Antonio Flores-Montoya,Eric Schulte

DOI: https://doi.org/10.48550/arXiv.1906.03969

2019-06-07

Programming Languages

Abstract:Disassembly is fundamental to binary analysis and rewriting. We present a novel disassembly technique that takes a stripped binary and produces reassembleable assembly code. The resulting assembly code has accurate symbolic information, providing cross-references for analysis and to enable adjustment of code and data pointers to accommodate rewriting. Our technique features multiple static analyses and heuristics in a combined Datalog implementation. We argue that Datalog's inference process is particularly well suited for disassembly and the required analyses. Our implementation and experiments support this claim. We have implemented our approach into an open-source tool called Ddisasm. In extensive experiments in which we rewrite thousands of x64 binaries we find Ddisasm is both faster and more accurate than the current state-of-the-art binary reassembling tool, Ramblr.

Chengbin Pang,Ruotong Yu,Yaohui Chen,Eric Koskinen,Georgios Portokalidis,Bing Mao,Jun Xu

DOI: https://doi.org/10.1109/sp40001.2021.00012

2021-05-01

Abstract:Disassembly of binary code is hard, but necessary for improving the security of binary software. Over the past few decades, research in binary disassembly has produced many tools and frameworks, which have been made available to researchers and security professionals. These tools employ a variety of strategies that grant them different characteristics. The lack of systematization, however, impedes new research in the area and makes selecting the right tool hard, as we do not understand the strengths and weaknesses of existing tools. In this paper, we systematize binary disassembly through the study of nine popular, open-source tools. We couple the manual examination of their code bases with the most comprehensive experimental evaluation (thus far) using 3,788 binaries. Our study yields a comprehensive description and organization of strategies for disassembly, classifying them as either algorithm or else heuristic. Meanwhile, we measure and report the impact of individual algorithms on the results of each tool. We find that while principled algorithms are used by all tools, they still heavily rely on heuristics to increase code coverage. Depending on the heuristics used, different coverage-vs-correctness trade-offs come in play, leading to tools with different strengths and weaknesses. We envision that these findings will help users pick the right tool and assist researchers in improving binary disassembly.

Chao DAI,Jian-min PANG,Yi-chi ZHANG,Liang ZHU,Feng YUE,Hong-wei TAO

2017-01-01

Abstract:The malware behavior analysis is composed of analysis in disassembly level and system-call level.Out of the finer grain,the analysis in disassembly level is irreplaceable in characterizing the code behavior.However,the existing analysis technologies in disassembly level is not good at coping with discontinuous instruction sequences.In view of this situation and characteristics of binary code,this paper proposes a method of behavior analysis in disassembly level based on pattern matching with wildcards and gap-length constrains,called CFG-refinedSAIL.It reconstructs the code structure by the recursive traversal disassembly algorithm first.Then the algorithm compares the opcode sequences in each basicblock of control flow with the opcode sequences of malware behavior in a refined way to find out the malware behavior in disassembly level.Finally,the test validates the effectiveness the algorithm,and its performance is good,which could provide the basis for subsequent analysis of malware.

Nan Zhang,Zhenyu Liu,Chan Qiu,Jin Cheng,Jianrong Tan

DOI: https://doi.org/10.1177/0954405419870966

2019-01-01

Proceedings of the Institution of Mechanical Engineers Part B Journal of Engineering Manufacture

Abstract:Disassembly sequence planning plays a crucial role in the reuse and remanufacturing of end-of-life products. However, it is challenging to obtain optimal disassembly sequences as it is a difficult non-deterministic polynomial-time–hard combinatorial optimisation problem. This study proposes a precedence-based disassembly subset-generation method to solve the disassembly sequence-planning problem. The proposed method first generates disassembly subsets based on disassembly precedence relationships. Subsequently, multiple high-level feasible subsets are generated, and some of them are selected to generate higher level subsets using specially designed operators. After several iterations, different optimal disassembly sequences can be obtained. The principal merit of this method is that high-quality disassembly sequences can be generated in the solution construction process. Numerical experiments were conducted by applying the proposed method to three case studies, and the performance of the proposed method for finding optimal solutions and reducing computational time was evaluated in comparison with state-of-the-art methods. The parameters employed in this method were also analysed to explain the mechanism adopted.

