Partial evaluation of machine code

SrinivasanVenkatesh,; RepsThomas,

doi:10.1145/2858965.2814321

Cited by 5 publications

(20 citation statements)

References 48 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…By repeating steps (1), (2), and (3) on different straight-line instruction sequences in a binary, one can produce an optimized binary. Note that if one has a machine-code synthesizer for performing step (3), one can use different analyses and transformation mechanisms in step (2) to build different semantics-based binary rewriters (e.g., partial evaluators [Srinivasan and Reps 2015a], slicers , binary translators [Bansal and Aiken 2008], etc. ).…”

Section: Overview Of Mcsynth++mentioning

confidence: 99%

“…Binary rewriting becomes particularly important if one wishes to modify the functionality of a binary that lacks source code and/or the compiler toolchain used to build the binary. Binary rewriting can be done for purposes of software reuse (e.g., slicing , partial evaluation [Srinivasan and Reps 2015a], binary translation [Bansal and Aiken 2008]), optimization (e.g., superoptimization [Bansal and Aiken 2006]), and software security (e.g., binary hardening [Abadi et al 2005;Erlingsson and Schneider 1999;Slowinska et al 2012]).…”

Section: Introductionmentioning

confidence: 99%

“…Recently [Srinivasan and Reps 2015b], it has been observed that a machine-code synthesizer 1 can be used to create a general framework for semantics-based binary rewriting (see §2.2), and one can instantiate the framework with different analyses to create different rewriters, such as partial evaluators [Srinivasan and Reps 2015a] and slicers . A machine-code synthesizer is a tool that synthesizes a straight-line instruction sequence that implements a semantic specification of the desired behavior, which is often given as a formula in QFBV.…”

Section: Introductionmentioning

confidence: 99%

“…Consequently, if a binary-rewriter client supplies a formula as input to McSynth++, the client has to wait several minutes or hours before McSynth++ finds an implementation. This delay might not be tolerable for a client that has to invoke the synthesizer multiple times to rewrite an entire binary, e.g., a machine-code partial evaluator [Srinivasan and Reps 2015a].…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Model-assisted machine-code synthesis

Srinivasan

Vartanian

Reps

2017

Proc. ACM Program. Lang.

Self Cite

View full text Add to dashboard Cite

Binary rewriters are tools that are used to modify the functionality of binaries lacking source code. Binary rewriters can be used to rewrite binaries for a variety of purposes including optimization, hardening, and extraction of executable components. To rewrite a binary based on semantic criteria, an essential primitive to have is a machine-code synthesizer-a tool that synthesizes an instruction sequence from a specification of the desired behavior, often given as a formula in quantifier-free bit-vector logic (QFBV). However, state-of-the-art machine-code synthesizers such as McSynth++ employ naïve search strategies for synthesis: McSynth++ merely enumerates candidates of increasing length without performing any form of prioritization. This inefficient search strategy is compounded by the huge number of unique instruction schemas in instruction sets (e.g., around 43,000 in Intel's IA-32) and the exponential cost inherent in enumeration. The effect is slow synthesis: even for relatively small specifications, McSynth++ might take several minutes or a few hours to find an implementation. In this paper, we describe how we use machine learning to make the search in McSynth++ smarter and potentially faster. We converted the linear search in McSynth++ into a best-first search over the space of instruction sequences. The cost heuristic for the best-first search comes from two models-used togetherbuilt from a corpus of ⟨QFBV-formula, instruction-sequence⟩ pairs: (i) a language model that favors useful instruction sequences, and (ii) a regression model that correlates features of instruction sequences with features of QFBV formulas, and favors instruction sequences that are more likely to implement the input formula. Our experiments for IA-32 showed that our model-assisted synthesizer enables synthesis of code for 6 out of 50 formulas on which McSynth++ times out, speeding up the synthesis time by at least 526×, and for the remaining formulas, speeds up synthesis by 4.55×. CCS Concepts: • Software and its engineering → Automatic programming; • Computing methodologies → Supervised learning by regression;

show abstract

Section: Overview Of Mcsynth++mentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Model-assisted machine-code synthesis

Srinivasan

Vartanian

Reps

2017

Proc. ACM Program. Lang.

Self Cite

View full text Add to dashboard Cite

show abstract

“…• convert instructions in the binary to QFBV formulas, • use analysis results to transform QFBV formulas, and • use MCSYNTH to produce an instruction sequence that implements each transformed formula. Examples of semantics-based binary rewriters that can be created using the above recipe include offline optimizers, partial evaluators [25], slicers [27], and binary translators [5]. For example, the machine-code partial evaluator WIPER [25] specializes the QFBV formulas of instructions with respect to a static partial state, and uses MCSYNTH to produce residual instructions from the specialized formulas.…”

Section: Machine-code Synthesis Using Mcsynthmentioning

confidence: 99%

Speeding up machine-code synthesis

Srinivasan

Sharma

Reps

2016

Proceedings of the 2016 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applicatio

Self Cite

View full text Add to dashboard Cite

Machine-code synthesis is the problem of searching for an instruction sequence that implements a semantic specification, given as a formula in quantifier-free bit-vector logic (QFBV). Instruction sets like Intel's IA-32 have around 43,000 unique instruction schemas; this huge instruction pool, along with the exponential cost inherent in enumerative synthesis, results in an enormous search space for a machine-code synthesizer: even for relatively small specifications, the synthesizer might take several hours or days to find an implementation. In this paper, we present several improvements to the algorithms used in a state-of-the-art machine-code synthesizer MCSYNTH. In addition to a novel pruning heuristic, our improvements incorporate a number of ideas known from the literature, which we adapt in novel ways for the purpose of speeding up machine-code synthesis. Our experiments for Intel's IA-32 instruction set show that our improvements enable synthesis of code for 12 out of 14 formulas on which MCSYNTH times out, speeding up the synthesis time by at least 1981X, and for the remaining formulas, speeds up synthesis by 3X.

show abstract