Polymorphic type inference for machine code

Noonan, Matthew; Loginov, A. A.; Cok, David R.

doi:10.1145/2980983.2908119

Cited by 12 publications

(17 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This program takes as a parameter a variable with type (struct) pointer, which is represented as [ebp + 8] in assembly codes and whose related instructions are listed in Figure 2. According to the standard typing rules for assembly codes [2], [6], the first 6 related instructions infer that the type of [ebp + 8] should be a type of size 32, while the last instruction suggests that the type of [ebp + 8] is int. Accordingly, both the types recovered for [ebp + 8] by Hex-Rays and Snowman are int, which is incorrect.…”

Section: Motivating Examplesmentioning

confidence: 99%

“…Consider (the stack frame of) a general function. In CDECL and STDCALL conventions, parameters and local variables are always accessed through address expressions of the form "[ebp + offset]" and "[ebp -offset]", respectively, where ebp is the stack base pointer register 2 . While in FASTCALL convention, the first two parameters are passed by the registers ecx and edx, the other parameters and local variables are handled as the same as the conventions above.…”

Section: B Binary Analysismentioning

confidence: 99%

“…Lots of research works on binary type inference have been carried out, such as Hex-Rays [1], Retypd [2], REWORD [3], SecondWrite [4], SmartDec [5], TIE [6] , and so on. However, most of them tend to resort to program analysis techniques, which are often too conservative to infer types with high accuracy.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Type Learning for Binaries and Its Applications

Cheng

Qin

2019

IEEE Trans. Rel.

View full text Add to dashboard Cite

Binary type inference is a challenging problem due partly to the fact that during the compilation much type-related information has been lost. Most existing research work resorts to program analysis techniques, which can be either too heavyweight to be viable in practice or too conservative to be able to infer types with high accuracy. In this work, we propose a new approach to learning types for binary code. Motivated by "duck typing", our approach learn types for recovered variables from their features and properties (e.g., related representative instructions). We first use machine learning to train a classifier with basic types as its levels from binaries with debugging information. The classifier is then used to learn types for new, unseen binaries. While for composite types, such as pointer and struct, a points-to analysis is performed. Finally, several experiments are conducted to evaluate our approach. The results demonstrate that our approach is more precise, both in terms of correct types and compatible types, than the commercial tool Hey-Rays, the open source tool Snowman and a recent tool EKLAVYA using machine learning. We also show that the type information our proposed system learns is capable of helping detect malware.

show abstract

Section: Motivating Examplesmentioning

confidence: 99%

Section: B Binary Analysismentioning

confidence: 99%

See 1 more Smart Citation

Type Learning for Binaries and Its Applications

Cheng

Qin

2019

IEEE Trans. Rel.

View full text Add to dashboard Cite

show abstract

“…Whenever one of the sides from an expression E⊕E ′ or E = E ′ is ranked as p and the other as n, e.g., M (E) = p and M (E ′ ) = n, we say that this expressions is inconsistent. A constraint associated with an inconsistent expression must be dropped, otherwise it will trigger an incompatible unification (called over-unification by Noonan et al [Noonan et al 2016]). Since this elimination occurs during generation stage, the effect to the solver is that the constraint never existed.…”

Section: Bin_optr Is the Assignment Expression(=)mentioning

confidence: 99%

“…On the contrary, we are trying to reconstruct them. Noonan et al [Noonan et al 2016] provide a type inference algorithm for machine code that relates to our work. Their tool, Retypd, works in a two-phase approach: 1) a sound inference algorithm constructed over a type-system richer and more powerful than the actual C type-system; 2) a heuristic-based translation mechanism that converts types from such type-system to C source.…”

Section: Related Workmentioning

confidence: 99%

Inference of static semantics for incomplete C programs

Melo

Ribeiro

Araújo

et al. 2017

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

Incomplete source code naturally emerges in software development: during the design phase, while evolving, testing and analyzing programs. Therefore, the ability to understand partial programs is a valuable asset. However, this problem is still unsolved in the C programming language. Difficulties stem from the fact that parsing C requires, not only syntax, but also semantic information. Furthermore, inferring types so that they respect C's type system is a challenging task. In this paper we present a technique that lets us solve these problems. We provide a unification-based type inference capable of dealing with C intricacies. The ideas we present let us reconstruct partial C programs into complete well-typed ones. Such program reconstruction has several applications: enabling static analysis tools in scenarios where software components may be absent; improving static analysis tools that do not rely on build-specifications; allowing stub-generation and testing tools to work on snippets; and assisting programmers on the extraction of reusable data-structures out of the program parts that use them. Our evaluation is performed on source code from a variety of C libraries such as GNU's Coreutils, GNULib, GNOME's GLib, and GDSL; on implementations from Sedgewick's books; and on snippets from popular open-source projects like CPython, FreeBSD, and Git.

show abstract

Learning Types for Binaries

Cheng

Qin

2017

Formal Methods and Software Engineering

View full text Add to dashboard Cite

Type inference for Binary codes is a challenging problem due partly to the fact that much type-related information has been lost during the compilation from high-level source code. Most of the existing research on binary code type inference tend to resort to program analysis techniques, which can be too conservative to infer types with high accuracy or too heavyweight to be viable in practice. In this paper, we propose a new approach to learning types for recovered variables from their related representative instructions. Our idea is motivated by "duck typing", where the type of a variable is determined by its features and properties. Our approach first learns a classifier from existing binaries with debug information and then uses this classifier to predict types for new, unseen binaries. We have implemented our approach in a tool called BITY and used it to conduct some experiments on a well-known benchmark coreutils (v8.4). The results show that our tool is more precise than the commercial tool Hey-Rays, both in terms of correct types and compatible types. 1 Introduction Binary code type inference aims to infer a high-level typed variables from executables, which is required for, or significantly benefits, many applications such as decompilation, binary code rewriting, vulnerability detection and analysis, binary code reuse, protocol reverse engineering, virtual machine introspection, game hacking, hooking, malware analysis, and so on. However, unlike high-level source codes, binary code type inference is challenging because, during compilation, much program information is lost, particularly, the variables that store the data, and their types, which constrain how the data are stored, manipulated, and interpreted. A significant amount of research has been carried out on binary code type inference, such as REWORD [1], TIE [2] , SmartDec [3], SecondWrite [4], Retypd [5] and Hex-Rays [6]. Most of them resort to program analysis techniques, which are often too conservative to infer types with high accuracy. For example, for a memory byte (i.e., a variable) that is only used to store 0 and 1, most existing tools, such as SmartDec and Hex-Rays, recover the type char or byte t (i.e., a type for bytes), which is clearly either incorrect or too conservative. Moreover, some of them are too heavyweight to use in practice, for example, in the sense that they may generate too many constraints to solve for large-scale programs.

show abstract

Polymorphic type inference for machine code

Cited by 12 publications

References 29 publications

Type Learning for Binaries and Its Applications

Type Learning for Binaries and Its Applications

Inference of static semantics for incomplete C programs

Learning Types for Binaries

Contact Info

Product

Resources

About