Bokai Zhang, Monika Santra, Syed Rafiul Hussain, Gang Tan (Pennsylvania State University)
Sound indirect-call resolution for stripped binaries is critical for security applications such as CFI enforcement, debloating, and large-scale vulnerability discovery, yet it remains challenging in the absence of symbol and type information. A recent work, Block-Based Points-to Analysis (BPA), addresses this problem with a scalable block memory model, but its implementation is tightly coupled to 32-bit x86 through an ISA-specific disassembly pipeline.
To overcome this limitation, we present BPA-X, an architecture-agnostic block-based points-to analysis framework for stripped binaries across multiple ISAs. BPA-X preserves the core soundness assumptions of BPA's block memory model while replacing the x86-specific components with the architecture-agnostic VEX IR, obtained through the binary analysis platform angr. It generalizes local and global memory-block partitioning using VEX semantics instead of x86-specific patterns, lifts VEX IR into SSA form, and performs a fixpoint computation for interprocedural value tracking and reachability analysis.
Our evaluation on SPEC CPU 2006 and real-world server binaries shows that BPA-X improves memory-block partitioning, reduces AICT on many x86 programs compared to BPA, and extends the analysis to x64 with little loss of precision. BPA-X also reduces memory consumption by 25% and improves runtime on large benchmarks.
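The block memory model and fixpoint computation described above, as an added illustration that is not code from BPA, BPA-X or angr: a small flow-insensitive, inclusion-based points-to analysis over a toy three-address IR (constructed here instead of VEX), run twice on the same program under two memory-block partitionings to show why partition granularity decides how many targets an indirect call resolves to. The IR, the program, every address, the function-entry table and the `partition_fine`/`partition_coarse` helpers are assumptions made for the example; the "average targets per indirect-call site" metric is how this example measures precision, not a claim about the paper's exact AICT definition.

```python
"""Toy block-based points-to analysis for indirect-call resolution.

Constructed example, not BPA/BPA-X/angr code: the IR, addresses and
partitioning helpers below are invented for illustration.
"""
from collections import defaultdict

# Function entry addresses (a real tool would recover these from the CFG).
FUNC_ENTRIES = {0x1000: "handler_a", 0x2000: "handler_b"}
# Start addresses of the two global objects the toy program touches.
GLOBAL_OBJECTS = [0x8000, 0x8010]

# Toy three-address IR, one instruction list per function:
#   ("addr",  dst, int)          dst = constant address (code or data)
#   ("add",   dst, src, int)     dst = src + offset (stays inside the block)
#   ("store", addr_reg, val_reg) *addr_reg = val_reg
#   ("load",  dst, addr_reg)     dst = *addr_reg
#   ("icall", reg)               call *reg
PROGRAM = {
    "init": [
        ("addr", "r1", 0x8000),   # r1 = &table
        ("add", "r2", "r1", 8),   # r2 = &table.fn (offset 8 in the object)
        ("addr", "r3", 0x1000),   # r3 = handler_a
        ("store", "r2", "r3"),    # table.fn = handler_a
        ("addr", "r4", 0x8010),   # r4 = &other
        ("addr", "r5", 0x2000),   # r5 = handler_b
        ("store", "r4", "r5"),    # other.fn = handler_b
    ],
    "dispatch": [
        ("addr", "r1", 0x8000),   # r1 = &table
        ("add", "r2", "r1", 8),   # r2 = &table.fn
        ("load", "r3", "r2"),     # r3 = table.fn
        ("icall", "r3"),          # call *r3
    ],
}


def partition_fine(addr):
    """One memory block per global object (object boundaries are known)."""
    starts = [s for s in GLOBAL_OBJECTS if s <= addr]
    return ("block", max(starts)) if starts else ("block", "unknown")


def partition_coarse(addr):
    """A single block for the whole data section (no object boundaries)."""
    return ("block", "globals")


def const_value(addr, partition):
    """Abstract value of a constant: a code pointer or a data block."""
    if addr in FUNC_ENTRIES:
        return ("code", addr)
    return partition(addr)


def analyze(program, partition):
    """Flow-insensitive points-to analysis iterated to a fixpoint.

    Registers are tracked per function, memory per block (field-insensitive
    within a block). Sets only grow over a finite lattice, so the loop ends.
    Returns {(function, instr_index): sorted code targets} for each icall.
    """
    regs = defaultdict(set)   # (func, reg) -> abstract values
    mem = defaultdict(set)    # block -> abstract values stored into it
    changed = True

    def join(table, key, values):
        nonlocal changed
        new = values - table[key]
        if new:
            table[key] |= new
            changed = True

    while changed:
        changed = False
        for fn, instrs in program.items():
            for ins in instrs:
                op = ins[0]
                if op == "addr":
                    join(regs, (fn, ins[1]), {const_value(ins[2], partition)})
                elif op == "add":
                    # Block model: an offset inside an object keeps the block.
                    join(regs, (fn, ins[1]), set(regs[(fn, ins[2])]))
                elif op == "store":
                    for blk in list(regs[(fn, ins[1])]):
                        if blk[0] == "block":
                            join(mem, blk, set(regs[(fn, ins[2])]))
                elif op == "load":
                    for blk in list(regs[(fn, ins[2])]):
                        if blk[0] == "block":
                            join(regs, (fn, ins[1]), set(mem[blk]))

    targets = {}
    for fn, instrs in program.items():
        for i, ins in enumerate(instrs):
            if ins[0] == "icall":
                targets[(fn, i)] = sorted(
                    v[1] for v in regs[(fn, ins[1])] if v[0] == "code")
    return targets


def avg_targets(targets):
    """Average number of resolved targets per indirect-call site."""
    return sum(len(t) for t in targets.values()) / len(targets)


if __name__ == "__main__":
    for name, part in (("fine", partition_fine), ("coarse", partition_coarse)):
        t = analyze(PROGRAM, part)
        print(name, {k: [hex(a) for a in v] for k, v in t.items()},
              "avg targets:", avg_targets(t))
```

Under the per-object partition the call in `dispatch` resolves only to `handler_a`, because the store of `handler_b` lands in a different block; with a single coarse block both stores merge and the same call site gets two targets. Over-approximation is still sound in both cases, which is the trade-off the partitioning improvements in the text are about.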