refinement based cfg reconstruction from unstructured
play

Refinement-Based CFG Reconstruction from Unstructured Programs S - PowerPoint PPT Presentation

Nov 08, 2023 •381 likes •1.15k views

Refinement-Based CFG Reconstruction from Unstructured Programs S ebastien Bardin, Philippe Herrmann, Franck V edrine CEA LIST (Paris, France) Bardin, S., Herrmann, P., V edrine, F. 1/ 49 Binary code analysis Bardin, S., Herrmann,

  1. Refinement-Based CFG Reconstruction from Unstructured Programs S´ ebastien Bardin, Philippe Herrmann, Franck V´ edrine CEA LIST (Paris, France) Bardin, S., Herrmann, P., V´ edrine, F. 1/ 49

  2. Binary code analysis Bardin, S., Herrmann, P., V´ edrine, F. 2/ 49

  3. Binary code analysis at a glimpse Recent renew interest [Codesurfer/x86, SAGE, Jakstab, Osmose, TraceAnalyzer, McVeto, Vine, BAP] Many promising applications off-the-shelf components (including libraries) mobile code (including malware) third-party certification Advantages over source-code analysis always available no “compilation gap” allows precise quantitative analysis (ex : wcet) Very challenging conceptual challenges practical issues Bardin, S., Herrmann, P., V´ edrine, F. 3/ 49

  4. Outline • A gentle introduction to binary-level program analysis • Focus : refinement-based CFG reconstruction • Conclusion and perspectives Bardin, S., Herrmann, P., V´ edrine, F. 4/ 49

  5. Main challenges of binary code analysis Low-level semantic of data Low-level semantic of control [see technical focus] Practical issues Bardin, S., Herrmann, P., V´ edrine, F. 5/ 49

  6. PB1 : Low-level semantic of data machine (integer) arithmetic overflows, flags bit-vector operations bitwise logical operations, shifts, rotate, etc. systematic usage of memory (stack) only very few variables and one single very large array up-to-date formal techniques do not adress well these issues Bardin, S., Herrmann, P., V´ edrine, F. 6/ 49

  7. PB1 : Low-level semantic of data (2) Example 1 : value analysis with machine arithmetic (8 bit) [250 .. 255] + 5 = [0 .. 4] ∪ [255] with any convex-domain : [250 .. 255] + # 5 = [0 .. 255] Example 2 : decision procedures with machine arithmetic a popular theory on integers is difference logic � i x i − y i ≤ k i reasonably expressive and in P but difference logic over modular arithmetic is NP-hard Example 3 : reified comparisons + move from memory to registers R := @100 ; Flag := cmp(R,0); assert(Flag == 1); perfect deduction after assert : Flag = 1 ∧ R = 0 ∧ @100 = 0 standard forward deduction after assert : Flag = 1 Bardin, S., Herrmann, P., V´ edrine, F. 7/ 49

  8. PB2 : Low-level semantic of control No clear distinction between data and control No clean encapsulation of procedure calls Dynamic jumps ( goto R0 ) [the enemy !] And others : instruction overlapping, self-modifying code Recovering the Control Flow Graph (CFG) is already non-trivial Bardin, S., Herrmann, P., V´ edrine, F. 8/ 49

  9. PB3 : Practical issues Engineering issue : many different (large) ISAs supporting a new ISA : time-consuming, error-prone, tedious consequence : each tool support only a few ISAs (often one !) Semantic issue : each tool comes with its own formal( ?) model exact semantics seldom available modelling hypothesises often unclear Consequences lots of redundant engineering work between analysers difficult to achieve empiric comparisons difficult to combine / reuse tools Bardin, S., Herrmann, P., V´ edrine, F. 9/ 49

  10. A renew of interest since 2000’s CFG reconstruction [Reps et al.] [Kinder et al.] [Brauer et al.] [BHV] variables and types recovery [Reps et al.] test data generation [Godefroid et al.] [BH] malware analysis and other security analyses [Song et al.] semantics [Reps et al.] [Bardin et al.] [Brumley et al.] dedicated Dagstuhl seminar in 2012 Bardin, S., Herrmann, P., V´ edrine, F. 10/ 49