Huanyao Rong,Yue Duan,Hang Zhang,XiaoFeng Wang,Hongbo Chen,Shengchen Duan,Shen Wang

2024-07-12

Abstract:Disassembly is a challenging task, particularly for obfuscated executables containing junk bytes, which is designed to induce disassembly errors. Existing solutions rely on heuristics or leverage machine learning techniques, but only achieve limited successes. Fundamentally, such obfuscation cannot be defeated without in-depth understanding of the binary executable's semantics, which is made possible by the emergence of large language models (LLMs). In this paper, we present DisasLLM, a novel LLM-driven dissembler to overcome the challenge in analyzing obfuscated executables. DisasLLM consists of two components: an LLM-based classifier that determines whether an instruction in an assembly code snippet is correctly decoded, and a disassembly strategy that leverages this model to disassemble obfuscated executables end-to-end. We evaluated DisasLLM on a set of heavily obfuscated executables, which is shown to significantly outperform other state-of-the-art disassembly solutions.

Cryptography and Security

Tong Ye,Lingfei Wu,Tengfei Ma,Xuhong Zhang,Yangkai Du,Peiyu Liu,Shouling Ji,Wenhai Wang

DOI: https://doi.org/10.48550/arXiv.2310.16853

2023-10-24

Abstract:Automatically generating function summaries for binaries is an extremely valuable but challenging task, since it involves translating the execution behavior and semantics of the low-level language (assembly code) into human-readable natural language. However, most current works on understanding assembly code are oriented towards generating function names, which involve numerous abbreviations that make them still confusing. To bridge this gap, we focus on generating complete summaries for binary functions, especially for stripped binary (no symbol table and debug information in reality). To fully exploit the semantics of assembly code, we present a control flow graph and pseudo code guided binary code summarization framework called CP-BCS. CP-BCS utilizes a bidirectional instruction-level control flow graph and pseudo code that incorporates expert knowledge to learn the comprehensive binary function execution behavior and logic semantics. We evaluate CP-BCS on 3 different binary optimization levels (O1, O2, and O3) for 3 different computer architectures (X86, X64, and ARM). The evaluation results demonstrate CP-BCS is superior and significantly improves the efficiency of reverse engineering.

Programming Languages,Artificial Intelligence

Kaiyuan Li,Maverick Woo,Limin Jia

DOI: https://doi.org/10.48550/arXiv.2012.09155

2020-12-11

Programming Languages

Abstract:When a software transformation or software security task needs to analyze a given program binary, the first step is often disassembly. Since many modern disassemblers have become highly accurate on many binaries, we believe reliable disassembler benchmarking requires standardizing the set of binaries used and the disassembly ground truth about these binaries. This paper presents (i) a first version of our work-in-progress disassembly benchmark suite, which comprises 879 binaries from diverse projects compiled with multiple compilers and optimization settings, and (ii) a novel disassembly ground truth generator leveraging the notion of "listing files", which has broad support by Clang, GCC, ICC, and MSVC. In additional, it presents our evaluation of four prominent open-source disassemblers using this benchmark suite and a custom evaluation system. Our entire system and all generated data are maintained openly on GitHub to encourage community adoption.

Xinlei Yao,Jianmin Pang,Yichi Zhang,Yong Yu,Jianping Lu

DOI: https://doi.org/10.1109/mines.2012.25

2012-01-01

Abstract:Control flow obfuscation is an important way of software copyright protection, the main purpose is to make the static analysis tools produce wrong control flow graph, and then prevent malicious use of reverse engineering against software. In this paper we ropose an approach to implement control flow obfuscation using Windows structured exception handling mechanism. Programs are obfuscated by replacing branch instructions with exception code and inserting fake branch instruction after the exception code. Furthermore, exception code random technology is used to improve the resilience of the obfuscated code. Experimental results show that disassemble tools fail to identify 56.7% control flow of the obfuscated code, and have a misunderstanding of 40% control flow. The increase in program size and execute time of the obfuscated code is also modest.

