Presentation is loading. Please wait.

Presentation is loading. Please wait.

Native x86 Decompilation Using Semantics-Preserving Structural Analysis and Iterative Control-Flow Structuring Edward J. Schwartz *, JongHyup Lee ✝, Maverick.

Published byJaheim Cashman Modified over 9 years ago

Similar presentations

Presentation on theme: "Native x86 Decompilation Using Semantics-Preserving Structural Analysis and Iterative Control-Flow Structuring Edward J. Schwartz *, JongHyup Lee ✝, Maverick."— Presentation transcript:

1 Native x86 Decompilation Using Semantics-Preserving Structural Analysis and Iterative Control-Flow Structuring Edward J. Schwartz *, JongHyup Lee ✝, Maverick Woo *, and David Brumley * Carnegie Mellon University * Korea National University of Transportation ✝

2 Which would you rather analyze? 8/15/13Usenix Security 20132 push %ebp mov %esp,%ebp sub $0x10,%esp movl $0x1,-0x4(%ebp) jmp 1d mov -0x4(%ebp),%eax imul 0x8(%ebp),%eax mov %eax,-0x4(%ebp) subl $0x1,0x8(%ebp) cmpl $0x1,0x8(%ebp) jg f mov -0x4(%ebp),%eax leave ret int f(int c) { int accum = 1; for (; c > 1; c--) { accum = accum * c; } return accum; } Functions Variables Types Control Flow

3 8/15/133 int f (int x) { int y = 1; while (x > y) { y++; } return y; 010100101010101 001010110111010 101001010101010 101111100010100 010101101001010 100010010101101 010101011010111 Compiler Original Source int f (int a) { int v = 1; while (a > v++) {} return v; Decompiler Recovered Source Compiled Binary

4 Decompilers for Software Security Manual reverse-engineering – Traditional decompiler application Apply wealth of existing source-code techniques to compiled programs [Chang06] – Find bugs, vulnerabilities Heard at Usenix Security 2013, during Dowsing for Overflows – “We need source code to access the high-level control flow structure and types” 8/15/13Usenix Security 20134

5 Desired Properties for Security 1.Effective abstraction recovery – Abstractions improve comprehension 8/15/13Usenix Security 20135

6 Effective Abstraction Recovery 8/15/13Usenix Security 20136 s1; while (e1) { if (e2) { break; } s2; } s3; More Abstract s1; L1: if (e1) { goto L2; } else { goto L4; } L2: if (e2) { goto L4; } L3: s2; goto L1; L4: s3; Less Abstract

7 Desired Properties for Security 1.Effective abstraction recovery – Abstractions improve comprehension 2.Correctness – Buggy(Decompiled)  Buggy(Original) 8/15/13Usenix Security 20137

8 Correctness 8/15/138 010100101010101 001010110111010 101001010101010 101111100010100 010101101001010 100010010101101 010101011010111 Compiler Decompiler Compiled Binary int f (int x) { int y = 1; while (x > y) { y++; } return y; Original Source int f (int a) { int v = 1; while (a > v++) {} return v; Recovered Source Are these two programs semantically equivalent?

9 Prior Work on Decompilation 8/15/13Usenix Security 20139

10 The Phoenix C Decompiler 8/15/13Usenix Security 201310

11 How to build a better decompiler? Recover missing abstractions one at a time – Semantics preserving abstraction recovery Rewrite program to use abstraction Don’t change behavior of program Similar to compiler optimization passes 8/15/13Usenix Security 201311

12 Semantics Preservation 8/15/13Usenix Security 201312 s1; while (e1) { if (e2) { break; } s2; } s3; s1; L1: if (e1) { goto L2; } else { goto L4; } L2: if (e2) { goto L4; } L3: s2; goto L1; L4: s3; Abstraction Recovery Are these two programs semantically equivalent?

13 How to build a better decompiler? Recover missing abstractions one at a time – Semantics preserving abstraction recovery Rewrite program to use abstraction Don’t change behavior of program Similar to compiler optimization passes Challenge: building semantics preserving recovery algorithms – This talk Focus on control flow structuring Empirical demonstration 8/15/13Usenix Security 201313

14 Phoenix Overview 8/15/13Usenix Security 201314 010100101010101 001010110111010 101001010101010 101111100010100 010101101001010 100010010101101 010101011010111 CFG Recovery Type Recovery Control Flow Structuring Source-code Output int f (int x) { int y = 1; while (x > y) { y++; } return y; New in Phoenix

15 Control Flow Graph Recovery 8/15/13Usenix Security 201315 010100101010101 001010110111010 101001010101010 101111100010100 010101101001010 100010010101101 010101011010111 Vertex represents straight-line binary code Edges represents possible control-flow transitions Challenge: Where does jmp %eax go? Phoenix uses Value Set Analysis [Balakrishnan10] CFG Recovery e¬e

16 Type Inference on Executables (TIE) [Lee11] 8/15/13Usenix Security 201316 movl (%eax), %ebx Constraint 1: %eax is a pointer to type Constraint 2: %ebx has type Solve all constraints to find How does each instruction constrain the types?