  11. More or less related topics Analysis of low-level C programs many low-level constructs : *f , longjump , stack overflow, etc. BUT ◮ ANSI-C forbids most of the nasty behaviours ◮ most analyzers consider a very nice subset of C Analysis of Java bytecode Java byte-code is very high level ◮ strong static typing for primitive types ◮ clean functional abstraction ◮ very restricted dynamic jumps Analysis of assembly languages should be the same than binary code but often rely on very optimistic assumptions ◮ no hidden instruction, sets of dynamic jumps known in advance, call/return policy Bardin, S., Herrmann, P., V´ edrine, F. 11/ 49

  12. Binary-level program analysis at CEA Osmose [ICST-08,ICST-09,STVR-11] automatic test data generation (dynamic symbolic execution) bitvector reasoning [TACAS-10] front-ends : PPC, M6800, Intel c509 TraceAnalyzer [VMCAI-11] [see technical focus] safe CFG reconstruction (refinement-based static analysis) front-end : PPC Dynamic Bitvector Automata [CAV-11] concise formal model for binary code analysis basic tool support : OCaml type, XML DTD safe DBA reduction Bardin, S., Herrmann, P., V´ edrine, F. 12/ 49

  13. Outline • A gentle introduction to binary-level program analysis • Focus : Refinement-based CFG reconstruction • Conclusion and perspectives Bardin, S., Herrmann, P., V´ edrine, F. 13/ 49

  14. CFG recovery A key issue for binary-level program analysis prior to any other static analysis (SA) must be safe : otherwise, other SA unsafe must be precise : otherwise, other SA imprecise Our approach [VMCAI-11] safe, precise, efficient and robust technique based on abstraction-refinement Bardin, S., Herrmann, P., V´ edrine, F. 14/ 49

  15. CFG reconstruction Input an executable file, i.e. an array of bytes the address of the initial instruction a basic decoder : exec f. × address �→ instruction × size Output : CFG of the program Bardin, S., Herrmann, P., V´ edrine, F. 15/ 49

  16. CFG reconstruction (2) Successor addresses are often syntactically known � addr: move a b � → � addr: goto 100 � → � addr: ble 100 � → Bardin, S., Herrmann, P., V´ edrine, F. 16/ 49

  17. CFG reconstruction (2) Successor addresses are often syntactically known � addr: move a b � → successor at addr+size � addr: goto 100 � → successor at 100 � addr: ble 100 � → successors at 100 and addr+size Bardin, S., Herrmann, P., V´ edrine, F. 16/ 49

  18. CFG reconstruction (2) Successor addresses are often syntactically known � addr: move a b � → successor at addr+size � addr: goto 100 � → successor at 100 � addr: ble 100 � → successors at 100 and addr+size But not always : successors of � addr: goto a � ? Bardin, S., Herrmann, P., V´ edrine, F. 16/ 49

  19. CFG reconstruction (2) Successor addresses are often syntactically known � addr: move a b � → successor at addr+size � addr: goto 100 � → successor at 100 � addr: ble 100 � → successors at 100 and addr+size But not always : successors of � addr: goto a � ? Dynamic jump is the enemy ! Bardin, S., Herrmann, P., V´ edrine, F. 16/ 49

  20. Know your enemy Dynamic jumps are pervasive [introduced by compilers] switch , function pointers, virtual methods, etc. Sets of jump targets lack regularity [arbitrary values from compiler] convex sets plus congruence information are not well-suited False jump targets cannot be easily detected almost any address in an exec. file correspond to a legal instruction no pragmatic trick like “detect pb - warn user - correct value” Bardin, S., Herrmann, P., V´ edrine, F. 17/ 49

  21. Unsafe approaches to CFG recovery ... current industrial practise ... Linear sweep decoding [brute force] decode instructions at each code address • miss every “dynamic” edge of the CFG • may still miss instructions [too optimistic hypothesises] Recursive traversal decode recursively from entry point, stop on dynamic jump • miss large parts of CFG Bardin, S., Herrmann, P., V´ edrine, F. 18/ 49

