DOU Zeng-jie,WANG Zhen-yu,YAO Wei-ping,WANG Rui-min

DOI: https://doi.org/10.16208/j.issn1000-7024.2010.12.041

2010-01-01

Abstract:To ensure simplicity and stringentness of analyzing executable code,a design method of a simple assembly language inter-mediate representation(SAIR) for executable code is presented.Firstly,according to the characteristic of the assembly language in-structions,SAIRs’ syntactic is given and its structural operational semantics is described in detail.Then,the assembly instructions are classified and the mapping relation of assembly code with the SAIR is established.The assembly code may simplify into SAIR through the mapping relations.Finally,the example of an assembly code transform into SAIR is given.The presented SAIR avoids the complexity of various CPU instruction systems and their addressing mechanisms and does not concern details related with target platforms.SAIR enjoys good readability,which means easily comprehensible and improved analysis efficiency.

Wang Chunlei,Zhao Gang,Dai Yiqi

DOI: https://doi.org/10.1109/ICCSIT.2009.5234950

2009-01-01

Abstract:This paper proposes a control flow based security analysis approach for binary executables. Through deeply investigating the theory of control flow security, we develop the Control Flow Security Model (CFSM) which includes the formal definitions for program semantics and security properties for control flow. CFSM specifies that program execution dynamically follows only certain paths, in accordance with a statically declared security properties specified as Control Flow Constraint Specification (CFCS). We have proposed an efficient control flow security analysis algorithm for verifying that a particular control flow model satisfies the associated security properties. Our work contributes to bridging the gap between abstract specifications of control flow security properties and actual control flow security analysis for binary executables. The effectiveness and the practical usefulness of the approach are exemplified by an illustrative analysis of heap overflow vulnerability.

Ye ZHANG,Yuliang LU

DOI: https://doi.org/10.11772/j.issn.1001-9081.2017.12.3581

2018-01-01

Abstract:Programmable Logic Controller (PLC) is one of the most important components of industrial control system,which controls varieties of physical equipments and production processes.The faults of PLC control program caused by malicious tempering of attacker and programming errors of internal personnel will seriously threaten equipment safety and personal safety in industrial field.In order to solve this problem,a control flow analysis method of PLC program was proposed.Firstly,the lexical and syntactic structure of source code were analyzed by using flex and bison.Then,the intermediate representation without instruction side effects was generated and optimized by analyzing the Abstract Syntax Tree (AST).Finally,the basic blocks were divided on the basis of intermediate representation,and the control flow graph of the program was constructed by taking basic block as the basic unit.The experimental results show that,the proposed method can restore the control flow structure of PLC program in the form of statement table,and provide the basis for program understanding and security analysis.

WANG Wei,WEI Tao,LUO Hai-ning

DOI: https://doi.org/10.3321/j.issn:1002-8331.2007.16.029

2007-01-01

Computer Engineering and Applications Journal

Abstract:The first step of directly analyzing security vulnerabilities of an executable program is to obtain a structural intermediate representation of its binary code.This paper explores application of flow analysis in assembler understanding,and introduces a lightweight prototype of assembler structural representation tool that we implemented on Linux,named BESTAR.The system uses control flow analysis and data flow analysis techniques to identify common control structures,analyzes executive flow of a program,reconstruct expressions and functions,finds data dependency,finally transforms the assembler into a structural and easy-understanding intermediate language program and makes a good preparation for further security analysis.

Jinxin Ma,Zhoujun Li,Chaojian Hu

DOI: https://doi.org/10.1109/cicn.2012.216

2012-01-01

Abstract:Disassembly is the preparative and crucial phase in reverse engineering and it helps people obtain the high-level semantics of binaries. However, considerable obfuscation technologies are presented to prevent the binary from the disassembler for the benefit and safety consideration. Unfortunately, hackers also could disguise their malware with obfuscation to escape the detection. Therefore, substantial literatures are published to thwart the obfuscation. Without discussing which side is legitimate conceptually, the paper proposed a measure to improving the disassembly result especially for the obfuscated binaries. By adopting some brilliant thought from the preceding publications, the paper presented several solutions to improve the result. A novel technique of verification stack pointer which is utilized to distinguish the bounds of functions, moreover, bytes-based pattern matching assist the disassembler to construct intra-procedural control flow graph dramatically. An implementation is designed and developed with the technology and considerable evaluations were taken on it. An example was provided in the evaluation section and it turned out that our disassembler could perform effectively and accurately.