17 Control Flow Structuring 8/15/13Usenix Security 201317

18 Compilation ¬e e Control Flow Structuring if (e) {…;} else {…;} 8/15/13Usenix Security 201318 if (e) {…;} else {…;} ? ¬e e Control Flow Structuring

19 Control Flow Structuring: Don’t Reinvent the Wheel Existing algorithms – Interval analysis [Allen70] Identifies intervals or regions – Structural analysis [Sharir80] Classifies regions into more specific types Both have been used in decompilers Phoenix based on structural analysis 8/15/13Usenix Security 201319

20 Structural Analysis Iteratively match patterns to CFG – Collapse matching regions Returns a skeleton: while (e) { if (e’) {…} } 8/15/13Usenix Security 201320 B2 if-then-else B3 B1 B2 B1 while

21 Structural Analysis Example 8/15/13Usenix Security 201321 WHILE SEQ ITE 1 SEQ 1...; while (...) { if (...) {...} else {...} };...;

22 Structural Analysis Property Checklist 1.Effective abstraction recovery 8/15/13Usenix Security 201322

23 Structural Analysis Property Checklist 1.Effective abstraction recovery – Graceless failures for unstructured programs break, continue, and goto statements Failures cascade to large subgraphs 8/15/13Usenix Security 201323

24 Unrecovered Structure 8/15/13Usenix Security 201324 This break edge prevents progress UNKNOWN SEQ s1; while (e1) { if (e2) { break; } s2; } s3; s1; L1: if (e1) { goto L2; } else { goto L4; } L2: if (e2) { goto L4; } L3: s2; goto L1; L4: s3; OriginalDecompiled Fix: New structuring algorithm featuring Iterative Refinement Fix: New structuring algorithm featuring Iterative Refinement

25 Remove edges that are preventing a match – Represent in decompiled source as break, goto, continue Allows structuring algorithm to make more progress 8/15/13Usenix Security 201325

26 Iterative Refinement 8/15/13Usenix Security 201326 s1; while (e1) { if (e2) { break; } s2; } s3; s1; while (e1) { if (e2) { break; } s2; } s3; OriginalDecompiled BREAK SEQ 1 WHILE SEQ

27 Structural Analysis Property Checklist 1.Effective abstraction recovery – Graceless failures for unstructured programs break, continue, and goto s Failures cascade to large subgraphs 2.Correctness 8/15/13Usenix Security 201327

28 Structural Analysis Property Checklist 1.Effective abstraction recovery – Graceless failures for unstructured programs break, continue, and goto s Failures cascade to large subgraphs 2.Correctness – Not originally intended for decompilation – Structure can be incorrect for decompilation 8/15/13Usenix Security 201328

29 Natural Loop Correctness Problem 8/15/13Usenix Security 201329 x=1 y=2 x≠1 y≠2 NATURAL LOOP NATURAL LOOP y=2 x=1 while (true) { s1; if (x==1) goto L2; if (y==2) goto L1; } Non-determinism Fix: Ensure patterns are Semantics Preserving

30 Semantics Preservation Applies inside of control flow structuring too 8/15/13Usenix Security 201330 x=1 y=2 x≠1 y≠2 NATURAL LOOP NATURAL LOOP y=2 x=1

31 Phoenix Implementation and Evaluation 8/15/13Usenix Security 201331

32 Readability: Phoenix Output 8/15/13Usenix Security 201332 int f (void) { int a = 42; int b = 0; while (a) { if (b) { puts("c"); break; } else { puts("d"); } a--; b++; } puts ("e"); return 0; } t_reg32 f (void) { t_reg32 v20 = 42; t_reg32 v24; for (v24 = 0; v20 != 0; v24 = v24 + 1) { if (v24 != 0) { puts ("c"); break; } puts ("d"); v20 = v20 - 1; } puts ("e"); return 0; } Original Decompiled

33 Large Scale Experiment Details Decompilers tested – Phoenix – Hex-Rays (industry state of the art) – Boomerang (academic state of the art) Boomerang Did not terminate in <1 hour for most programs GNU coreutils 8.17, compiled with gcc – Programs of varying complexity – Test suite 8/15/13Usenix Security 201333

34 Metrics (end-to-end decompiler) 1.Effective abstraction recovery – Control flow structuring 2.Correctness 8/15/13Usenix Security 201334

35 Control Flow Structure: Gotos Emitted (Fewer Better) 8/15/13Usenix Security 201335

36 Control Flow Structure: Gotos Emitted (Fewer is Better) 8/15/13Usenix Security 201336

37 Ideal: Correctness 8/15/1337 010100101010101 001010110111010 101001010101010 101111100010100 010101101001010 100010010101101 010101011010111 Compiler Decompiler Compiled Binary int f (int x) { int y = 1; while (x > y) { y++; } return y; int f (int a) { int v = 1; while (a > v++) {} return v; Original Source Recovered Source Are these two programs semantically equivalent?

