A. Dubey,X. Wu,H. Su,T. J. Koo

DOI: https://doi.org/10.1007/11562948_11

2005-01-01

Abstract:In this paper, we describe a computation platform called ReachLab, which enables automatic analysis of embedded software systems that interact with continuous environment. Algorithms are used to specify how the state space of the system model should be explored in order to perform analysis. In ReachLab, both system models and analysis algorithm models are specified in the same framework using Hybrid System Analysis and Design Language (HADL), which is a meta-model based language. The platform allows the models of algorithms to be constructed hierarchically and promotes their reuse in constructing more complex algorithms. Moreover, the platform is designed in such a way that the concerns of design and implementation of analysis algorithms are separated. On one hand, the models of analysis algorithms are abstract and therefore the design of algorithms can be made independent of implementation details. On the other hand, translators are provided to automatically generate implementations from the models for computing analysis results based on computation kernels. Multiple computation kernels, which are based on specific computation tools such as d/dt and the Level Set toolbox, are supported and can be chosen to enable hybrid state space exploration. An example is provided to illustrate the design and implementation process in ReachLab.

Yunan Zhang,Xu,Yixin Jiang

DOI: https://doi.org/10.1109/trustcom50675.2020.00111

2020-01-01

Abstract:Binary code search has received much attention recently due to its impactful applications, e.g., plagiarism detection, malware detection and software vulnerability auditing. However, developing an effective binary code search tool is challenging due to the gigantic syntax and structural differences in binaries resulted from different compilers, compiler options and malware family. In this paper, we propose a scalable and accurate binary search engine which performs syntactic matching by combining a set of key techniques to address the challenges above. The key contribution is binary code searching technique which combined function filtering and partial trace method to match the function code relatively quick and accurate. In addition, a simhash and basic information based function filtering is proposed to dramatically reduce the irrelevant target functions. Besides, we introduce a partial trace method for matching the shortlisted function accurately. The experimental results show that our method can find similar functions, even with the presence of program structure distortion, in a scalable manner.

Tong Ye,Lingfei Wu,Tengfei Ma,Xuhong Zhang,Yangkai Du,Peiyu Liu,Shouling Ji,Wenhai Wang

DOI: https://doi.org/10.48550/arXiv.2310.16853

2023-10-24

Abstract:Automatically generating function summaries for binaries is an extremely valuable but challenging task, since it involves translating the execution behavior and semantics of the low-level language (assembly code) into human-readable natural language. However, most current works on understanding assembly code are oriented towards generating function names, which involve numerous abbreviations that make them still confusing. To bridge this gap, we focus on generating complete summaries for binary functions, especially for stripped binary (no symbol table and debug information in reality). To fully exploit the semantics of assembly code, we present a control flow graph and pseudo code guided binary code summarization framework called CP-BCS. CP-BCS utilizes a bidirectional instruction-level control flow graph and pseudo code that incorporates expert knowledge to learn the comprehensive binary function execution behavior and logic semantics. We evaluate CP-BCS on 3 different binary optimization levels (O1, O2, and O3) for 3 different computer architectures (X86, X64, and ARM). The evaluation results demonstrate CP-BCS is superior and significantly improves the efficiency of reverse engineering.

Programming Languages,Artificial Intelligence

Joshua Collyer,Tim Watson,Iain Phillips

2024-06-03

Abstract:Binary code similarity detection is an important problem with applications in areas like malware analysis, vulnerability research and plagiarism detection. This paper proposes a novel graph neural network architecture combined with a novel graph data representation called call graphlets. A call graphlet encodes the neighborhood around each function in a binary executable, capturing the local and global context through a series of statistical features. A specialized graph neural network model is then designed to operate on this graph representation, learning to map it to a feature vector that encodes semantic code similarities using deep metric learning. The proposed approach is evaluated across four distinct datasets covering different architectures, compiler toolchains, and optimization levels. Experimental results demonstrate that the combination of call graphlets and the novel graph neural network architecture achieves state-of-the-art performance compared to baseline techniques across cross-architecture, mono-architecture and zero shot tasks. In addition, our proposed approach also performs well when evaluated against an out-of-domain function inlining task. Overall, the work provides a general and effective graph neural network-based solution for conducting binary code similarity detection.

