rev ng
play

rev.ng A unified static binary analysis framework Alessandro Di - PowerPoint PPT Presentation

Nov 05, 2022 •371 likes •908 views

rev.ng A unified static binary analysis framework Alessandro Di Federico PhD student at Politecnico di Milano LLVM developers meeting 2016 November 3, 2016 Index Introduction A peek inside Recovery of switch cases Function detection

  1. rev.ng A unified static binary analysis framework Alessandro Di Federico PhD student at Politecnico di Milano LLVM developers meeting 2016 November 3, 2016

  2. Index Introduction A peek inside Recovery of switch cases Function detection Results Conclusions

  3. What is rev.ng ? rev.ng is a unified suite of tools for static binary analysis

  4. Features • Static binary translation • Recovery of the control-flow graph • Recovery of function boundaries

  5. revamb : the static binary translator 1 Parse the binary and load it in memory 2 Identify all the basic blocks in a binary 3 Lift them using QEMU’s tiny code generator 4 Translate the output to a single LLVM IR function 5 Recompile it

  6. Alpha ARM CRIS AArch64 Unicore RISC V SPARC64 Hexagon SPARC SuperH x86 QEMU IR SystemZ x86-64 MicroBlaze PowerPC OpenRISC PowerPC64 MIPS64 MIPS XCore

  7. Alpha ARM CRIS AArch64 Unicore RISC V SPARC64 Hexagon SPARC SuperH x86 LLVM IR SystemZ x86-64 MicroBlaze PowerPC OpenRISC PowerPC64 MIPS64 MIPS XCore

  8. Alpha ARM CRIS AArch64 Unicore RISC V SPARC64 Hexagon SPARC SuperH x86 revamb SystemZ x86-64 MicroBlaze PowerPC OpenRISC PowerPC64 MIPS64 MIPS XCore

  9. Alpha ARM CRIS AArch64 Unicore RISC V SPARC64 Hexagon SPARC SuperH x86 revamb SystemZ x86-64 MicroBlaze PowerPC OpenRISC PowerPC64 MIPS64 MIPS XCore

  10. Concept mapping Input assembly revamb CPU register LLVM GlobalVariable

  11. Concept mapping Input assembly revamb CPU register LLVM GlobalVariable direct branch direct branch

  12. Concept mapping Input assembly revamb CPU register LLVM GlobalVariable direct branch direct branch indirect branch jump to the dispatcher

  13. Dispatcher example %0 = load i32 , i32* @pc switch i32 %0 , label %abort [ i32 0x10074 , label %bb.0 x10074 i32 0x10080 , label %bb.0 x10080 i32 0x10084 , label %bb.0 x10084 ... ]

  14. Concept mapping Input assembly revamb CPU register LLVM GlobalVariable direct branch direct branch indirect branch jump to the dispatcher

  15. Concept mapping Input assembly revamb CPU register LLVM GlobalVariable direct branch direct branch indirect branch jump to the dispatcher complex instruction QEMU helper function

  16. Concept mapping Input assembly revamb CPU register LLVM GlobalVariable direct branch direct branch indirect branch jump to the dispatcher complex instruction QEMU helper function syscalls QEMU Linux subsystem

  17. We statically link all the necessary QEMU helper functions

  18. Example: original assembly ldr r3 , [fp , #-8] bl 0x1234

  19. Example: QEMU’s IR mov_i32 tmp5 ,fp movi_i32 tmp6 ,$0xfffffff8 ldr r3 , [fp , #-8] add_i32 tmp5 ,tmp5 ,tmp6 qemu_ld_i32 tmp6 ,tmp5 mov_i32 r3 ,tmp6 movi_i32 tmp5 ,$0x10088 mov_i32 lr ,tmp5 bl 0x1234 movi_i32 pc ,$0x1234 exit_tb $0x0

  20. Example: LLVM IR %1 = load i32 , i32* @fp %2 = add i32 %1 , -8 ldr r3 , [fp , #-8] %3 = inttoptr i32 %2 to i32* %4 = load i32 , i32* %3 store i32 %4 , i32* @r3 store i32 0x10088 , i32* @lr bl 0x1234 store i32 0x1234 , i32* @pc br label %bb.0 x1234

