An Abstract Interpretation-Based Framework for Control Flow Reconstruction from Binaries

Kinder, Johannes; Zuleger, Florian; Veith, Helmut

doi:10.1007/978-3-540-93900-9_19

Cited by 68 publications

(53 citation statements)

References 20 publications

(44 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Defining an analysis that is able to deal with indirect jumps is non-obvious, though, so in earlier work [15] we proposed a generic framework for control flow reconstruction that is parameterized by an over-approximate data flow analysis for a simplified language without indirect jumps. In the following, we provide a new and more flexible formalization of low-level control flow as a parameterized semantics that allows to define concrete, under-, and over-approximating semantics in common terms.…”

Section: Parameterized Semantics For Low-level Control Flowmentioning

confidence: 99%

“…The fixpoint of the fully instantiated over-approximate semantics can be computed using chaotic iteration over the locations in the partial CFG, which yields the algorithm for static control flow reconstruction [15]. The resulting CFG over-approximates the concrete CFG, i.e., is a superset of its edges.…”

Section: Over-approximate Semanticsmentioning

confidence: 99%

“…The transfer relation −→ of the parameterized semantics is monotonic in its original form [15], i.e., ∀S 1 , S 1 , S 2 , S 2 :…”

Section: Theorem 1 (Termination)mentioning

confidence: 99%

“…The major problem in computing a CFG for low-level machine code lies in the treatment of indirect branches, i.e., instructions such as jmp eax, whose targets are computed at runtime. In earlier work [15,14], we showed how abstract interpretation [7] of machine code coupled with on the fly disassembly can compute an over-approximation of the concrete CFG: starting with an empty CFG, data flow information is propagated one instruction at a time. On encountering an indirect branch instruction, possible targets are computed from the partial data flow information and added to the CFG as new edges.…”

Section: Introductionmentioning

confidence: 99%

“…In Section 4, we show how this semantics can be instantiated to obtain (i) the concrete semantics of a low-level language, (ii) our existing over-approximate control flow reconstruction [15], and (iii) a purely under-approximate control flow reconstruction. -Based on these definitions, we present a combined over-and under-approximation as an instance of our framework (Section 5).…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Alternating Control Flow Reconstruction

Kinder

Kravchenko

2012

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Unresolved indirect branch instructions are a major obstacle for statically reconstructing a control flow graph (CFG) from machine code. If static analysis cannot compute a precise set of possible targets for a branch, the necessary conservative over-approximation introduces a large amount of spurious edges, leading to even more imprecision and a degenerate CFG. In this paper, we propose to leverage under-approximation to handle this problem. We provide an abstract interpretation framework for control flow reconstruction that alternates between over-and under-approximation. Effectively, the framework imposes additional preconditions on the program on demand, allowing to avoid conservative over-approximation of indirect branches. We give an example instantiation of our framework using dynamically observed execution traces and constant propagation. We report preliminary experimental results confirming that our alternating analysis yields CFGs closer to the concrete CFG than pure over-or under-approximation.

show abstract

Section: Parameterized Semantics For Low-level Control Flowmentioning

confidence: 99%

Section: Over-approximate Semanticsmentioning

confidence: 99%

“…The transfer relation −→ of the parameterized semantics is monotonic in its original form [15], i.e., ∀S 1 , S 1 , S 2 , S 2 :…”

Section: Theorem 1 (Termination)mentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Alternating Control Flow Reconstruction

Kinder

Kravchenko

2012

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

OSMOSE: automatic structural testing of executables

Bardin

Herrmann

2011

Software Testing Verif & Rel

View full text Add to dashboard Cite

Verification is usually performed on a high‐level view of the software, either specification or program source code. However, in certain circumstances verification is more relevant when performed at the machine‐code level. This paper focuses on automatic test data generation from a stand‐alone executable. Low‐level analysis is much more difficult than high‐level analysis since even the control‐flow graph is not available and bit‐level instructions have to be modelled faithfully. The paper shows how ‘path‐based’ structural test data generation can be adapted from structured language to machine code, using both state‐of‐the‐art technologies and innovative techniques. The results have been implemented in a tool named OSMOSE and encouraging experiments have been conducted. Copyright © 2010 John Wiley & Sons, Ltd.

show abstract

Software Similarity and Classification

Cesare

Xiang

2012

SpringerBriefs in Computer Science

View full text Add to dashboard Cite

This thesis introduces the major applications related to software similarity and classification and proposes novel contributions to the theory and practice of malware detection and clone detection. The topic of software similarity and classification covers the areas of detecting software variants, clones, derivatives, and classes of software. The literature of those individual areas can be combined into a cohesive topic that we examine in a unified manner. We demonstrate that considering these applied problems as a software similarity and classification problem enables techniques to be shared between areas.

show abstract

An Abstract Interpretation-Based Framework for Control Flow Reconstruction from Binaries

Cited by 68 publications

References 20 publications

Alternating Control Flow Reconstruction

Alternating Control Flow Reconstruction

OSMOSE: automatic structural testing of executables

Software Similarity and Classification

Contact Info

Product

Resources

About