Cryptography and Security,Artificial Intelligence,Information Retrieval,Machine Learning

Håvard Pettersen,Donn Morrison

2024-01-15

Abstract:This study addresses the challenge of reverse engineering binaries from unknown instruction set architectures, a complex task with potential implications for software maintenance and cyber-security. We focus on the tasks of detecting candidate call and return opcodes for automatic extraction of call graphs in order to simplify the reverse engineering process. Empirical testing on a small dataset of binary files from different architectures demonstrates that the approach can accurately detect specific opcodes under conditions of noisy data. The method lays the groundwork for a valuable tool for reverse engineering where the reverse engineer has minimal a priori knowledge of the underlying instruction set architecture.

Cryptography and Security,Software Engineering

Anshunkang Zhou,Yikun Hu,Xiangzhe Xu,Charles Zhang

DOI: https://doi.org/10.1145/3640337

IF: 3.685

2024-01-11

ACM Transactions on Software Engineering and Methodology

Abstract:Binary code similarity analysis is extremely useful since it provides rich information about an unknown binary, such as revealing its functionality and identifying reused libraries. Robust binary similarity analysis is challenging as heavy compiler optimizations can make semantically similar binaries have gigantic syntactic differences. Unfortunately, existing semantic-based methods still suffer from either incomplete coverage or low accuracy. In this paper, we propose ARCTURUS , a new technique that can achieve high code coverage and high accuracy simultaneously by manipulating program execution under the guidance of code reachability. Our key insight is that the compiler must preserve program semantics (e.g., dependences between code fragments) during compilation; therefore, the code reachability, which implies the interdependence between code, is invariant across code transformations. Based on the above insight, our key idea is to leverage the stability of code reachability to manipulate the program execution such that deep code logic can also be covered in a consistent way. Experimental results show that ARCTURUS achieves an average precision of 87.8% with 100% block coverage, outperforming compared methods by 38.4% on average. ARCTURUS takes only 0.15 seconds to process one function on average, indicating that it is efficient for practical use.

computer science, software engineering

Jiawei Han,Chao Liu

2008-01-01

Abstract:Recent years have seen great advances in software engineering and programming languages. Unfortunately, software is still far from bug-free, even for those deployed. Static analysis is a good approach to eliminating numerous bugs, but its conservative nature of analysis unavoidably constrains its capacity. Dynamic analysis, on the other hand, utilizes program runtime execution data, which complements static approaches. This thesis describes three dynamic techniques that leverage program runtime data to improve software quality.First, we present a statistical debugging algorithm, called S OBER, which automatically localizes software faults without any prior knowledge of the program semantics. This statistical debugging alleviates the high cost associated with manual debugging. Featuring a similar rationale to hypothesis testing, SOBER quantifies the fault relevance of each predicate in a principled way. We systematically evaluate S OBER under the same setting as previous studies, and compare S OBER with other seven algorithms. The result clearly demonstrates the advantages of SOBER over existing approaches.Second, we discuss automated program failure triage, which is a closely related problem with automated debugging. Recent software systems usually feature an automated failure reporting component, with which a huge number of failures are collected from software end-users. In order to effectively leverage the valuable program failure data, the collected failures need to be first triaged, i.e., to locate the most severe failures, and to assign them to appropriate developers. Lying in the center of failure triage is failure indexing, which tries to group failures due to the fault together. In this thesis, we propose a statistical debugging-based approach to program failure triage, called R-PROXIMITY, which better indexes failures and facilitates failure assignment than existing approaches. Finally, we describe a program dynamic slicing-based approach to failure indexing, which complements R-PROXIMITY. R-PROXIMITY is a quality failure indexing tool, but its effectiveness relies on a sufficient number of correct executions, which may or may not be available in practice. The proposed dynamic slicing-based approach does not require any correct executions, and hence perfectly complements R-PROXIMITY . All the three techniques are subject to three mid-sized programs grep, gzip, and flex, and the result validates their advancement of the state of the art.

