(for reverse engineering intermediate language), to the next section. For now, we only show
the mapping.
After the REIL IR is constructed, a set of simple static analyses may be conducted.
For example, one analysis may be used to measure the cyclomatic complexity of each
function in the IR. Cyclomatic complexity is believed to be useful in identifying
a set of functions where bugs most likely hide. Another analysis may be used to detect
loops heuristically and annotate the loop counters whenever possible. This is useful
because loops, as well as recursive call sites, are places where out-of-bound buffer
accesses and non-termination most likely occur.
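As an added illustration of the two analyses just described (example code, not the paper's or its system's), the following Python computes McCabe's cyclomatic complexity and runs a DFS-based loop detector over a small constructed control-flow graph. The graph, the instruction strings in its blocks and the register-naming heuristic for loop counters are this example's own assumptions. Loops are recognised from DFS back edges rather than from dominators, which matches the heuristic flavour the text describes; the counter annotation looks for a register that the loop header compares against a constant and that some block in the loop body increments or decrements.

```python
"""Two of the simple static analyses described above, run over a constructed CFG
(added example, not the paper's code): cyclomatic complexity per function and a
heuristic loop detector that annotates a likely loop counter."""
import re
from collections import defaultdict

# Constructed function: sums |a[i]| for i in 0..9. Successor lists form the CFG.
CFG = {
    "entry": ["hdr"],
    "hdr": ["body", "exit"],     # cmp ecx, 0xa / jge exit
    "body": ["neg", "cont"],     # test eax, eax / jns cont
    "neg": ["cont"],
    "cont": ["hdr"],             # inc ecx / jmp hdr  (the back edge)
    "exit": [],
}
BLOCKS = {
    "entry": ["xor ecx, ecx", "xor edx, edx"],
    "hdr": ["cmp ecx, 0xa", "jge exit"],
    "body": ["mov eax, [esi+ecx*4]", "test eax, eax", "jns cont"],
    "neg": ["neg eax"],
    "cont": ["add edx, eax", "inc ecx", "jmp hdr"],
    "exit": ["ret"],
}

def cyclomatic_complexity(cfg, components=1):
    """McCabe's M = E - N + 2P over the CFG's edges E, nodes N and components P."""
    edges = sum(len(succs) for succs in cfg.values())
    return edges - len(cfg) + 2 * components

def back_edges(cfg, entry):
    """Edges that close a cycle in a DFS from entry (the loop-detection heuristic)."""
    state, found = {}, []
    def dfs(node):
        state[node] = "active"
        for succ in cfg[node]:
            if state.get(succ) == "active":
                found.append((node, succ))   # succ is still on the DFS stack: back edge
            elif succ not in state:
                dfs(succ)
        state[node] = "done"
    dfs(entry)
    return found

def loop_body(cfg, tail, header):
    """Nodes that reach the back edge's tail without passing through the header."""
    preds = defaultdict(list)
    for node, succs in cfg.items():
        for succ in succs:
            preds[succ].append(node)
    body, work = {header, tail}, [tail]
    while work:
        for pred in preds[work.pop()]:
            if pred not in body:
                body.add(pred)
                work.append(pred)
    return body

CMP_RE = re.compile(r"^cmp\s+(\w+),\s*(0x[0-9a-fA-F]+|\d+)$")
STEP_RE = re.compile(r"^(?:inc|dec|add|sub)\s+(\w+)")

def loop_counters(blocks, body, header):
    """Registers compared against a constant in the header and stepped in the body."""
    bounds = {}
    for insn in blocks[header]:
        m = CMP_RE.match(insn)
        if m:
            bounds[m.group(1)] = m.group(2)
    stepped = set()
    for node in body:
        for insn in blocks[node]:
            m = STEP_RE.match(insn)
            if m:
                stepped.add(m.group(1))
    return {reg: bound for reg, bound in bounds.items() if reg in stepped}

def analyze(cfg, blocks, entry="entry"):
    """Per-function report: complexity plus every detected loop with its counters."""
    report = {"cyclomatic": cyclomatic_complexity(cfg), "loops": []}
    for tail, header in back_edges(cfg, entry):
        body = loop_body(cfg, tail, header)
        report["loops"].append({"header": header, "body": sorted(body),
                                "counters": loop_counters(blocks, body, header)})
    return report

if __name__ == "__main__":
    print(analyze(CFG, BLOCKS))
```

The constructed function has two decision points (the loop test and the sign test), so its complexity is 3; the single back edge cont -> hdr yields a loop body of four blocks, and ecx is reported as the counter with bound 0xa because it is both compared in the header and incremented inside the loop.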
Table 1. The Mapping from Native Instructions to REIL IR Instructions

Native Instruction (x86)              REIL IR Instruction
00401073 movsx edx, byte ss:[ebp-10]  40107300: add [DWORD FFFFFFF0, DWORD ebp, QWORD t0]
                                      40107301: and [QWORD t0, DWORD FFFFFFFF, DWORD t1]
                                      40107302: ldm [DWORD t1, EMPTY, BYTE t2]
                                      40107303: xor [BYTE t2, BYTE 0x80, BYTE t3]
                                      40107304: sub [BYTE t3, BYTE 0x80, DWORD t4]
                                      40107305: and [DWORD t4, BYTE FFFFFFFF, BYTE t5]
                                      40107306: str [DWORD t5, EMPTY, DWORD edx]
00401077 cmp edx, 0x62                40107700: and [DWORD edx, DWORD 0x80000000, DWORD t0]
                                      40107701: and [DWORD 98, DWORD 0x80000000, DWORD t1]
                                      40107702: sub [DWORD edx, DWORD 98, QWORD t2]
                                      40107703: and [QWORD t2, QWORD 0x80000000, DWORD t3]
                                      40107704: bsh [DWORD t3, DWORD -31, BYTE SF]
                                      40107705: xor [DWORD t0, DWORD t1, DWORD t4]
                                      40107706: xor [DWORD t0, DWORD t3, DWORD t5]
                                      40107707: and [DWORD t4, DWORD t5, DWORD t6]
                                      40107708: bsh [DWORD t6, DWORD -31, BYTE OF]
                                      40107709: and [QWORD t2, QWORD 0x100000000, QWORD t7]
                                      4010770A: bsh [QWORD t7, QWORD -32, BYTE CF]
                                      4010770B: and [QWORD t2, QWORD FFFFFFFF, DWORD t8]
                                      4010770C: bisz [DWORD t8, EMPTY, BYTE ZF]
0040107a jnz loc_40108e               40107A00: bisz [BYTE ZF, EMPTY, BYTE t0]
                                      40107A01: jcc [BYTE t0, EMPTY, DWORD 0x40108e]
Dynamic Tracing. There are three main components for dynamic tracing. Together,
they are responsible for generating a logged execution trace, which will be the starting
point of the subsequent offline analysis. Notice that, in our system, there is a clear
separation between online trace generation and offline trace analysis. This makes our
trace analysis as platform independent as possible. Among the existing binary analysis
tools, some have adopted online analysis [6,14], meaning that the analysis takes place
at the time the program is executed, while others have adopted offline analysis [1],
meaning that the trace is captured and then analyzed later. However, all of them are
tied to a particular platform, making it difficult to maintain and extend to a different
platform. In contrast, our system does not have such problems.
In Fig. 1, the components labeled Dynamic Binary Instrumentation and Whole-system
Emulation implement the two popular approaches adopted by many existing tools.
However, these two components alone do not meet the demands of our system, for
the following reasons. Popular DBI tools, such as PIN and DynamoRIO, provide user
mode x86 binary instrumentation but do not support non-x86 ISAs. Valgrind supports