rev.ng: A unified static binary analysis framework
Alessandro Di Federico, PhD student at Politecnico di Milano
LLVM developers meeting 2016
November 3, 2016
Slides: llvm.org/devmtg/2016-11/Slides/DiFederico-rev.ng.pdf
Index
Introduction
A peek inside
  Recovery of switch cases
  Function detection
Results
Conclusions
What is rev.ng?
rev.ng is a unified suite of tools for static binary analysis
Features
• Static binary translation
• Recovery of the control-flow graph
• Recovery of function boundaries
revamb: the static binary translator
1. Parse the binary and load it in memory
2. Identify all the basic blocks in the binary
3. Lift them using QEMU's tiny code generator
4. Translate the output to a single LLVM IR function
5. Recompile it
Supported architectures (diagram)
QEMU IR, LLVM IR and revamb are each shown against the same set of architectures: Alpha, ARM, AArch64, RISC-V, Hexagon, x86, x86-64, MicroBlaze, OpenRISC, MIPS, MIPS64, XCore, PowerPC, PowerPC64, SystemZ, SuperH, SPARC, SPARC64, Unicore, CRIS.
Concept mapping
Input assembly      revamb
CPU register        LLVM GlobalVariable
direct branch       direct branch
indirect branch     jump to the dispatcher
Dispatcher example
  %0 = load i32, i32* @pc
  switch i32 %0, label %abort [
    i32 0x10074, label %bb.0x10074
    i32 0x10080, label %bb.0x10080
    i32 0x10084, label %bb.0x10084
    ...
  ]
Concept mapping
Input assembly        revamb
CPU register          LLVM GlobalVariable
direct branch         direct branch
indirect branch       jump to the dispatcher
complex instruction   QEMU helper function
syscalls              QEMU Linux subsystem
We statically link all the necessary QEMU helper functions
Example: original assembly
  ldr r3, [fp, #-8]
  bl 0x1234
Example: QEMU's IR
  ldr r3, [fp, #-8]
    mov_i32 tmp5,fp
    movi_i32 tmp6,$0xfffffff8
    add_i32 tmp5,tmp5,tmp6
    qemu_ld_i32 tmp6,tmp5
    mov_i32 r3,tmp6
  bl 0x1234
    movi_i32 tmp5,$0x10088
    mov_i32 lr,tmp5
    movi_i32 pc,$0x1234
    exit_tb $0x0
Example: LLVM IR
  ldr r3, [fp, #-8]
    %1 = load i32, i32* @fp
    %2 = add i32 %1, -8
    %3 = inttoptr i32 %2 to i32*
    %4 = load i32, i32* %3
    store i32 %4, i32* @r3
  bl 0x1234
    store i32 0x10088, i32* @lr
    store i32 0x1234, i32* @pc
    br label %bb.0x1234
System overview (pipeline diagram)
md5sum.arm
  -> Collect JTs¹ from global data
  -> Lift to QEMU IR
  -> Collect JTs from direct jumps (new JT: back to lifting)
  -> Translate to LLVM IR
  -> Collect JTs from indirect jumps (new JT: back to lifting)
  -> Identify function boundaries
  -> Link runtime functions
md5sum.x86-64
¹ JT: a jump target, i.e., a basic block starting address
A peek inside: recovery of switch cases
Typical lowering of a switch on ARM
  1000: cmp r1, #5
  1004: addls pc, pc, r1, lsl #2
  1008: ...
  100c: ...
OSR Analysis
• A data-flow analysis to handle switch statements
• It considers each SSA value and tracks whether it can be expressed w.r.t. x:
  • plus an offset a
  • and a factor b
• For each basic block it tracks:
  • the boundaries of x
  • the signedness of x
An Offset Shifted Range (OSR)
Given two SSA values x and y:
  y = a + b · x, with x ∈ [c, d] or x ∉ [c, d], and x signed or unsigned
Example: the input
  1000: cmp r1, #5
  1004: addls pc, pc, r1, lsl #2
  1008: ...
  100c: ...
Example: OSRA annotations
Pseudo C:
  a = r1
  b = a - 4
  c = (b >= 4)
  if (c) {
    d = (b == 0)
    if (!d)
      return
  }
  e = a << 2
  f = e + 0x100c
  pc = f

LLVM IR, with the OSRA result for each value or block after the semicolon:
BB1:
  %1 = load i32, i32* @r1               ; [x]
  %2 = sub i32 %1, 4                    ; [x - 4]
  %3 = icmp uge i32 %1, 4               ; (x >= 4, u)
  br i1 %3, label %BB2, label %BB3
BB2:                                    ; (x >= 4, u)
  %4 = icmp eq i32 %2, 0                ; (x - 4 == 0, u), i.e. (x == 4, u)
  br i1 %4, label %BB3, label %exit
BB3:                                    ; (x <= 4, u)
  %5 = shl i32 %1, 2                    ; [4 * x]
  %6 = add i32 0x100c, %5               ; [0x100c + 4 * x]
  store i32 %6, i32* @pc

BB2 is entered only when %3 holds, so x >= 4 there. BB3 is entered from BB1 when %3 is false (x < 4) or from BB2 when %4 holds (x == 4), so its boundaries for x are the union of the two, (x <= 4, u).
Possible jump targets
[0x100c + 4 * x] with (x <= 4, u):
  0x100c + 4 * 0 = 0x100c
  0x100c + 4 * 1 = 0x1010
  0x100c + 4 * 2 = 0x1014
  0x100c + 4 * 3 = 0x1018
  0x100c + 4 * 4 = 0x101c
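The OSR data flow above, replayed as an added Python model (not rev.ng's code): an OSR is y = a + b · x, each branch edge turns an icmp on y into boundaries for x, BB3 joins the ranges of its two predecessors, and the final OSR is enumerated over that range to recover the switch targets. The class names, the unsigned-only ranges and the b > 0 restriction are assumptions of this illustration.

```python
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF  # i32 values wrap at 32 bits


@dataclass(frozen=True)
class XRange:
    """Boundaries of x in one basic block (unsigned only; the signed case is omitted)."""
    lo: int = 0
    hi: int = MASK32

    def intersect(self, o):  # both constraints hold on the same path
        return XRange(max(self.lo, o.lo), min(self.hi, o.hi))

    def union(self, o):  # either predecessor may reach the block
        return XRange(min(self.lo, o.lo), max(self.hi, o.hi))


@dataclass(frozen=True)
class OSR:
    """An SSA value expressed as y = a + b * x (b > 0 assumed)."""
    a: int = 0
    b: int = 1

    def add(self, k):
        return OSR(self.a + k, self.b)

    def sub(self, k):
        return OSR(self.a - k, self.b)

    def shl(self, n):
        return OSR(self.a << n, self.b << n)

    def _solve(self, y, round_up):
        # the x for which a + b * x reaches y, clamped to the unsigned i32 range
        num = y - self.a
        x = -(-num // self.b) if round_up else num // self.b
        return min(max(x, 0), MASK32)

    def uge(self, k):  # edge taken when y >= k (unsigned) holds
        return XRange(self._solve(k, True), MASK32)

    def ult(self, k):  # the opposite edge: y < k
        return XRange(0, self._solve(k - 1, False))

    def eq(self, k):  # edge taken when y == k: at most one x
        if (k - self.a) % self.b:
            return XRange(1, 0)  # empty range: no x satisfies it
        x = self._solve(k, False)
        return XRange(x, x)

    def targets(self, xr, limit=256):
        # enumerate a + b * x over the block's range; give up if it is unbounded
        if xr.hi - xr.lo + 1 > limit:
            return None
        return [(self.a + self.b * x) & MASK32 for x in range(xr.lo, xr.hi + 1)]


def analyze_switch_example():
    """Replay the slides' lifted switch (BB1/BB2/BB3); return (range of x in BB3, targets)."""
    x = OSR()                           # %1 = load @r1        ; [x]
    v2 = x.sub(4)                       # %2 = sub %1, 4       ; [x - 4]
    # %3 = icmp uge %1, 4 ; br %3, BB2, BB3: each edge refines the range of x
    bb2 = x.uge(4)                      # BB2: (x >= 4, u)
    bb1_to_bb3 = x.ult(4)               # edge BB1 -> BB3: (x < 4, u)
    # BB2: %4 = icmp eq %2, 0 ; br %4, BB3, exit: (x - 4 == 0), i.e. (x == 4, u)
    bb2_to_bb3 = bb2.intersect(v2.eq(0))
    # BB3 has two predecessors: (x < 4) joined with (x == 4) gives (x <= 4, u)
    bb3 = bb1_to_bb3.union(bb2_to_bb3)
    v5 = x.shl(2)                       # %5 = shl %1, 2       ; [4 * x]
    v6 = v5.add(0x100C)                 # %6 = add 0x100c, %5  ; [0x100c + 4 * x]
    return (bb3.lo, bb3.hi), v6.targets(bb3)  # store %6 -> @pc: the switch targets


if __name__ == "__main__":
    rng, tgts = analyze_switch_example()
    print("x in", rng, "-> targets", [hex(t) for t in tgts])
```

When the joined range is not bounded (no comparison on the index reaches the block), `targets` returns None and the indirect jump stays opaque, which is the case the dispatcher exists for.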
A peek inside: function detection
Generality of function detection
We don’t use any architecture-specific heuristic
The function detection process
1. Identify function calls and return instructions
2. Create a set of candidate function entry points (CFEP):
   1. called basic blocks
   2. unused code pointers in global data (e.g., not jump tables)
   3. code pointers embedded in the code
3. Compute the basic blocks reachable from each CFEP
4. Keep a CFEP only if:
   1. it's a called basic block, or
   2. it's reached by a skipping jump instruction
noreturn functions
abort, exit: we identify syscalls killing the process and trivial infinite loops
longjmp: any instruction overwriting the stack pointer with a value different from sp + value or loaded from such an address
1. Mark all these basic blocks as killer basic blocks
2. Set their successor to a common basic block, the sink
3. Compute the set of basic blocks it post-dominates
4. Mark as noreturn the CFEPs in this set
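The four steps above as an added Python model (not rev.ng's code): killer blocks are rewired into a common sink, post-dominator sets are computed by the usual maximal-fixpoint iteration, and every CFEP whose set contains the sink is noreturn. The lifted CFG, its block names and the list of killers are constructed for this illustration; as in the translated IR, a call is a plain branch to the callee's entry block.

```python
def post_dominators(succ):
    """pdom[n] = {n} ∪ ⋂ pdom[s] over successors s, iterated to a fixpoint.
    Blocks without successors are exits and post-dominate only themselves."""
    nodes = list(succ)
    pdom = {n: ({n} if not succ[n] else set(nodes)) for n in nodes}
    changed = True
    while changed:
        changed = False
        for n in nodes:
            if not succ[n]:
                continue
            new = {n} | set.intersection(*(pdom[s] for s in succ[n]))
            if new != pdom[n]:
                pdom[n], changed = new, True
    return pdom


def noreturn_cfeps(succ, killers, cfeps, sink="sink"):
    """Steps 1-4 from the slides: killers -> common sink, then the CFEPs the sink post-dominates."""
    g = {n: list(s) for n, s in succ.items()}
    for k in killers:            # steps 1+2: every killer block flows only into the sink
        g[k] = [sink]
    g[sink] = []
    pdom = post_dominators(g)    # step 3: the sink is in pdom[n] iff it post-dominates n
    return sorted(c for c in cfeps if sink in pdom[c])  # step 4


# Constructed lifted CFG: three candidate entry points and their bodies.
CFG = {
    "check":      ["check_ok", "check_fail"],  # CFEP: validates input
    "check_ok":   [],                          # returns to the caller
    "check_fail": ["die"],                     # calls die()
    "die":        ["die_exit"],                # CFEP: reports and exits
    "die_exit":   [],                          # exit syscall: a killer block
    "spin":       ["spin"],                    # CFEP: trivial infinite loop, a killer block
}
KILLERS = ["die_exit", "spin"]
CFEPS = ["check", "die", "spin"]

if __name__ == "__main__":
    print("noreturn CFEPs:", noreturn_cfeps(CFG, KILLERS, CFEPS))
```

Leaving the exit syscall out of the killer set (`noreturn_cfeps(CFG, ["spin"], CFEPS)`) makes `die` look like an ordinary exit of the function, so it is no longer reported: the killer marking is what lets the post-dominance test see through a call chain that ends in the process being killed.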
Results
Coreutils test suite results
          rev.ng                                   QEMU
          Passed    Failed due to missing code     Passed
MIPS      90.5%     0.7%                           92.0%
ARM       80.6%     0.0%                           92.7%
x86-64    92.5%     0.0%                           94.6%
Function detection
          Matched functions (%)         Jaccard index
          ARM      MIPS     x86-64      ARM      MIPS     x86-64
IDA       85.31    93.38    94.47       97.75    93.64    99.69
rev.ng    87.91    95.08    95.66       97.08    92.89    95.72
BAP       80.26    N/A      83.51       75.37    N/A      69.91
angr      97.54    92.56    93.75       51.15    63.71    83.86
Conclusions
Current status
Tested on:
• statically linked ELF binaries
• ARM, MIPS, x86-64
• uClibc and musl
Future works
• Calling convention detection and stack analysis
• Multithreading
• Try to upstream our changes to QEMU
• Measure our performance vs QEMU vs native
• Experiment with instrumentation (fuzzing?)
License
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.