  22. Safe CFG recovery VA and CFG reconstruction must be interleaved Very difficult to get precise : imprecision on jumps in VA → imprecision on CFG → more propagation / imprecision on VA → . . . Bardin, S., Herrmann, P., V´ edrine, F. 19/ 49

  23. Existing safe approaches CodeSurfer/x86 [Balakrishnan-Reps 04,05,07,...] abstract domain : strided intervals (+ affine relationships) • imprecise : abstract domain not suited to sets of jump targets (arbitrary values from compiler) • in practise many false targets Jakstab [Kinder-Veith 08,09,10] abstract domain : sets of bounded cardinality (k-sets) precise when the bound k is well-tuned • not robust to the parameter k : possibly inefficient if k too large, very imprecise if k not large enough Bardin, S., Herrmann, P., V´ edrine, F. 20/ 49

  24. Our work Key observations k-sets are the only domain well-suited to precise CFG reconstruction for most programs, only a few facts need to be tracked precisely to resolve dynamic jumps good candidate for abstraction-refinement Contribution [VMCAI 2011] A refinement-based approach dedicated to CFG reconstruction An implementation and a few experiments The technique is safe, precise, robust and efficient Bardin, S., Herrmann, P., V´ edrine, F. 21/ 49

  25. Formalisation Unstructured Programs : P = ( L , V , A , T , l 0 ) L ⊆ N finite set of code addresses V finite set of program variables A finite set of arrays T maps code addresses to instructions l 0 initial code address Instructions assignments v := e and a [ e 1 ] := e 2 static jumps goto l branching instructions ite ( cond , l 1 , l 2 ) dynamic jumps cgoto ( v ) Bardin, S., Herrmann, P., V´ edrine, F. 22/ 49

  26. Formalisation (2) Our problem input : an unstructured program P output : compute an invariant of P such that no dynamic target expression evaluates to ⊤ , or fail Informal requirements do not fail “too often” do not add “too many” false targets Bardin, S., Herrmann, P., V´ edrine, F. 23/ 49

Recommend

Refinement of Surface Mesh for Accurate Multi-View Reconstruction International Workshop on

Refinement of Surface Mesh for Accurate Multi-View Reconstruction International Workshop on

Introduction Depth Map Fusion Mesh Refinement Experiments Refinement of Surface Mesh for Accurate Multi-View Reconstruction International Workshop on Representation and Modeling of Large-scale 3D Environments Asian Conference on Computer

543 views • 28 slides
A new multidimensional-type reconstruction and limiting procedure for unstructured (cell-centered)

A new multidimensional-type reconstruction and limiting procedure for unstructured (cell-centered)

A new multidimensional-type reconstruction and limiting procedure for unstructured (cell-centered) FVs solving hyperbolic conservation laws Argiris I. Delis & Ioannis K. Nikolos (TUC) Department of Sciences-Division of Mathematics

1.1k views • 95 slides
Type Reconstruction for General Refinement Types Kenn Knowles University of California, Santa

Type Reconstruction for General Refinement Types Kenn Knowles University of California, Santa

Type Reconstruction for General Refinement Types Kenn Knowles University of California, Santa Cruz joint work with: Cormac Flanagan (University of California, Santa Cruz) March 25, 2007 Assertions / Refinement Types The role of assertions in

386 views • 37 slides
Single Particle Reconstruction with EMAN GroEL Methods for High Resolution Refinement Donghua

Single Particle Reconstruction with EMAN GroEL Methods for High Resolution Refinement Donghua

Single Particle Reconstruction with EMAN GroEL Methods for High Resolution Refinement Donghua Chen in Single Particle Processing Joanita Jakana Wah Chiu Steve Ludtke Jiu-Li Song (UT-SW Med) David Chuang (UT-SW Med) Asst. Professor,

291 views • 14 slides
Surface Reconstruction S. Ohrhallinger, S. Mudur and M. Wimmer 2 Surface Reconstruction Dense

Surface Reconstruction S. Ohrhallinger, S. Mudur and M. Wimmer 2 Surface Reconstruction Dense

Minimizing Edge Length to Connect Sparsely Sampled Unstructured Point Sets in 3D S. Ohrhallinger 1,2 , S. Mudur 2 and M. Wimmer 1 1 Vienna University of Technology, 2 Concordia University, Montral Surface Reconstruction S. Ohrhallinger, S.