Muhui Jiang,Qinming Dai,Wenlong Zhang,Rui Chang,Yajin Zhou,Xiapu Luo,Ruoyu Wang,Yang Liu,Kui Ren

DOI: https://doi.org/10.1109/tse.2022.3187811

IF: 7.4

2023-01-01

IEEE Transactions on Software Engineering

Abstract:Embedded devices are becoming ubiquitous, and ARM is becoming the dominant architecture for them. Meanwhile, there is a pressing need to perform security assessments for these devices. Due to different types of peripherals, emulating the software, i.e., firmware, of these devices in scale is challenging. Therefore, static analysis is still widely used. Existing works usually leverage off-the-shelf tools to disassemble stripped ARM binaries and (implicitly) assume that reliably disassembling binaries is a solved problem. However, whether this assumption really holds is unknown. In this paper, we conduct the first comprehensive study on ARM disassembly tools. Specifically, we build 1,896 ARM binaries (including 248 obfuscated ones) with different compilers, compiling options, and obfuscation methods. We then evaluate them using eight state-of-the-art ARM disassembly tools (including both commercial and noncommercial ones) in three different versions on their capabilities to locate instruction boundary, function boundary, and function signature. Instruction and function boundary are two fundamental primitives that the other primitives are built upon while function signature is significant for control flow integrity (CFI) techniques. Our work reveals some observations that have not been systematically summarized and/or confirmed. For instance, we find that the existence of both ARM and Thumb instruction sets, and the reuse of the BL instruction for both function calls and branches bring serious challenges to disassembly tools. Our evaluation sheds light on the limitations of state-of-the-art disassembly tools and points out potential directions for improvement.

Guang Wang,Ziyuan Zhu,Xu Cheng,Dan Meng

DOI: https://doi.org/10.1109/iccd56317.2022.00075

2022-01-01

Abstract:Instruction disassemblers can be used for software reverse engineering, malware analysis, and undocumented instructions detection. However, flaws in the disassemblers directly affect the accuracy of its related applications. For example, if the disassembler fails to decode or misdecodes the binary code of malware, the reverse engineers may misinterpret the functionality of the malware. Therefore, it is necessary to systematically test the disassemblers. Existing works leverage the depth-first search (DFS) algorithm to search the x86 instruction space. However, they cannot cover all x86 instruction opcodes and register operands. The root cause is that existing DFS algorithms cannot guarantee the search depth for some instruction space. We proposed an approach, named FedDFS, to improve the search depth of DFS algorithm. We analyzed the x86 instruction formats and summarized the essential search depth for each instruction format. We leveraged a feedback controlled DFS algorithm, which is controlled by comparing its search depth with essential search depth. If FedDFS detects that search depth is smaller than essential search depth, the feedback mechanism promptly increases the search depth until it reaches the proper search depth. We evaluated FedDFS on disassembler Capstone and processors from Intel and AMD. The experimental results proved that, after increasing the search depth, FedDFS does improve the coverage of x86 instruction opcodes and register operands. FedDFS tested trillions of instructions and found more instruction flaws in Capstone, which of them can only be found by FedDFS.

Chengbin Pang,Tiantai Zhang,Ruotong Yu,Bing Mao,Jun Xu

2022-01-01

Abstract:Modern disassembly tools often rely on empirical evaluations to validate their performance and discover their limitations, thus promoting long-term evolvement. To support the empirical evaluation, a foundation is the right approach to collect the ground truth knowledge. However, there has been no unanimous agreement on the approach we should use. Most users pick an approach based on their experience or will, regardless of the properties that the approach presents. In this paper, we perform a study on the approaches to building the ground truth for binary disassembly, aiming to shed light on the right way for the future. We first provide a taxonomy of the approaches used by past research, which unveils five major mechanisms behind those approaches. Following the taxonomy, we summarize the properties of the five mechanisms from two perspectives: (i) the coverage and precision of the ground truth produced by the mechanisms and (ii) the applicable scope of the mechanisms (e.g., what disassembly tasks and what types of binaries are supported). The summarization, accompanied by quantitative evaluations, illustrates that many mechanisms are ill-suited to support the generation of disassembly ground truth. The mechanism best serving today's need is to trace the compiling process of the target binaries to collect the ground truth information. Observing that the existing tool to trace the compiling process can still miss ground truth results and can only handle x86/x64 binaries, we extend the tool to avoid overlooking those results and support ARM32/AArch64/MIPS32/MIPS64 binaries. We envision that our extension will make the tool a better foundation to enable universal, standard ground truth for binary disassembly.

