
An Abstract Interpretation-Based Framework for Control Flow Reconstruction from Binaries

  • Conference paper
Verification, Model Checking, and Abstract Interpretation (VMCAI 2009)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 5403)

Abstract

Due to indirect branch instructions, analyses on executables commonly suffer from the problem that a complete control flow graph of the program is not available. Data flow analysis has been proposed before to statically determine branch targets in many cases, yet a generic strategy without assumptions on compiler idioms or debug information is lacking.

We have devised an abstract interpretation-based framework for generic low-level programs with indirect jumps which safely combines a pluggable abstract domain with the notion of partial control flow graphs. Using our framework, we are able to show that the control flow reconstruction algorithm of our disassembly tool Jakstab produces the most precise overapproximation of the control flow graph with respect to the abstract domain used.




Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kinder, J., Zuleger, F., Veith, H. (2008). An Abstract Interpretation-Based Framework for Control Flow Reconstruction from Binaries. In: Jones, N.D., Müller-Olm, M. (eds) Verification, Model Checking, and Abstract Interpretation. VMCAI 2009. Lecture Notes in Computer Science, vol 5403. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-93900-9_19


  • DOI: https://doi.org/10.1007/978-3-540-93900-9_19

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-93899-6

  • Online ISBN: 978-3-540-93900-9

  • eBook Packages: Computer Science (R0)