1.08k views • 74 slides
3D RECONSTRUCTION Reconstruction method Reconstruction from images Reconstruction from video

3D RECONSTRUCTION Reconstruction method Reconstruction from images Reconstruction from video

3D RECONSTRUCTION Reconstruction method Reconstruction from images Reconstruction from video Using Kinect Raw Depth Image Infrared laser projector Monochrome CMOS sensor Demo Kinect Raw data Real-time Reconstruction Pipeline Measurement

508 views • 34 slides
SAT based Abstraction-Refinement using ILP and Machine Learning Techniques Edmund Clarke Anubhav

SAT based Abstraction-Refinement using ILP and Machine Learning Techniques Edmund Clarke Anubhav

SAT based Abstraction-Refinement using ILP and Machine Learning Techniques 1 SAT based Abstraction-Refinement using ILP and Machine Learning Techniques Edmund Clarke Anubhav Gupta James Kukula Ofer Strichman SAT based Abstraction-Refinement

822 views • 36 slides
A Refinement Based Approach to Hybrid Systems: Basics Richard Banach School of Computer Science,

A Refinement Based Approach to Hybrid Systems: Basics Richard Banach School of Computer Science,

A Refinement Based Approach to Hybrid Systems: Basics Richard Banach School of Computer Science, University of Manchester, UK Contents 1. System Development via Model Based Refinement 2. Physical Systems in General, Control Systems in

332 views • 14 slides
Refinement-Based Context-Sensitive Points-To Analysis for Java Manu Sridharan, Rastislav Bodk

Refinement-Based Context-Sensitive Points-To Analysis for Java Manu Sridharan, Rastislav Bodk

Refinement-Based Context-Sensitive Points-To Analysis for Java Manu Sridharan, Rastislav Bodk UC Berkeley PLDI 2006 1 What Does Refinement Buy You? Increased scalability: enable new clients Memory: orders of magnitude savings Time:

596 views • 18 slides
Quantum Dynamics of Systems Under Repeated Observation Reconstruction of Structure from

Quantum Dynamics of Systems Under Repeated Observation Reconstruction of Structure from

Quantum Dynamics of Systems Under Repeated Observation Reconstruction of Structure from Unstructured Perception J urg Fr ohlich (ETH Zurich) Spring, 2017 Outline We start by presenting a short summary of examples of effective

394 views • 27 slides
Schema Refinement and Normal Forms CS430/630 Lecture 16 Slides based on Database Management

Schema Refinement and Normal Forms CS430/630 Lecture 16 Slides based on Database Management

Schema Refinement and Normal Forms CS430/630 Lecture 16 Slides based on Database Management Systems 3 rd ed, Ramakrishnan and Gehrke Why Schema Refinement? We have learnt the advantages of relational tables but how to

360 views • 14 slides
Block-Based Adaptive Mesh Refinement scheme based on numerical density of entropy production for

Block-Based Adaptive Mesh Refinement scheme based on numerical density of entropy production for

Block-Based Adaptive Mesh Refinement scheme based on numerical density of entropy production for conservation laws and applications. Mehmet Ersoy 1 , Fr ed eric Golay, Lyudmyla Yushchenko, Universit e de Toulon, IMATH, and Damien Sous,

1.55k views • 102 slides
A Refinement Based Approach to Hybrid Systems: Hybrid Event-B Richard Banach School of Computer

A Refinement Based Approach to Hybrid Systems: Hybrid Event-B Richard Banach School of Computer

A Refinement Based Approach to Hybrid Systems: Hybrid Event-B Richard Banach School of Computer Science, University of Manchester, UK Contents 1. Discrete Event-B Basics 2. Example 3. Proof Obligations 4. Refinement in Event-B 5.