Matan Avitan,Elena V. Ravve,Zeev Volkovich

DOI: https://doi.org/10.3390/math12050658

IF: 2.4

2024-02-25

Mathematics

Abstract:Many different aspects of software system development and verification rely on precise function identification in binary code. Recognition of the source Assembly functions in embedded systems is one of the fundamental challenges in binary program analysis. While numerous approaches assume that the functions are given a priori, correct identification of the functions in binaries remains a great issue. This contribution addresses the problem of uncertainty in binary code in identification of functions, which were optimized during compilation. This paper investigates the difference between debug and optimized functions via modeling of these functions. To do so, we introduce an extensible model-centred hands-on approach for examining similarities between binary functions. The main idea is to model each function using a set of predetermined, experimentally discovered features, and then find a suitable weight vector that could give impact factor to each such a feature. After finding the weight vector, the introduced models of such desired functions can be identified in binary software packages. It means that we reduce the similarity identification problem of the models to a classical version of optimization problems with one optimization criterion. Using our implementation, we found that the proposed approach works smoothly for functions, which contain at least ten Assembly instructions. Our tool guarantees success at a very high level.

mathematics

Toufique Ahmed,Premkumar Devanbu,Anand Ashok Sawant

DOI: https://doi.org/10.48550/arXiv.2103.05221

2021-03-09

Software Engineering

Abstract:Much software, whether beneficent or malevolent, is distributed only as binaries, sans source code. Absent source code, understanding binaries' behavior can be quite challenging, especially when compiled under higher levels of compiler optimization. These optimizations can transform comprehensible, "natural" source constructions into something entirely unrecognizable. Reverse engineering binaries, especially those suspected of being malevolent or guilty of intellectual property theft, are important and time-consuming tasks. There is a great deal of interest in tools to "decompile" binaries back into more natural source code to aid reverse engineering. Decompilation involves several desirable steps, including recreating source-language constructions, variable names, and perhaps even comments. One central step in creating binaries is optimizing function calls, using steps such as inlining. Recovering these (possibly inlined) function calls from optimized binaries is an essential task that most state-of-the-art decompiler tools try to do but do not perform very well. In this paper, we evaluate a supervised learning approach to the problem of recovering optimized function calls. We leverage open-source software and develop an automated labeling scheme to generate a reasonably large dataset of binaries labeled with actual function usages. We augment this large but limited labeled dataset with a pre-training step, which learns the decompiled code statistics from a much larger unlabeled dataset. Thus augmented, our learned labeling model can be combined with an existing decompilation tool, Ghidra, to achieve substantially improved performance in function call recovery, especially at higher levels of optimization.

Yusong Tan,Wei Chen,Qingbo Wu

DOI: https://doi.org/10.1109/ICPADS.2010.59

2010-01-01

Abstract:It is hard to execute parallel program efficiently on man-core platform because we could not divide program into appropriate granularity executed simultaneously. Based on virtual machine and binary translation technologies the article proposes the vapor profiling framework that uses SBIRP instruction in-place replacement method to collect program’s run-time control flow and data flow information precisely. Moreover, it explains how to create control flow and data flow dependency graphs. Experiment results prove that vapor has better performance than traditional methods.

Tao Wei,Jian Mao,Wei Zou,Yu Chen

DOI: https://doi.org/10.1109/COMPSAC.2007.203

2007-01-01

Abstract:One of the major challenges of control flow analysis in decompilation is to structure 2-way branches into conditionals, loop conditionals and switches. In this paper, we propose a graph-based method to formally describe structures of 2-way branches via the introduction of concepts called "compound branch subgraph" and "cascade branch subgraph". We then present novel structuring algorithms based on such concepts. Compared with previous works, our algorithms are deterministic rather than heuristic, and they do not use complicated data structures such as Interval/DSG. We show that in theory our algorithm is more accurate and efficient than typical current approaches; furthermore, we have applied the algorithm to several real-world binary executables, and experimental results validate such theoretical analysis.