黄强,曾庆凯

DOI: https://doi.org/10.3969/j.issn.1000-3428.2009.13.057

2009-01-01

Abstract:An Information Flow Analysis(IFA) algorithm in source code based on Static Single Assignment(SSA) intermediate representation is proposed.The process of covert channel recognition is introduced.The algorithm is implemented by using work table based on IFA.The characteristics of time and space cost and analysis accuracy are discussed.The analysis framework is inserted into GCC compiler.Simulation experimental results show this algorithm is effective, and has the value of application.

唐和平,黄曙光,吴志勇

DOI: https://doi.org/10.3778/j.issn.1002-8331.2010.23.018

2010-01-01

Computer Engineering and Applications Journal

Abstract:In order to analyze executable file,this paper proposes a method of understanding program by data flow analysis. It firstly translates disassemble results into data flow descriptive language and gets Reach In and Out definition,builds intra-procedur data flow equations,and then solves equations to refer relation between function input and output.The method has been validated by experiment on string copy function without extra clue.

DENG Chao-guo,GU Da-wu,LI Juan-ru,SUN Ming

DOI: https://doi.org/10.3969/j.issn.1001-3695.2011.04.066

2011-01-01

Abstract:This paper proposed an approach of binary analysis based on full-system emulation and instruction-flow analysis technology.This approach ran executable binary code on a virtual machine which used full-system emulation technology,and then captured and analyzed runtime instruction-flow information to figure out this program's feature.This paper covered design and implement of such a binary code analysis system.Experiment result illustrates that it is more efficient and general to capture,extract and analyze runtime instruction-flow information by using this system.This approach is particularly effective to analyze binary code which uses anti-analysis technology.

Qian Yu,Lansheng Han,Tinghui Dong,Cai Fu,Ming Liu

2014-01-01

Abstract:General steps of analyzing malicious binary files include: Firstly, disassemble binary codes into assembly codes applicable on the current machine; Secondly, conduct analysis to all acquired assembly codes and comprehend code intents before identifying the attribution. These steps are summarized in inclusive descriptions rather than operable properties. One of the major difficulties contained is: Nowadays obfuscated code technique besets with a barrier to direct extraction for effective information from disassembled code files. This paper proposes one binary code analysis method that is generally applicable: Firstly perform an overall analysis to the binary file and complete preliminary wiping off interference information before screening out code snippets with respectively independent functions; secondly, conduct respective processing to each code snippet and achieve more independent basic behavioral units. Inter-skipping relationship within these basic behavioral units helps reestablish the fundamental logic framework of the entire snippet, or control flow graph "CFG". In return the logic framework of the entire program is deduced as well as the genuine intent of obfuscated codes. The last part of the paper carries out corresponding simulation experiment to provide supporting voice for its correctness and effectiveness.

Kai-long ZHU,YU-liang LU,Hui HUANG,Zhao-kun DENG,Yi-jie DENG

DOI: https://doi.org/10.3785/j.issn.1008-973x.2019.05.002

2019-01-01

Abstract:The construction of control flow graph (CFG) was the basis of binary program analysis. A hybrid analysis approach combining static and dynamic analysis techniques was proposed, for the problems that the static construction method cannot handle the indirect jump cases and dynamic construction methods were inefficient and not suitable for large-scale programs. The static analysis technique was used to obtain the basic control flow of the target program. Test cases generated by fuzz testing were used to dynamically analyze the target program, during which a dynamic binary instrumentation technique was used to obtain information of indirect jumps. Finally, the analysis results in the former two steps were integrated to generate CFGs. A CFG construction system CFGConstructor targeting on x86 binaries was designed and implemented based on the proposed hybrid analysis method. Experiments were carried out on the sample programs and CGC dataset to evaluate the effectiveness and efficiency. Results show that the proposed approach can construct more complete CFGs than static analysis do, and is more efficient than dynamic analysis, capable to analyze large programs.