  21. System overview Collect JTs 1 md5sum.arm from global data Lift to QEMU IR new JT new JT Collect JTs from Collect JTs from Translate indirect jumps direct jumps to LLVM IR Identify function Link runtime md5sum.x86-64 boundaries functions 1 JT: a jump target , i.e., a basic block starting address

  22. Index Introduction A peek inside Recovery of switch cases Function detection Results Conclusions

  23. Index Introduction A peek inside Recovery of switch cases Function detection Results Conclusions

  24. Typical lowering of a switch on ARM 1000: cmp r1 , #5 1004: addls pc , pc , r1 , lsl #2 1008: ... 100c: ...

  25. OSR Analysis • A data-flow analysis to handle switch • It considers each SSA value • Tracks of it can be expressed w.r.t. x : • plus an offset a • and a factor b • For each basic block it tracks: • the boundaries of x • the signedness of x

  26. An Offset Shifted Range (OSR) Given two SSA values x and y : � � x : x ∈ [ c , d ] signed y = a + b · x , with ∈ [ c , d ] and x is x / unsigned

  27. Example: the input 1000: cmp r1 , #5 1004: addls pc , pc , r1 , lsl #2 1008: ... 100c: ...

  28. Pseudo C LLVM IR OSRA BB1: a = r1 %1 = load i32 , i32* @r1 b = a - 4 %2 = sub i32 %1 , 4 c = (b >= 4) %3 = icmp uge i32 %1 , 4 if (c) br i1 %3 , %BB2 , %BB3 { BB2: d = (b == 0) %4 = icmp eq i32 %2 , 0 if (!d) br i1 %4 , %BB3 , %exit return } BB3: e = a << 2 %5 = shl i32 %1 , 2 f = e + 0x100c %6 = add i32 0x100c , %5 pc = f store i32 %6 , i32* @pc

  29. Pseudo C LLVM IR OSRA BB1: a = r1 %1 = load i32 , i32* @r1 ; [x] b = a - 4 %2 = sub i32 %1 , 4 c = (b >= 4) %3 = icmp uge i32 %1 , 4 if (c) br i1 %3 , %BB2 , %BB3 { BB2: d = (b == 0) %4 = icmp eq i32 %2 , 0 if (!d) br i1 %4 , %BB3 , %exit return } BB3: e = a << 2 %5 = shl i32 %1 , 2 f = e + 0x100c %6 = add i32 0x100c , %5 pc = f store i32 %6 , i32* @pc

  30. Pseudo C LLVM IR OSRA BB1: a = r1 %1 = load i32 , i32* @r1 ; [x] b = a - 4 %2 = sub i32 %1 , 4 ; [x - 4] c = (b >= 4) %3 = icmp uge i32 %1 , 4 if (c) br i1 %3 , %BB2 , %BB3 { BB2: d = (b == 0) %4 = icmp eq i32 %2 , 0 if (!d) br i1 %4 , %BB3 , %exit return } BB3: e = a << 2 %5 = shl i32 %1 , 2 f = e + 0x100c %6 = add i32 0x100c , %5 pc = f store i32 %6 , i32* @pc

  31. Pseudo C LLVM IR OSRA BB1: a = r1 %1 = load i32 , i32* @r1 ; [x] b = a - 4 %2 = sub i32 %1 , 4 ; [x - 4] c = (b >= 4) %3 = icmp uge i32 %1 , 4 ; (x >= 4, u) if (c) br i1 %3 , %BB2 , %BB3 { BB2: d = (b == 0) %4 = icmp eq i32 %2 , 0 if (!d) br i1 %4 , %BB3 , %exit return } BB3: e = a << 2 %5 = shl i32 %1 , 2 f = e + 0x100c %6 = add i32 0x100c , %5 pc = f store i32 %6 , i32* @pc

  32. Pseudo C LLVM IR OSRA BB1: a = r1 %1 = load i32 , i32* @r1 ; [x] b = a - 4 %2 = sub i32 %1 , 4 ; [x - 4] c = (b >= 4) %3 = icmp uge i32 %1 , 4 ; (x >= 4, u) if (c) br i1 %3 , %BB2 , %BB3 { BB2: ; (x >= 4, u) d = (b == 0) %4 = icmp eq i32 %2 , 0 if (!d) br i1 %4 , %BB3 , %exit return } BB3: e = a << 2 %5 = shl i32 %1 , 2 f = e + 0x100c %6 = add i32 0x100c , %5 pc = f store i32 %6 , i32* @pc