281 views • 25 slides
Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval

Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval

Inf1-DA 20102011 III: 51 / 89 Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval Statistical Analysis of Data: III.2 Data scales and summary statistics III.3 Hypothesis testing and correlation III.4

344 views • 17 slides
Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval

Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval

Inf1-DA 20102011 III: 68 / 91 Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval Statistical Analysis of Data: III.2 Data scales and summary statistics III.3 Hypothesis testing and correlation III.4 2

579 views • 8 slides
Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval

Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval

Inf1-DA 20102011 III: 28 / 89 Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval Statistical Analysis of Data: III.2 Data scales and summary statistics III.3 Hypothesis testing and correlation III.4

455 views • 23 slides
Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval

Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval

Inf1-DA 20102011 III: 68 / 91 Part III Unstructured Data Data Retrieval: III.1 Unstructured data and data retrieval Statistical Analysis of Data: III.2 Data scales and summary statistics III.3 Hypothesis testing and correlation III.4 2

729 views • 24 slides
Towards Refinement and Generalization of Reliability Models Based on Component States Natasha

Towards Refinement and Generalization of Reliability Models Based on Component States Natasha

Towards Refinement and Generalization of Reliability Models Based on Component States Natasha Jarus, Sahra Sedigh Sarvestani, and Ali Hurson Department of Electrical and Computer Engineering Missouri University of Science and Technology Rolla,

579 views • 26 slides
Error Type Refinement for Assurance of Families of Platform- Based Systems

Error Type Refinement for Assurance of Families of Platform- Based Systems

Error Type Refinement for Assurance of Families of Platform- Based Systems http://people.cis.ksu.edu/~samprocter Sam Procter , John Hatcliff Anura Fernando Sandy Weininger SAnToS Lab Underwriters Laboratories Food and Drug Admin. Kansas

467 views • 29 slides
a Tool based Reconstruction Algorithm for Characterising Showers (TRACS) Dom Barker, Ed Tyley,

a Tool based Reconstruction Algorithm for Characterising Showers (TRACS) Dom Barker, Ed Tyley,

a Tool based Reconstruction Algorithm for Characterising Showers (TRACS) Dom Barker, Ed Tyley, Dom Brailsford on Behalf of the SBN Shower Reconstruction Group University of Sheffield August 13, 2019 1 / 75 Introduction The SBN team has

998 views • 75 slides
CFD General Notation System (CGNS) Usage for unstructured grids Edwin van der Weide Stanford

CFD General Notation System (CGNS) Usage for unstructured grids Edwin van der Weide Stanford

CFD General Notation System (CGNS) Usage for unstructured grids Edwin van der Weide Stanford University Example Unstructured Grid 2 3 Unstructured grid storage Several possibilities to store an unstructured grid. Every element type

219 views • 19 slides
Upward Refinement for Conceptual Blending in Description Logic An ASP-based Approach and Case

Upward Refinement for Conceptual Blending in Description Logic An ASP-based Approach and Case

Upward Refinement for Conceptual Blending in Description Logic An ASP-based Approach and Case Study in EL ++ Roberto Confalonieri 1 Manfred Eppe 1 , 2 Marco Schorlemmer 1 Oliver Kutz 3 Rafael Pealoza 3 Enric Plaza 1 1 IIIA-CSIC,

544 views • 28 slides
THETA: a Framework for Abstraction Refinement-Based Model Checking Tams Tth 1 , kos Hajdu

THETA: a Framework for Abstraction Refinement-Based Model Checking Tams Tth 1 , kos Hajdu

THETA: a Framework for Abstraction Refinement-Based Model Checking Tams Tth 1 , kos Hajdu 1,2 , Andrs Vrs 1,2 , Zoltn Micskei 1 , Istvn Majzik 1 1 Budapest University of Technology and Economics Department of Measurement and

786 views • 12 slides
Unstructured Data Typically refers to free text I Allows I G Keyword queries including

Unstructured Data Typically refers to free text I Allows I G Keyword queries including

Unstructured Data Management Advanced Topics in Database Management (INFSCI 2711) Textbooks: Database System Concepts - 2010 Introduction to Information Retrieval - 2008 Vladimir Zadorozhny, DINS, SCI, University of Pittsburgh Unstructured Data

349 views • 12 slides

More recommend