Abstraction Recovery for Scalable Static Binary Analysis

Schwartz, Edward J.

01 May 2014

Many source code tools help software programmers analyze programs as they are being developed, but such tools can no longer be applied once the final programs are shipped to the user. This greatly limits users, security experts, and anyone other than the programmer who wishes to perform additional testing and program analysis. This dissertation is concerned with the development of scalable techniques for statically analyzing binary programs, which can be employed by anyone who has access to the binary. Unfortunately, static binary analysis is often more difficult than static source code analysis because the abstractions that are the basis of source code programs, such as variables, types, functions, and control flow structure, are not explicitly present in binary programs. Previous approaches work around the the lack of abstractions by reasoning about the program at a lower level, but this approach has not scaled as well as equivalent source code techniques that use abstractions. This dissertation investigates an alternative approach to static binary analysis which is called abstraction recovery. The premise of abstraction recovery is that since many binaries are actually compiled from an abstract source language which is more suitable for analysis, the first step of static binary analysis should be to recover such abstractions. Abstraction recovery is shown to be feasible in two real-world applications. First, C abstractions are recovered by a newly developed decompiler. The second application recovers gadget abstractions to automatically generate return-oriented programming (ROP) attacks. Experiments using the decompiler demonstrate that recovering C abstractions improves scalability over low-level analysis, with applications such as verification and detection of buffer overflows seeing an average of 17× improvement. Similarly, gadget abstractions speed up automated ROP attacks by 99×. Though some binary analysis problems do not lend themselves to abstraction recovery because they reason about low-level or syntactic details, abstraction recovery is an attractive alternative to conventional low-level analysis when users are interested in the behavior of the original abstract program from which a binary was compiled, which is often the case.

binary analysis

abstraction recovery

decompilation

Finding and remedying high-level security issues in binary code

Dewey, David Bryan

07 January 2016

C++ and Microsoft's Component Object Model (COM) are examples of a high- level lan- guage and development framework that were built on top of the lower-level, primitive lan- guage, C. C was never designed to support concepts like object orientation, type enforcement, and language independence. Further, these languages and frameworks are designed to com- pile and run directly on the processor where these concepts are also not supported. Other high-level languages that do support these concepts make use of a runtime or virtual machine to create a computing model to suit their needs. By forcing these high-level concepts into a primitive computing model, many security issues have been introduced. Existing binary- level security analysis tools and runtime enforcement frameworks operate at the lowest level of context. As such, they struggle to detect and remedy higher-level security issues. In this dissertation, a framework for elevating the context of binary code is presented. By bringing the context for analysis closer to where these security issues are introduced, this framework allows for higher-level analyses and enforcement frameworks to be developed.

Security

Static analysis

Binary decompilation

Vulnerability detection

Autorskoprávní ochrana počítačových programů / Copyright protection of software

Kozelka, Ondřej

January 2015

Copyright protection of computer programs This thesis deals with copyright protection of specific works of authorship - computer programs. The thesis deals with the definition of works of authorship and the conditions in which the computer program is a work of authorship, at least as a legal fiction. For the term computer program, the thesis is trying to find a suitable definition that is sufficiently general, but also accurately captures it's notion. Various known forms of expression of the computer program (source code, machine code, but also a code in an intermediate language) are described and the thesis explains, why it is appropriate to protect the computer program in any form. The thesis clarifies, why the term "software" and the term "computer program" are not identical and arbitrarily exchanging them can cause problems. Furthermore, the thesis deals with the author of the computer program and co-authorship. The next part deals with the rights of the author of the work. The exclusive rights of the author (the moral rights of the author and copyright) are discussed. The thesis describes the rights of exploitation of a computer programs, with a focus on differences againts other works of authorship. One of the rights of the author is also the right to provide an authorization to exercise the right to...

Designing an object-oriented decompiler : Decompilation support for Interactive Disassembler Pro / Design av en objekt-orienterad dekompilator : Dekompilatorstöd för Interactive Disassembler Pro