  33. Pseudo C LLVM IR OSRA BB1: a = r1 %1 = load i32 , i32* @r1 ; [x] b = a - 4 %2 = sub i32 %1 , 4 ; [x - 4] c = (b >= 4) %3 = icmp uge i32 %1 , 4 ; (x >= 4, u) if (c) br i1 %3 , %BB2 , %BB3 { BB2: ; (x >= 4, u) d = (b == 0) %4 = icmp eq i32 %2 , 0 if (!d) br i1 %4 , %BB3 , %exit return } BB3: ; (x < 4, u) e = a << 2 %5 = shl i32 %1 , 2 f = e + 0x100c %6 = add i32 0x100c , %5 pc = f store i32 %6 , i32* @pc

  34. Pseudo C LLVM IR OSRA BB1: a = r1 %1 = load i32 , i32* @r1 ; [x] b = a - 4 %2 = sub i32 %1 , 4 ; [x - 4] c = (b >= 4) %3 = icmp uge i32 %1 , 4 ; (x >= 4, u) if (c) br i1 %3 , %BB2 , %BB3 { BB2: ; (x >= 4, u) d = (b == 0) %4 = icmp eq i32 %2 , 0 ; (x - 4 == 0, u) if (!d) br i1 %4 , %BB3 , %exit return } BB3: ; (x < 4, u) e = a << 2 %5 = shl i32 %1 , 2 f = e + 0x100c %6 = add i32 0x100c , %5 pc = f store i32 %6 , i32* @pc

  35. Pseudo C LLVM IR OSRA BB1: a = r1 %1 = load i32 , i32* @r1 ; [x] b = a - 4 %2 = sub i32 %1 , 4 ; [x - 4] c = (b >= 4) %3 = icmp uge i32 %1 , 4 ; (x >= 4, u) if (c) br i1 %3 , %BB2 , %BB3 { BB2: ; (x >= 4, u) d = (b == 0) %4 = icmp eq i32 %2 , 0 ; (x == 4, u) if (!d) br i1 %4 , %BB3 , %exit return } BB3: ; (x < 4, u) e = a << 2 %5 = shl i32 %1 , 2 f = e + 0x100c %6 = add i32 0x100c , %5 pc = f store i32 %6 , i32* @pc

  36. Pseudo C LLVM IR OSRA BB1: a = r1 %1 = load i32 , i32* @r1 ; [x] b = a - 4 %2 = sub i32 %1 , 4 ; [x - 4] c = (b >= 4) %3 = icmp uge i32 %1 , 4 ; (x >= 4, u) if (c) br i1 %3 , %BB2 , %BB3 { BB2: ; (x >= 4, u) d = (b == 0) %4 = icmp eq i32 %2 , 0 ; (x == 4, u) if (!d) br i1 %4 , %BB3 , %exit return } BB3: ; (x < 4, u) ; (x == 4, u) e = a << 2 %5 = shl i32 %1 , 2 f = e + 0x100c %6 = add i32 0x100c , %5 pc = f store i32 %6 , i32* @pc

  37. Pseudo C LLVM IR OSRA BB1: a = r1 %1 = load i32 , i32* @r1 ; [x] b = a - 4 %2 = sub i32 %1 , 4 ; [x - 4] c = (b >= 4) %3 = icmp uge i32 %1 , 4 ; (x >= 4, u) if (c) br i1 %3 , %BB2 , %BB3 { BB2: ; (x >= 4, u) d = (b == 0) %4 = icmp eq i32 %2 , 0 ; (x == 4, u) if (!d) br i1 %4 , %BB3 , %exit return } BB3: ; (x <= 4, u) e = a << 2 %5 = shl i32 %1 , 2 f = e + 0x100c %6 = add i32 0x100c , %5 pc = f store i32 %6 , i32* @pc