Xinlei Yao,Jianmin Pang,Yichi Zhang,Yong Yu,Jianping Lu

DOI: https://doi.org/10.1109/mines.2012.25

2012-01-01

Abstract:Control flow obfuscation is an important way of software copyright protection, the main purpose is to make the static analysis tools produce wrong control flow graph, and then prevent malicious use of reverse engineering against software. In this paper we ropose an approach to implement control flow obfuscation using Windows structured exception handling mechanism. Programs are obfuscated by replacing branch instructions with exception code and inserting fake branch instruction after the exception code. Furthermore, exception code random technology is used to improve the resilience of the obfuscated code. Experimental results show that disassemble tools fail to identify 56.7% control flow of the obfuscated code, and have a misunderstanding of 40% control flow. The increase in program size and execute time of the obfuscated code is also modest.

吴国伟,曹厚华

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.15.019

2010-01-01

Abstract:An automatic program flow analysis method is presented,which uses static single assignment to simplify data dependence relation in program slicing,and uses a simple and fast program slicing algorithm to delete statements and control predicate which has no effect on loop control,and uses abstract interpretation to get precise program flow information automatically.Experimental results show this method is more fast than the normal method up to 25%,while keeping precision.Moreover,there is no any assume on program form,so the flow analysis method is suitable for any program form.

Aron Schnakenbeck,Robin Mroß,Marcus Völker,Stefan Kowalewski,Alexander Fay

DOI: https://doi.org/10.1109/INDIN51400.2023.10218176

2023-08-25

Abstract:The graphical modeling language GRAFCET is used as a formal specification language in industrial control design. This paper proposes a static analysis approach based on the control flow of GRAFCET using abstract interpretation to allow verification on specification level. GRAFCET has different elements leading to concurrent behavior, which in general results in a large state space. To get precise results and reduce the state space, we propose an analysis suitable for GRAFCET instances without concurrent behavior. We point out how to check for the absence of concurrency and present a flow-sensitive analysis for these GRAFCET instances. The proposed approach is evaluated on an industrial-sized example.

Programming Languages,Logic in Computer Science,Systems and Control

Zhoukai Wang,Jiong Zhang,Weigang Ma,Huaijun Wang

DOI: https://doi.org/10.1117/12.2589382

2021-01-01

Abstract:The traditional control flow diagram (CFG) only displays the overall framework of the program, but ignores its detailed control information and the complex inner structure. Programmers can hardly comprehend the whole program through traditional CFG. Therefore, an algorithm is proposed to generate a new kind of CFG with abundant details and inner structure. After parsing the compilation results of Clang static analyzer, the algorithm firstly extracts the key control information of a program, and then uses the control information to build up the basic display units. Secondly, the algorithm orders and packs these basic display units to form an intermediate XML file. Finally, the Jgraphx graphics library is introduced to parse the intermediate XML file and render the new CFG. Experiment shows that when comparing with the conventional CFG, the new CFG that drawn by the proposed algorithm can demonstrate more details, states, and data flows. The CFG drawn by the proposed algorithm can also offer strong support for complex software maintenance and testing.

马金鑫,忽朝俭,李舟军

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2011.10.003

2011-01-01

Abstract:Disassembly plays a fundamental and important role in reverse engineering.A static disassembly method based on a refining control flow graph was developed to improve disassembly accuracy and efficiency.The method slices the binary into functions and constructs an intra-procedure control flow graph for each function.Then,it extracts the real control flow graph as per graph theory and the assembly code features.This program evaluated 22 coreutils programs between these two linear sweep algorithms and is 63.2% faster than Objdump for drawing accurate control flow graphs.Therefore,it is more efficient and accurate.

