Evolving Exact Decompilation

Schulte, Eric; Ruchti, Jason; Noonan, Matt; Ciarletta, David; Loginov, A. A.

doi:10.14722/bar.2018.23008

Cited by 24 publications

(26 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Soundness is addressed by two recent works. Schulte et al [18] use search-based techniques to generate source-code producing byte-equivalent binaries to the original executable. This technique, when it succeeds, ensures soundness by design but it is only applied to small examples, with limited success.…”

Section: Related Workmentioning

confidence: 99%

“…In the end, TINA roughly generates one C statement per assembly instruction for the chunks of the Debian distribution. 13 "movq (%1, %0), %%mm1 \n\t" // T 14 "movq -1(%2, %0), %%mm2 \n\t" // L 15 "movq (%2, %0), %%mm3 \n\t" // X 16 "movq %%mm2, %%mm4 \n\t" // L "psubb %%mm0, %%mm2 \n\t" 18 "paddb %%mm1, %%mm2 \n\t" // L + T -LT 19 "movq %%mm4, %%mm5 \n\t" // L 20 "pmaxub %%mm1, %%mm4 \n\t" // max(T, L) 21 "pminub %%mm5, %%mm1 \n\t" // min(T, L) 22 "pminub %%mm2, %%mm4 \n\t" 23 "pmaxub %%mm1, %%mm4 \n\t" 24 "psubb %%mm4, %%mm3 \n\t" // dst -pred 25 "movq %%mm3, (%3, %0) \n\t" 26 "add $8, %0 \n\t" 27 "movq -1(%1, %0), %%mm0 \n\t" // LT 28 "cmp %4, %0 \n\t" 29 " jb 1b \n\t" 30 : "+r" (i) 31 : "r" (src1), "r" (src2), 32 "r" (dst), "r" ((x86 _ reg) w)); Sec. VII-D refers to a ffmpeg function accessing index −1 of its input buffer.…”

Section: Appendix C Additional Experiments: Size Of Produced Codementioning

confidence: 99%

“…Yet, as they mostly aim at helping reverse engineers, correctness is not their main concern. Actually, "existing decompilers frequently produce decompilation that fails to achieve full functional equivalence with the original program" [18]. Some recent works partially target this issue: Schwartz et al [19] do not demonstrate correctness (they instead measure a certain degree of it via testing), while Schulte et al [18] use a correct-bydesign but intractable (possibly non-terminating) search-based method.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Get Rid of Inline Assembly through Verification-Oriented Lifting

Recoules

Bardin

Bonichon

et al. 2019

2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE)

View full text Add to dashboard Cite

Formal methods for software development have made great strides in the last two decades, to the point that their application in safety-critical embedded software is an undeniable success. Their extension to non-critical software is one of the notable forthcoming challenges. For example, C programmers regularly use inline assembly for low-level optimizations and system primitives. This usually results in rendering state-ofthe-art formal analyzers developed for C ineffective. We thus propose TINA, the first automated, generic, verification-friendly and trustworthy lifting technique turning inline assembly into semantically equivalent C code amenable to verification, in order to take advantage of existing C analyzers. Extensive experiments on real-world code (including GMP and ffmpeg) show the feasibility and benefits of TINA.Assuming no side-effect beyond those mentioned in output operands'. 1 # 54 "/usr/include/i386-linux-gnu/sys/select.h" 2 typedef long int __ fd _ mask; 3 4 # 64 "/usr/include/i386-linux-gnu/sys/select.h" 5 typedef struct { 6 __ fd _ mask __ fds _ bits[1024 / (8 * sizeof( __ fd _ mask))]; 7 } fd _ set; 8 9 # 1074 "socklib.c" 10 int udpc _ prepareForSelect 11 (int * socks, int nr, fd _ set * read _ set) 12 { 13 / * [...] * / 14 int maxFd; 15 do { 16 int __ d0, __ d1; 17 __ asm __ __ volatile __ 18 ("cld; rep; " "stosl" 19: "=c" ( __ d0), "=D" ( __ d1) 20 : "a" (0), 21 "0" (sizeof(fd _ set) / sizeof( __ fd _ mask)), 22 void sub _ median _ pred _ mmxext(uint8 _ t * dst, uint8 _ t const * src1,

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Appendix C Additional Experiments: Size Of Produced Codementioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Get Rid of Inline Assembly through Verification-Oriented Lifting

Recoules

Bardin

Bonichon

et al. 2019

2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE)

View full text Add to dashboard Cite

show abstract

“…One obvious way to circumvent the problem of missing sources, is to decompile all such functions back to source code. There have been many attempts at decompiling assembly code to source code, both specifically to timing analysis and as a general tool [17]. However, the decompiled code is typically less precise than the original, due to the information that is lost during compilation [9].…”

Section: The Decompilation Workaroundmentioning

confidence: 99%

“…However, this puts more burden on the decompiler, terms of how it is allowed to reconstruct source control flows from binary ones. Moreover, the decompiler must be sound itself, which appears to be difficult with available tools [17].…”

Section: Comparison Of Approachesmentioning

confidence: 99%

Imprecision in WCET estimates due to library calls and how to reduce it (WIP paper)

Becker¹,

Chakraborty²,

Metta

et al. 2019

Proceedings of the 20th ACM SIGPLAN/SIGBED International Conference on Languages, Compilers, and Tools for Embedded Systems

View full text Add to dashboard Cite

One of the main difficulties in estimating the Worst Case Execution Time (WCET) at the binary level is that machine instructions do not allow inferring call contexts as precisely as source code, since compiler optimizations obfuscate control flow and type information. On the other hand, WCET estimation at source code level can be precise in tracking call contexts, but it is pessimistic for functions that are not available as source code. In this paper we propose approaches to join binary-level and source-level analyses, to get the best out of both. We present the arising problems in detail, evaluate the approaches qualitatively, and highlight their trade-offs.

show abstract