  38. Pseudo C LLVM IR OSRA BB1: a = r1 %1 = load i32 , i32* @r1 ; [x] b = a - 4 %2 = sub i32 %1 , 4 ; [x - 4] c = (b >= 4) %3 = icmp uge i32 %1 , 4 ; (x >= 4, u) if (c) br i1 %3 , %BB2 , %BB3 { BB2: ; (x >= 4, u) d = (b == 0) %4 = icmp eq i32 %2 , 0 ; (x == 4, u) if (!d) br i1 %4 , %BB3 , %exit return } BB3: ; (x <= 4, u) e = a << 2 %5 = shl i32 %1 , 2 ; [4 * x] f = e + 0x100c %6 = add i32 0x100c , %5 pc = f store i32 %6 , i32* @pc

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Product Feature Discovery and Ranking for Sentiment Analysis from Online Reviews. Analysis from

Product Feature Discovery and Ranking for Sentiment Analysis from Online Reviews. Analysis from

Product Feature Discovery and Ranking for Sentiment Analysis from Online Reviews. Analysis from Online Reviews. _______________________________________________________________________________________________________________ SHASHWAT CHANDRA

256 views • 11 slides
The Spotify Platform WOW Hack Gteborg 2014 Per-Olov Jernberg @possan @SpotifyPlatform Spotify

The Spotify Platform WOW Hack Gteborg 2014 Per-Olov Jernberg @possan @SpotifyPlatform Spotify

The Spotify Platform WOW Hack Gteborg 2014 Per-Olov Jernberg @possan @SpotifyPlatform Spotify APIs, SDKs and Widgets Spotify Widgets Play Button Follow Button Libspotify Embed Spotify in your application or hardware. iOS SDK Beta

326 views • 21 slides
Project Overview Device network architecture Decentralized, robust, distributed

Project Overview Device network architecture Decentralized, robust, distributed

Project #: 9807-04 Wireless Networks of Devices Hari Balakrishnan and John Guttag Project Overview Device network architecture Decentralized, robust, distributed Resource discovery, mobility Intentional naming system

304 views • 3 slides
Queues 15-121 Fall 2020 Margaret Reid-Miller Logistics Midsemester Grades: 37% A 30% B

Queues 15-121 Fall 2020 Margaret Reid-Miller Logistics Midsemester Grades: 37% A 30% B

Queues 15-121 Fall 2020 Margaret Reid-Miller Logistics Midsemester Grades: 37% A 30% B 20% C 13% &lt; C (mostly poor homework grades) Exam 2: Thursday Nov 5? Tuesday Nov 9? Fall 2020 15-121 (Reid-Miller) 3 Today

964 views • 34 slides
6. Code Generation 6.1 Overview 6.2 The MicroJava VM 6.3 Code Buffer 6.4 Operands 6.5

6. Code Generation 6.1 Overview 6.2 The MicroJava VM 6.3 Code Buffer 6.4 Operands 6.5

6. Code Generation 6.1 Overview 6.2 The MicroJava VM 6.3 Code Buffer 6.4 Operands 6.5 Expressions 6.6 Assignments 6.7 Jumps 6.8 Control Structures 6.9 Methods 1 Tasks of Code Generation Generation of machine instructions selecting

802 views • 67 slides
Junction Tree Algorithm and a case study of the Hidden Markov Model Probabilistic Graphical

Junction Tree Algorithm and a case study of the Hidden Markov Model Probabilistic Graphical

School of Computer Science Junction Tree Algorithm and a case study of the Hidden Markov Model Probabilistic Graphical Models (10- Probabilistic Graphical Models (10 -708) 708) Lecture 6, Oct 3, 2007 Receptor A Receptor A X 1 X 1 X 1

555 views • 23 slides
Junction-tree algorithm Probabilistic Graphical Models Sharif University of Technology Spring

Junction-tree algorithm Probabilistic Graphical Models Sharif University of Technology Spring

Junction-tree algorithm Probabilistic Graphical Models Sharif University of Technology Spring 2016 Soleymani Junction-tree algorithm: a general approach Junction trees as opposed to the sum-product on trees can be applied on general graphs

461 views • 35 slides
Junction Tree Algorithm Examples October 13, 2016 Junction Tree Algorithm Moralize (if

Junction Tree Algorithm Examples October 13, 2016 Junction Tree Algorithm Moralize (if

Junction Tree Algorithm Examples October 13, 2016 Junction Tree Algorithm Moralize (if starting from a directed graphical model) Triangulate (make it chordal) Construct a junction tree (maximum cardinality search) Define

