Extracting safe and precise control flow from binaries

Abstract: As a starting point for static program analysis a control flow graph (CFG) is needed. If only the binary executable is available, this CFG has to be reconstructed from sequences of instructions.The usual way to do this is a top-down approach: the executable's information about routines is used to split the sequence into routines, and then, each instruction is analysed for branch targets in order to compute basic block boundaries.When analysing safety critical real-time systems, safe and precise results are nee… Show more

“…Earlier work [1,5,3,7,6] has shown that data flow analysis can be used to augment the results of disassembly, but no conclusive answer was given on the best way to handle states with unresolved control flow successors during data flow analysis. Further, updating the control flow graph could render previous data flow information invalid, which would require backtracking and could cause the analysis to diverge.…”

“…The compiler literature knows the concept of link-time-and post-link-optimizers [14,7], which exploit the fact that the whole program including libraries and hand-written assembly routines can be analyzed and optimized at linktime, i.e., after all code has been translated to binary with the symbol information still present. Precise tools for determining worst case execution time (WCET) of programs running on real time systems also have to process machine code, since they need to take compiler optimizations into account, and thus face similar problems of reconstructing the control flow [1,15,5]. Other applications of binary analysis include binary instrumentation [16], binary translation [17], or profiling [4].…”

“…In Section 2.2, we already discussed the approach by De Sutter et al [7], which targets code with symbol and relocation information and uses an overapproximating unknown-node for unresolved branch targets. In his bottom-up disassembly strategy, Theiling [1] assumes architectures in which all jump targets can be computed directly form the instruction, effectively disallowing indirect jumps. For extending his method to indirect jumps, he also suggests the use of an overapproximating unknown node.…”

“…Often, data flow analysis can aid in resolving such indirect branches; however, data flow analysis already requires a precise control flow graph to work on. This seemingly paradox situation has been referred to as an inherent "chicken and egg" problem in the literature [1,2].…”

An Abstract Interpretation-Based Framework for Control Flow Reconstruction from Binaries

“…Earlier work [1,5,3,7,6] has shown that data flow analysis can be used to augment the results of disassembly, but no conclusive answer was given on the best way to handle states with unresolved control flow successors during data flow analysis. Further, updating the control flow graph could render previous data flow information invalid, which would require backtracking and could cause the analysis to diverge.…”

“…The compiler literature knows the concept of link-time-and post-link-optimizers [14,7], which exploit the fact that the whole program including libraries and hand-written assembly routines can be analyzed and optimized at linktime, i.e., after all code has been translated to binary with the symbol information still present. Precise tools for determining worst case execution time (WCET) of programs running on real time systems also have to process machine code, since they need to take compiler optimizations into account, and thus face similar problems of reconstructing the control flow [1,15,5]. Other applications of binary analysis include binary instrumentation [16], binary translation [17], or profiling [4].…”

“…In Section 2.2, we already discussed the approach by De Sutter et al [7], which targets code with symbol and relocation information and uses an overapproximating unknown-node for unresolved branch targets. In his bottom-up disassembly strategy, Theiling [1] assumes architectures in which all jump targets can be computed directly form the instruction, effectively disallowing indirect jumps. For extending his method to indirect jumps, he also suggests the use of an overapproximating unknown node.…”

“…Often, data flow analysis can aid in resolving such indirect branches; however, data flow analysis already requires a precise control flow graph to work on. This seemingly paradox situation has been referred to as an inherent "chicken and egg" problem in the literature [1,2].…”

An Abstract Interpretation-Based Framework for Control Flow Reconstruction from Binaries

“…Traditional techniques for inferring worst-case execution times apply [20,7]: If a performance model for the processor is available, the actual machine code could be analysed. Otherwise, test runs can be performed for individual instructions, and upper boundaries for the worst-case execution time can be inferred.…”

Towards a Real-Time Implementation of the ECMA Common Language Infrastructure

Applying Abstract Interpretation to Demonstrate Functional Safety