Lightweight Function Pointer Analysis

  • Wei Zhang
  • Yu Zhang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9065)

Abstract

Detecting and classifying the huge number of malware samples received every day is a major challenge in the security field. In recent years, using function call graphs to detect and classify malicious software has become a feasible method. As the basic technology of call graph construction, function pointer analysis has drawn increasing attention. Previous work often uses the results of pointer analysis to determine the possible targets of function pointer calls. However, the inherent complexity and efficiency problems of pointer analysis often lead to unsatisfactory results when it is applied to practical programs. This paper presents a strongly connected component (SCC) level flow-sensitive and context-sensitive function pointer analysis algorithm (referred to as the FP algorithm). This algorithm not only makes up for the speed deficiency of pointer analysis, but also obtains higher precision. Measurements on 8 practical C programs show that the FP algorithm is 42.6 times faster on average than the DSA algorithm, and that precision is also improved.

Keywords

Function pointer analysis algorithm; Function pointer reference graph; SCC-level flow-sensitive; Context-sensitive; LLVM

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. School of Computer Science and Technology, University of Science and Technology of China, Hefei, P.R. China