38 Scalable: Testing 8/15/1338 010100101010101 001010110111010 101001010101010 101111100010100 010101101001010 100010010101101 010101011010111 Compiler Decompiler Compiled Binary int f (int x) { int y = 1; while (x > y) { y++; } return y; int f (int a) { int v = 1; while (a > v++) {} return v; Original Source Recovered Source Passes tests Is the decompiled program consistent with test requirements?

39 Number of Correct Utilities 8/15/13Usenix Security 201339 All Utilities 107

40 Correctness All known correctness errors attributed to type recovery – No known problems in control flow structuring Rare issues in TIE revealed by Phoenix stress testing – Even one type error can cause incorrectness – Undiscovered variables – Overly general type information 8/15/13Usenix Security 201340

41 Conclusion Phoenix decompiler – Ultimate goal: Correct, abstract decompilation – Control-flow structuring algorithm Iterative refinement Semantics preserving schemas End-to-end correctness and abstraction recovery experiments on >100 programs – Phoenix Control flow structuring: Correctness: 50%  Correct, abstract decompilation of real programs is within reach – This paper: improving control flow structuring – Next direction: improved static type recovery 8/15/13Usenix Security 201341

42 Thanks! Questions? Edward J. Schwartz edmcman@cmu.edu http://www.ece.cmu.edu/~ejschwar 8/15/13Usenix Security 201342

43 END

Download ppt "Native x86 Decompilation Using Semantics-Preserving Structural Analysis and Iterative Control-Flow Structuring Edward J. Schwartz *, JongHyup Lee ✝, Maverick."

Similar presentations

Code Optimization and Performance Chapter 5 CS 105 Tour of the Black Holes of Computing.

Code Optimization and Performance Chapter 5 CS 105 Tour of the Black Holes of Computing.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
ByteWeight: Learning to Recognize Functions in Binary Code

ByteWeight: Learning to Recognize Functions in Binary Code
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
ECE 454 Computer Systems Programming Compiler and Optimization (I) Ding Yuan ECE Dept., University of Toronto

ECE 454 Computer Systems Programming Compiler and Optimization (I) Ding Yuan ECE Dept., University of Toronto
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
CS412/413 Introduction to Compilers Radu Rugina Lecture 37: DU Chains and SSA Form 29 Apr 02.

CS412/413 Introduction to Compilers Radu Rugina Lecture 37: DU Chains and SSA Form 29 Apr 02.
Chair of Software Engineering From Program slicing to Abstract Interpretation Dr. Manuel Oriol.

Chair of Software Engineering From Program slicing to Abstract Interpretation Dr. Manuel Oriol.
Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.

Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
SSP Re-hosting System Development: CLBM Overview and Module Recognition SSP Team Department of ECE Stevens Institute of Technology Presented by Hongbing.

SSP Re-hosting System Development: CLBM Overview and Module Recognition SSP Team Department of ECE Stevens Institute of Technology Presented by Hongbing.
Homework Any Questions?. Statements / Blocks, Section 3.1 An expression becomes a statement when it is followed by a semicolon x = 0; Braces are used.

Homework Any Questions?. Statements / Blocks, Section 3.1 An expression becomes a statement when it is followed by a semicolon x = 0; Braces are used.
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
Chair of Software Engineering Fundamentals of Program Analysis Dr. Manuel Oriol.

Chair of Software Engineering Fundamentals of Program Analysis Dr. Manuel Oriol.
Validating High-Level Synthesis Sudipta Kundu, Sorin Lerner, Rajesh Gupta Department of Computer Science and Engineering, University of California, San.

Validating High-Level Synthesis Sudipta Kundu, Sorin Lerner, Rajesh Gupta Department of Computer Science and Engineering, University of California, San.
1 Program Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles of Program Analysis.

1 Program Analysis Mooly Sagiv Tel Aviv University Textbook: Principles of Program Analysis.
Lecture 25 Generating Code for Basic Blocks Topics Code Generation Readings: 9.4-9.6 April 19, 2006 CSCE 531 Compiler Construction.

Lecture 25 Generating Code for Basic Blocks Topics Code Generation Readings: April 19, 2006 CSCE 531 Compiler Construction.
Overview of program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc05.html.

Overview of program analysis Mooly Sagiv html://
Compiler Construction

Compiler Construction

Similar presentations

Ads by Google