Zhi-feng Zhang,Yi-xiong Feng,Jian-rong Tan,Wei-qiang Jia,Guo-dong Yi

DOI: https://doi.org/10.1631/jzus.a1500155

2015-01-01

Journal of Zhejiang University SCIENCE A

Abstract:This paper investigates the problem of parallel disassembly with the consideration of fuzziness. A novel approach is proposed based on optimized dispatching for parallel disassembly in which disassembly time is characterized by the fuzzy sets due to inevitable uncertainties. The proposed approach consists of three parts: in the first part, the fuzzy time-based dispatching disassembly process model is established; in the second part, the boundary conditions of the fuzzy time and the disassembly are derived, and the components' disassembly order and available stations are encoded together to find the optimal disassembly path; in the final part, the approach is optimized by using genetic algorithm (GA) to minimize the total time and cost, and the solution is compared with other algorithms. Finally, a case study for a hydraulic press disassembly is presented to verify the effectiveness and feasibility of the proposed approach.

Tianyang Dong,Ling Zhang,Ruofeng Tong,Jinxiang Dong

DOI: https://doi.org/10.1007/s00170-005-0036-7

IF: 3.563

2005-01-01

The International Journal of Advanced Manufacturing Technology

Abstract:An important aspect of design for the life cycle is assessing the disassemblability of products. This paper presents a novel approach to automatic generation of disassembly sequence from hierarchical attributed liaison graph (HALG) representation of an assembly through recursively decomposing the assembly into subassemblies. In order to increase the planning efficiency, the HALG is built according to the knowledge in engineering, design and demanufacturing domains. In this method, the boundary representation (B-Rep) models are simplified by removing the hidden surfaces to reduce the computational complexity of disassembly planning. For each layer of HALG, the subassembly selection indices defined in terms of mobility, stability, and parallelism are proposed to evaluate the extracted tentative subassemblies and select the preferred subassemblies. To verify the validity and efficiency of the approach, a variety of assemblies including some complicated products are tested, and the corresponding results are presented.

Yixiong Feng,Kaiyue Cui,Zhaoxi Hong,Weiyu Yan,Xiuju Song,Jianrong Tan

DOI: https://doi.org/10.1109/case59546.2024.10711603

2024-01-01

Abstract:Complex high-end equipment is the fundamental hardware of Industry 5.0. Low-carbon green disassembly for high-end equipment has prominent effects on Industry 5.0. However, low-carbon disassembly sequence planning (DSP) for complex high-end equipment is time-consuming and inefficient. Moreover, it is easy to generate non-homogeneous decision-making information due to cognitive uncertainty during disassembly evaluation, which makes it too difficult to determine the optimal solution. To address these issues, this work proposes a novel DSP method by integrating disassembly carbon benefit, improved Moth-Flame Optimizer (IMFO), and normalization of non-homogeneous information in this study. IMFO is designed to solve DSP. It adopts good-set theory, a nonlinear dynamic convergence factor, and an adaptive weight for greater efficiency in searching for feasible solutions. A 2-tuple is utilized as the uniform representation base to process non-homogeneous information. Finally, a case study for the CNC TGK46100 is provided to illustrate the effectiveness of the proposed method. Throughout the analysis, carbon benefit is increased by 1 to 2.83 times, and computing efficiency is increased by 68.57% and 61.27% over an advanced ant colony algorithm and genetic algorithm respectively.

WANG Wei,WEI Tao,LUO Hai-ning

DOI: https://doi.org/10.3321/j.issn:1002-8331.2007.16.029

2007-01-01

Computer Engineering and Applications Journal

Abstract:The first step of directly analyzing security vulnerabilities of an executable program is to obtain a structural intermediate representation of its binary code.This paper explores application of flow analysis in assembler understanding,and introduces a lightweight prototype of assembler structural representation tool that we implemented on Linux,named BESTAR.The system uses control flow analysis and data flow analysis techniques to identify common control structures,analyzes executive flow of a program,reconstruct expressions and functions,finds data dependency,finally transforms the assembler into a structural and easy-understanding intermediate language program and makes a good preparation for further security analysis.

