of them has moved from academic exercise to industrial deployment the way Address Space Layout Randomization (ASLR) has. One critical reason is incorrect randomization caused by the mismatch between the schemes' pointer collection capabilities and the high accuracy that the pointer patching task demands: a pointer that is missed keeps a stale value after the code moves, and a non-pointer mistaken for a pointer is corrupted. In this article we present PointerScope, an accurate compile-time pointer collection scheme derived from a group of novel observations. The success of PointerScope rests on tracing the pointer generation process completely, including the compilation chain from compiler to static linker and the interface specification between them. From this view, PointerScope identifies four types of pointer-related static linker behaviors and clarifies five types of inherent addressing modes in the x86-64 architecture. A vague understanding of these causes Compiler-assisted Code Randomization (CCR) to collect pointers incorrectly and patch them to the wrong values after randomization. Further, we measure the pointer collection capability of augmented binary analysis; the experimental results show that it can mitigate the challenges of traditional binary analysis under the given premises, but additional heuristics still need to be designed to support fine-grained randomization.
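The following is an added illustration of the pointer patching problem the abstract describes; it is not code from the PointerScope paper or from the CCR toolchain, and it does not reproduce the paper's four linker behaviors or five addressing modes. It models a constructed three-function program in a flat address space with two pointer kinds loosely patterned on x86-64 relocations (absolute 64-bit words, as with R_X86_64_64, and 32-bit PC-relative displacements, as with R_X86_64_PC32 for call rel32), plus a decoy data constant that merely looks like a code address. Function bodies are permuted, then pointers are patched once from relocation-style metadata and once by a value-scanning heuristic; the assumed names, sizes and relocation sites are all invented for the example.

```python
"""Toy model of pointer patching after function-level code randomization.
Added illustration only; not the PointerScope or CCR implementation."""
import struct

CODE_BASE, DATA_BASE, DATA_SIZE = 0x401000, 0x404000, 0x20
FUNCS = {"main": 64, "helper": 48, "cleanup": 32}          # constructed sample: name -> size
ORIG_ORDER = ("main", "helper", "cleanup")

# Pointer sites as the static linker knows them from relocation records (constructed).
# 'where' is (function or "data", offset inside it); 'target' is the referenced function.
RELOCS = [
    {"where": ("data", 0x00), "kind": "abs64", "target": "helper"},   # function-pointer table[0]
    {"where": ("data", 0x08), "kind": "abs64", "target": "cleanup"},  # function-pointer table[1]
    {"where": ("main", 0x10), "kind": "pc32", "target": "helper"},    # call helper, rel32 field
    {"where": ("main", 0x14), "kind": "pc32", "target": "cleanup"},   # call cleanup, rel32 field
]
# A plain integer in data that happens to equal an address inside main (constructed decoy).
MAGIC_OFFSET, MAGIC_VALUE = 0x10, CODE_BASE + 0x20


def layout(order):
    """Assign start addresses to functions placed back-to-back in `order`."""
    addrs, cur = {}, CODE_BASE
    for name in order:
        addrs[name], cur = cur, cur + FUNCS[name]
    return addrs


def func_of(addr, addrs):
    """Map an address to (function, offset), or None if it lies outside every function."""
    for name, start in addrs.items():
        if start <= addr < start + FUNCS[name]:
            return name, addr - start
    return None


class Image:
    """Code and data bytes for one layout; each body is a distinctive filler byte."""
    def __init__(self, addrs, data=None):
        self.addrs, self.code = addrs, bytearray()
        for name in sorted(addrs, key=addrs.get):
            self.code += bytes([ord(name[0])]) * FUNCS[name]
        self.data = bytearray(data) if data else bytearray(DATA_SIZE)

    def _slot(self, addr):
        if CODE_BASE <= addr < CODE_BASE + len(self.code):
            return self.code, addr - CODE_BASE
        return self.data, addr - DATA_BASE

    def read(self, addr, n):
        buf, i = self._slot(addr)
        return bytes(buf[i:i + n])

    def write(self, addr, b):
        buf, i = self._slot(addr)
        buf[i:i + len(b)] = b

    def site(self, where):
        sec, off = where
        return (DATA_BASE if sec == "data" else self.addrs[sec]) + off


def apply_relocs(img):
    """Resolve every relocation against img's own layout, as the static linker would."""
    for r in RELOCS:
        site, target = img.site(r["where"]), img.addrs[r["target"]]
        if r["kind"] == "abs64":
            img.write(site, struct.pack("<Q", target))
        else:  # pc32: displacement is relative to the end of the 4-byte field
            img.write(site, struct.pack("<i", target - (site + 4)))


def build_original():
    img = Image(layout(ORIG_ORDER))
    apply_relocs(img)
    img.write(DATA_BASE + MAGIC_OFFSET, struct.pack("<Q", MAGIC_VALUE))
    return img


def move_bodies(old, new_order):
    """Permute function bodies without touching any pointer field (the randomization step)."""
    new = Image(layout(new_order), old.data)
    for name in new_order:
        new.write(new.addrs[name], old.read(old.addrs[name], FUNCS[name]))
    return new


def randomize_with_relocs(old, new_order):
    """Accurate patching: re-resolve every known relocation in the new layout."""
    new = move_bodies(old, new_order)
    apply_relocs(new)
    return new


def randomize_by_scan(old, new_order):
    """Heuristic patching: any 8-byte data word inside the old code range is 'a pointer'."""
    new = move_bodies(old, new_order)
    for off in range(0, DATA_SIZE, 8):
        (val,) = struct.unpack("<Q", new.read(DATA_BASE + off, 8))
        hit = func_of(val, old.addrs)
        if hit:  # false positive on MAGIC_VALUE; pc32 sites inside code are never visited
            new.write(DATA_BASE + off, struct.pack("<Q", new.addrs[hit[0]] + hit[1]))
    return new


def resolve_targets(img):
    """Decode each pointer site and report which function start it currently points at."""
    out = []
    for r in RELOCS:
        site = img.site(r["where"])
        if r["kind"] == "abs64":
            (addr,) = struct.unpack("<Q", img.read(site, 8))
        else:
            (disp,) = struct.unpack("<i", img.read(site, 4))
            addr = site + 4 + disp
        hit = func_of(addr, img.addrs)
        out.append(hit[0] if hit and hit[1] == 0 else None)
    return out


def read_magic(img):
    return struct.unpack("<Q", img.read(DATA_BASE + MAGIC_OFFSET, 8))[0]


if __name__ == "__main__":
    orig, order = build_original(), ("cleanup", "helper", "main")  # one fixed permutation
    good, bad = randomize_with_relocs(orig, order), randomize_by_scan(orig, order)
    print("reloc-driven:", resolve_targets(good), hex(read_magic(good)))
    print("value-scan  :", resolve_targets(bad), hex(read_magic(bad)))
```

With the fixed permutation, relocation-driven patching leaves every site pointing at its intended function and the decoy constant untouched, while the value scan remaps the decoy to a new address (a false positive) and never sees the two PC-relative call fields, which now displace to addresses outside any function (false negatives). That is the gap between collection capability and patching accuracy in miniature.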
Keywords
Code randomization, binary rewriting, pointer patching, addressing mode