Anne Veenendaal,Elliot Daly,Eddie Jones,Zhao Gang,Sumalini Vartak,Rahul S Patwardhan

DOI: https://doi.org/10.48550/arXiv.1610.04594

2016-07-27

Software Engineering

Abstract:Enterprise level software is implemented using multi-layer architecture. These layers are often implemented using de-coupled solutions with millions of lines of code. Programmers often have to track and debug a function call from user interface layer to the data access layer while troubleshooting an issue. They have to inspect the code based on search results or use design documents to construct the call graph. This process is time consuming and laborious. The development environment tools are insufficient or confined to analyzing only the code in the loaded solution. This paper proposes a method to construct a call graph of the call across several layers of the code residing in different code bases to help programmers better understand the design and architecture of the software. The signatures of class, methods, and properties were evaluated and then matched against the code files. A graph of matching functions was created. The recursive search stopped when there were no matches or the data layer code was detected. The method resulted in 78.26% accuracy when compared with manual search.

Lixin Li,Chao Wang

DOI: https://doi.org/10.1007/978-3-642-40787-1_31

2013-01-01

Abstract:Dynamic analysis techniques have made a significant impact in security practice, e.g. by automating some of the most tedious processes in detecting vulnerabilities. However, a significant gap remains between existing software tools and what many security applications demand. In this paper, we present our work on developing a cross-platform interactive analysis tool, which leverages techniques such as symbolic execution and taint tracking to analyze binary code on a range of platforms. The tool builds upon IDA, a popular reverse engineering platform, and provides a unified analysis engine to handle various instruction sets and operating systems. We have evaluated the tool on a set of real-world applications and shown that it can help identify the root causes of security vulnerabilities quickly.

付文,赵荣彩,庞建民,张一弛

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.16.017

2010-01-01

Abstract:Locating main function from binary code is not an easy task when there is no symbol table in it.Aiming at this problem,this paper presents a novel approach for Portable Executables(PE).It analyzes the execution process of a PE from the entry point to abstract some patterns for locating.Instruction pattern matching is used to locate the address of function main() from a PE file.Experimental result shows that the approach based on pattern matching is favorable and effective on locating function main() from portable executables in different platform.It can improve the analyzing ability of binary code analysis tools.

XuHao Chen,Li Shen,ZhiYing Wang,Zhong Zheng,Wei Chen

DOI: https://doi.org/10.1007/s11432-014-5089-5

2014-01-01

Science China Information Sciences

Abstract:We propose a novel lightweight code generation algorithm GSM (Greedy Subgraph Mapping), which can generate compact code with low overhead using many-to-one mapping. GSM is implemented and evaluated in a dynamic binary translation prototype system called TransARM. Experimental results demonstrate that GSM generates higher quality target code than a conventional implementation, which brings an average code expansion rate close to 1.3 for the selected 11 benchmarks. Moreover, GSM causes slightly extra overhead and negligible slowdown of translation and enables 10% performance improvement for target code execution.

Chengbin Pang,Ruotong Yu,Dongpeng Xu,Eric Koskinen,Georgios Portokalidis,Jun Xu

DOI: https://doi.org/10.48550/arXiv.2104.03168

2021-04-07

Abstract:Function entry detection is critical for security of binary code. Conventional methods heavily rely on patterns, inevitably missing true functions and introducing errors. Recently, call frames have been used in exception-handling for function start detection. However, existing methods have two problems. First, they combine call frames with heuristic-based approaches, which often brings error and uncertain benefits. Second, they trust the fidelity of call frames, without handling the errors that are introduced by call frames. In this paper, we first study the coverage and accuracy of existing approaches in detecting function starts using call frames. We found that recursive disassembly with call frames can maximize coverage, and using extra heuristic-based approaches does not improve coverage and actually hurts accuracy. Second, we unveil call-frame errors and develop the first approach to fix them, making their use more reliable.

Cryptography and Security

Robert Husák,F. Zavoral,J. Kofroň

DOI: https://doi.org/10.14279/tuj.eceasst.77.1109

2019-10-21

Abstract:In order to prevent and fix errors in program code, developers need to understand its semantics to a significant extent. For this purpose, they use various approaches, such as manual call graph exploration or dynamic analysis with a debugger. However, these techniques tend to be cumbersome in a larger codebase, because they provide either underapproximate or overapproximate results and it is often hard to combine them. Therefore, we present AskTheCode, a Microsoft Visual Studio extension enabling to interactively explore a call graph, ensuring that only feasible execution traces are taken into consideration. AskTheCode is based on control flow analysis and backward symbolic execution. We show its potential to significantly improve developers' experience on a complex code example.