M Ogawa,ZJ Hu,I Sasano

DOI: https://doi.org/10.1145/944746.944716

2003-01-01

Abstract:Program analysis is the heart of modern compilers. Most control flow analyses are reduced to the problem of finding a fixed point in a certain transition system, and such fixed point is commonly computed through an iterative procedure that repeats tracing until convergence.This paper proposes a new method to analyze programs through recursive graph traversals instead of iterative procedures, based on the fact that most programs (without spaghetti GOTO) have well-structured control flow graphs, graphs with bounded tree width. Our main techniques are; an algebraic construction of a control flow graph, called SP Term, which enables control flow analysis to be defined in a natural recursive form, and the Optimization Theorem, which enables us to compute optimal solution by dynamic programming.We illustrate our method with two examples; dead code detection and register allocation. Different from the traditional standard iterative solution, our dead code detection is described as a simple combination of bottom-up and top-down traversals on SP Term. Register allocation is more interesting, as it further requires optimality of the result. We show how the Optimization Theorem on SP Terms works to find an optimal register allocation as a certain dynamic programming.

Dai Guilan,Tian Jinlan,Zhang Suqing,Jiang Weidu

DOI: https://doi.org/10.1145/772970.772972

2003-01-01

Abstract:The design of an intermediate representation is critical to the portability of a compiler and the efficiency of code generation. In order to increase the reusability of compiler components, and to simplify the development process of compilers, the paper presents an abstract intermediate representation (AIR) that provides a concise notation for describing the abstract syntax of programming languages and the inner data structures of compilers. AIR integrates algebraic data types into the object-oriented paradigm and thus makes it have stronger expressive power, flexibility, and extensibility. AIR separates the abstract descriptions from the concrete implementation. This makes it easier to be implemented in different high-level languages and thus improves the interoperatibility of compiler components.

文勇,蔡铭,陈刚,杨子江,金星

DOI: https://doi.org/10.16208/j.issn1000-7024.2010.11.037

2010-01-01

Abstract:To effectively carry out the object code analysis and verification,a novel method of control flow and structural coverage measurement for object code verification is presented based on CPU module extension.By branch instruction function extension,along with a new module for dynamic branch target buffer,the control flow of object code is collected effectively.And then,the algorithm for control flow construction and structural coverage measurement are given respectively.Both the overhead and computation complexity are acceptable with analysis study.Competitive advantage of this method is independent of compiler and non-incursive measurement for the object code.

Bixin Li

DOI: https://doi.org/10.1145/571681.571683

2002-01-01

ACM SIGSOFT Software Engineering Notes

Abstract:Traditional information-flow analysis is mainly based on dataflow and control-flow analysis. In object-oriented program, because of pointer aliasing, inheritance, and polymorphism, information-flow analysis become very complicated. Especially, it is difficult to rely only on normal data and control-flow analysis techniques. some new approaches are required to analyze the information-flow between components in object-oriented program. In this paper, object-oriented program slicing technique is introduced. By this technique, the amount of information-flow, the width of information-flow and correlation coefficient between components can be computed. Some applications of the information-flow are also discussed and analyzed in this paper.

Yuanqiang Qiu,Qingping Tan,Jianjun Xu,Yuxiang Zhao

DOI: https://doi.org/10.1109/bmei.2015.7401567

2015-01-01

Abstract:In the space environment, a large number of cosmic rays often results in transient faults on on-board computers. And one of the main problems caused by these faults is the control flow errors in the program. This paper proposes a software-implemented control flow error detecting and correcting approach for the linear assembly named DCCLA. DCCLA firstly divides the program into loop blocks and non-loop blocks and assigns the formatted labels for the blocks. Then based on the mechanism of instructions counting, DCCLA inserts counting and comparing instructions into every block, with the purpose of detecting and correcting the control flow errors occurred inter-block and intra-block. In order to correct the data flow errors caused by the control flow errors, DCCLA backups the loop state and live variables. One advantage of DCCLA is that it can be configured flexibly according to the requirement of reliability and performance. The results of fault injection experiment shown that, the average fail rate of programs with DCCLA has decreased to 4.25% with the cost of increasing the average executing time by 41.7% and increasing the average program space by 46.7% DCCLA has the least influence on performance and space overhead and correspondingly higher reliability among three typical control flow detecting algorithms.