Eriksson, David

January 2002

Decompilation, or reverse compilation, takes a computer program and produces high-level code that works like the original source code. This makes it easier to understand a computer program when source code is not available. However, there are very few tools for decompilation available today. This report describes the design and implementation of Desquirr, a decompilation plug-in for Interactive Disassembler Pro. Desquirr has an object-oriented design and performs basic decompilation of programs running on Intel x86 processors. The low-level analysis uses knowledge about specialized compiler constructs, called idioms, to perform a more accurate decompilation. Desquirr implements data flow analysis, meaning the conversion from primitive machine code instructions into code in a high-level language. The major part of the data flow analysis is the Register Copy Propagation which builds high-level expressions from primitive instructions. Control flow analysis, meaning to restore high-level language constructs such as if/else and for loops, is not implemented. A high level representation of a piece of machine code contains the same information as an assembly language representation of the same machine code, but in a format that is easier to comprehend. Symbols such as ?*? and ?+? are used in high-level language expressions, compared to instructions such as ?mul? and ?add? in assembly language. Two small test cases which compares decompiled code with assembly language shows promising results in reducing the amount of information needed to comprehend a program. / Dekompilering, eller omvänd kompilering, tar ett datorprogram och omvandlar det till högnivåspråk som fungerar som den ursprungliga källkoden. Detta gör det lättare att förstå ett datorprogram när källkod inte finns tillgänglig. Det finns väldigt få verktyg för dekompilering tillgängliga idag. Den här rapporten beskriver design och implementation av Desquirr, en dekomplator-plugin för Interactive Disassembler Pro. Desquirr har en objekt-orienterad design och utför grundläggande dekompilering av program som kör på Intel x86-processorer.

decompilation

reverse engineering

program transformation

Computer Sciences

Datavetenskap (datalogi)

Software Engineering

Programvaruteknik

Reverzní inženýrství na platformách Java a Android / Reverse engineering of platforms Java and Android

Žák, Josef

January 2016

This thesis deals with reverse engineering of Android and Java. It contains a description of existing tools and techniques, including techniques of defense. The first part is focused on available research about the topic. The next part discusses usage of reverse engineering in software development. The next chapters describe Android operating system and concept of a virtual machine on both platforms. Both kinds of architectures are compared (register-based vs stack-based machine). Core of the work is focused on static analysis (content of APK file, disassembling, decompilation). Available decompilers of class and dex files are compared. Testing is made with various versions of Java. The final chapter contains techniques and tools of defense against reverse engineering including a description of pros and cons. Two popular obfuscators are tested (Proguard, DashO).

Detection of Avionics Supply Chain Non-control-flow Malware Using Binary Decompilation and Wavelet Analysis

Hill, Jeremy Michael Olivar

09 August 2021

No description available.

Computer Engineering

Computer Science

Electrical Engineering

non-control-flow Trojans

decompilation

Ghidra

wavelet analysis

discrete wavelet transform

Strukturování kódu v zadní části zpětného překladače / Code Structuring in Decompiler Back-End

Porwolik, Tomáš

January 2016

This thesis deals with a decompilation tool which converts low-level binary code to a high-level representation. This tool is being developed by AVG Technologies. The aim of this work is to design and implement a method for code structuring in the decompiler back-end. The designed method works by traversing the control-flow graph with matching of predefined patterns. It is not always possible to structure code using conditional statements and loops. Sometimes also goto statements must be used. The implemented solution is compared with the original solution in the decompiler. According to the results the new solution is faster, better tested, but in greater number of test cases generates invalid code. From the viewpoint of structuring the results are different and sometimes the code is structured better, but sometimes worse.

Generický zpětný překlad programů v bajtkódu do vyšší formy reprezentace / Generic Decompilation of Bytecode into High-Level Representation

Mrázek, Petr

January 2013

The work describes methods and principles of decompilation, basic information about reverse engineering and its use in both software engineering and engineering in general. Furthermore, it introduces the decompiler developed within the Lissom project at BUT FIT. The goal of the work is to design and implement a retargetable decompiler for bytecode, which extends the original decompiler.

Generický zpětný překlad za účelem rozpoznání chování / Generic Reverse Compilation to Recognize Specific Behavior

Ďurfina, Lukáš

January 2014

Práce je zaměřena na rozpoznávání specifického chování pomocí generického zpětného překladu. Generický zpětný překlad je proces, který transformuje spustitelné soubory z různých architektur a formátů objektových souborů na stejný jazyk na vysoké úrovni. Tento proces se vztahuje k nástroji Lissom Decompiler. Pro účely rozpoznání chování práce zavádí Language for Decompilation -- LfD. LfD představuje jednoduchý imperativní jazyk, který je vhodný pro srovnávaní. Konkrétní chování je dáno známým spustitelným souborem (např. malware) a rozpoznání se provádí jako najítí poměru podobnosti s jiným neznámým spustitelným souborem. Tento poměr podobnosti je vypočítán nástrojem LfDComparator, který zpracovává dva vstupy v LfD a rozhoduje o jejich podobnosti.

LLVM-IR based Decompilation

Ilsoo, Jeon

06 June 2019

No description available.

Computer Science

decompilation

decompiler

malware analysis

vulnerability detection

Low Level Language

Low Level Virtual Machine

LLVM