Computer Science

xusheng xiao,tao xie,nikolai tillmann,peli de halleux

2010-01-01

Abstract:The process of achieving high structural coverage of the pro- gram under test can be automated using Dynamic Sym- bolic Execution (DSE), which generates test inputs to it- eratively explore paths of the program under test. When applied on real-world applications, DSE faces various chal- lenges in generating test inputs to achieve high structural coverage. Among issues related to these challenges, our preliminary study identified two main types of issues: (1) object-creation issues (OCI), where DSE fails to generate method-call sequences to produce desirable object states; (2) external-method-call issues (EMCI), where symbolic val- ues are passed as arguments to third-party library methods that are not instrumented by DSE. Automatically solving these two main types of issues is challenging, since the explo- ration space of generating method-call sequences for desir- able object states is usually too huge, and instrumenting all third-party libraries can cause explosion of the exploration space. However, when provided with informative informa- tion of issues, users can effectively assist DSE to achieve high structural coverage. In this paper, we propose a gen- eral approach, called Covana, to identify issues faced by DSE via analyzing runtime information, and filter out irrelevant issues using residual structural coverage. We provide two techniques to instantiate our general approach to identify OCIs and EMCIs. To show the effectiveness of Covana, we conduct evaluations on two open source projects. Our re- sults show that Covana effectively identifies 155 OCIs, and 43 EMCIs. Moreover, Covana effectively reduces 296 irrel- evant issues out of 451 OCIs and 1567 irrelevant issues out of 1610 EMCIs produced by a straightforward approach.

Hayfa Tayeb,Ludovic Paillat,Berenger Bramas

2023-06-30

Abstract:Leveraging the SIMD capability of modern CPU architectures is mandatory to take full benefit of their increasing performance. To exploit this feature, binary executables must be explicitly vectorized by the developers or an automatic vectorization tool. This why the compilation research community has created several strategies to transform a scalar code into a vectorized implementation. However, the majority of the approaches focus on regular algorithms, such as affine loops, that can be vectorized with few data transformations. In this paper, we present a new approach that allow automatically vectorizing scalar codes with chaotic data accesses as long as their operations can be statically inferred. We describe how our method transforms a graph of scalar instructions into a vectorized one using different heuristics with the aim of reducing the number or cost of the instructions. Finally, we demonstrate the interest of our approach on various computational kernels using Intel AVX-512 and ARM SVE.

Distributed, Parallel, and Cluster Computing,Programming Languages

Derrick McKee,Nathan Burow,Mathias Payer

DOI: https://doi.org/10.48550/arXiv.1906.02928

2020-07-01

Abstract:When reverse engineering a binary, the analyst must first understand the semantics of the binary's functions through either manual or automatic analysis. Manual semantic analysis is time-consuming, because abstractions provided by high level languages, such as type information, variable scope, or comments are lost, and past analyses cannot apply to the current analysis task. Existing automated binary analysis tools currently suffer from low accuracy in determining semantic function identification in the presence of diverse compilation environments. We introduce Software Ethology, a binary analysis approach for determining the semantic similarity of functions. Software Ethology abstracts semantic behavior as classification vectors of program state changes resulting from a function executing with a specified input state, and uses these vectors as a unique fingerprint for identification. All existing semantic identifiers determine function similarity via code measurements, and suffer from high inaccuracy when classifying functions from compilation environments different from their ground truth source. Since Software Ethology does not rely on code measurements, its accuracy is resilient to changes in compiler, compiler version, optimization level, or even different source implementing equivalent functionality. Tinbergen, our prototype Software Ethology implementation, leverages a virtual execution environment and a fuzzer to generate the classification vectors. In evaluating Tinbergen's feasibility as a semantic function identifier by identifying functions in coreutils-8.30, we achieve a high .805 average accuracy. Compared to the state-of-the-art, Tinbergen is 1.5 orders of magnitude faster when training, 50% faster in answering queries, and, when identifying functions in binaries generated from differing compilation environments, is 30%-61% more accurate.

Cryptography and Security