Tao Wei,Jian Mao,Wei Zou,Yu Chen

DOI: https://doi.org/10.1109/COMPSAC.2007.203

2007-01-01

Abstract:One of the major challenges of control flow analysis in decompilation is to structure 2-way branches into conditionals, loop conditionals and switches. In this paper, we propose a graph-based method to formally describe structures of 2-way branches via the introduction of concepts called "compound branch subgraph" and "cascade branch subgraph". We then present novel structuring algorithms based on such concepts. Compared with previous works, our algorithms are deterministic rather than heuristic, and they do not use complicated data structures such as Interval/DSG. We show that in theory our algorithm is more accurate and efficient than typical current approaches; furthermore, we have applied the algorithm to several real-world binary executables, and experimental results validate such theoretical analysis.

Robin David,Sébastien Bardin,Jean-Yves Marion

DOI: https://doi.org/10.48550/arXiv.1612.05675

2016-12-17

Abstract:Software deobfuscation is a crucial activity in security analysis and especially, in malware analysis. While standard static and dynamic approaches suffer from well-known shortcomings, Dynamic Symbolic Execution (DSE) has recently been proposed has an interesting alternative, more robust than static analysis and more complete than dynamic analysis. Yet, DSE addresses certain kinds of questions encountered by a reverser namely feasibility questions. Many issues arising during reverse, e.g. detecting protection schemes such as opaque predicates fall into the category of infeasibility questions. In this article, we present the Backward-Bounded DSE, a generic, precise, efficient and robust method for solving infeasibility questions. We demonstrate the benefit of the method for opaque predicates and call stack tampering, and give some insight for its usage for some other protection schemes. Especially, the technique has successfully been used on state-of-the-art packers as well as on the government-grade X-Tunnel malware -- allowing its entire deobfuscation. Backward-Bounded DSE does not supersede existing DSE approaches, but rather complements them by addressing infeasibility questions in a scalable and precise manner. Following this line, we propose sparse disassembly, a combination of Backward-Bounded DSE and static disassembly able to enlarge dynamic disassembly in a guaranteed way, hence getting the best of dynamic and static disassembly. This work paves the way for robust, efficient and precise disassembly tools for heavily-obfuscated binaries.

Cryptography and Security,Software Engineering

ZHANG Yi-chi,PANG Jian-min,ZHAO Rong-cai,HAN Xiao-su

2009-01-01

Abstract:Malware writers make use of exception return of subroutine to evade detecting by malware detectors.To crack the technique,this paper proposes a novel disassembly algorithm.This algorithm decodes an executable file twice and emulates the operations on memory stack.Through this twice-decoding and emulation process,this algorithm can be used to recognize exception returns and thus ensure the correctness of a decoding process.Compared with two commonly used disassemblers IDAPro and OBJDump,this algorithm is better at identifying this kind of exception and improves the rate of disassembly.

He SUN,Lifa WU,Zheng HONG,Huiying YAN,Yafeng ZHANG

DOI: https://doi.org/10.3969/j.issn.1000-3428.2017.03.027

2017-01-01

Abstract:Extracting a complete and accurate function call graph is the foundation of malware similarity analysis based on function call graph.This paper proposes a malware function call graph extraction method which integrates both dynamic and static analysis methods.It extracts executable path of malicious programs on the basis of static disassembly,and an active discovery strategy of hidden information is used to find out the hidden instructions and function calls in the malware.A dynamic feedback mechanism is used to ensure the information synchronization during the process of static and dynamic analysis.The experimental results show that the proposed method can deal with all kinds of reverse analysis technologies and extract a complete and accurate function call graph from malwares.

Yuan Xinyu,Li Ying,Deng Shuiguang,Cheng Jie

DOI: https://doi.org/10.1080/10798587.2011.10643220

2011-01-01

Abstract:The Affine partitioning framework, which unifies many useful program transforms such as unimodular transformations, loop fusion, fission, scaling, reindexing, and statement reordering, has been proved to be successful in automatic discovery of the loop-level parallelization in programs. The affine partition algorithm was improved from the aspects of compile-time and runtime efficiency in this paper. Firstly, it improves compile-time speed of affine partition algorithm by using of generalized GCD test which is a basic dependence testing algorithm. This paper proved that generalized GCD test has a strong relationship with affine partition algorithm which can improve the compiling speed of the affine partition algorithm. Secondly, a method is put forward to select an optimal solution among the infinite legal solutions of the affine partition algorithm which ensures the minimum communication volume and the simplified processor space expression. Proved by experiments, the two innovations mentioned above can promote the compile-time and runtime efficiency of the affine partition algorithm.