304 views • 13 slides
The silicon detectors and electronics Tran Hoai Nam Osaka University Outline Set up

The silicon detectors and electronics Tran Hoai Nam Osaka University Outline Set up

The silicon detectors and electronics Tran Hoai Nam Osaka University Outline Set up Lessons learned Calibrations Set up Main detectors: 2 Si packages, each consists of: thin silicon: 65 um (MSQ), 4 readout channels

370 views • 12 slides
Unit 5: Electrical network analysis. Introduction: junction, branch, loop, network (multi-loop

Unit 5: Electrical network analysis. Introduction: junction, branch, loop, network (multi-loop

Unit 5: Electrical network analysis. Introduction: junction, branch, loop, network (multi-loop circuit). Kirchhoffs Rules: junction and loop rules. Thvenins theorem. Introduction: definitions Electrical network: Set of

147 views • 10 slides
Test 2 0 0 18 1 5 0 6 10 0 16 11 15 0 14 16 20 0 21 25 0 12 26

Test 2 0 0 18 1 5 0 6 10 0 16 11 15 0 14 16 20 0 21 25 0 12 26

Bin # students Test 2 0 0 18 1 5 0 6 10 0 16 11 15 0 14 16 20 0 21 25 0 12 26 30 3 # Students 31 35 3 10 36 40 4 8 41 45 7 Frequency 46 50 10 6 51 55 1 4 56 60 8 61 65 11 2

418 views • 10 slides
Well-posedness of a monotone solver for traffic junctions Carlotta Donadello 1 , . Andreianov 2

Well-posedness of a monotone solver for traffic junctions Carlotta Donadello 1 , . Andreianov 2

e Well-posedness of a monotone solver for traffic junctions Carlotta Donadello 1 , . Andreianov 2 and Giuseppe M. Coclite 3 in collaboration with Boris P 1 Laboratoire de Mathmatiques de Besanon Universit de Franche-Comt 2 Laboratoire de

353 views • 23 slides
On a model of Josephson effect, dynamical systems on two-torus and double confluent Heun equations

On a model of Josephson effect, dynamical systems on two-torus and double confluent Heun equations

On a model of Josephson effect, dynamical systems on two-torus and double confluent Heun equations V.M.Buchstaber, A.A.Glutsyuk, S.I.Tertychnyi International Conference dedicated to G.M. Henkin, Quasilinear equations, inverse problems and their

832 views • 37 slides
response of photoluminescence in photovoltaics The Student: Mattias Juhl The Supervisors:

response of photoluminescence in photovoltaics The Student: Mattias Juhl The Supervisors:

Application of the spectral response of photoluminescence in photovoltaics The Student: Mattias Juhl The Supervisors: Professor Thorsten Trupke Scientia Profesor Martin Green Photoluminescence? Luminescence: Radiative recombination of

552 views • 32 slides
Method Inlining Method inlining replaces a function call site with the body of the callee.

Method Inlining Method inlining replaces a function call site with the body of the callee.

4/22/2013 Method Inlining Method inlining replaces a function call site with the body of the callee. Example: int main() { Method Optim izations int max(int a, int b) { int x = 3; if(a &gt; b) return a; int y = 5; else return b; int z; }

407 views • 4 slides
Native Code Generation COMP 520: Compiler Design (4 credits) Professor Laurie Hendren

Native Code Generation COMP 520: Compiler Design (4 credits) Professor Laurie Hendren

COMP 520 Winter 2016 Native Code Generation (1) Native Code Generation COMP 520: Compiler Design (4 credits) Professor Laurie Hendren hendren@cs.mcgill.ca WendyTheWhitespace-IntolerantDragon WendyTheWhitespacenogarDtnarelotnI COMP 520 Winter

842 views • 30 slides
How not to Design a Scripting Language Department of Computer Science and Statistics Trinity

How not to Design a Scripting Language Department of Computer Science and Statistics Trinity

How not to Design a Scripting Language Paul Biggar How not to Design a Scripting Language Department of Computer Science and Statistics Trinity College Dublin StackOverflow London, 28th October, 2009 Paul Biggar Department of Computer Science

734 views • 45 slides
FUSED TABLE SCANS: COMBINING AVX-512 AND JIT Markus Dreseler, Jan Kossmann, Johannes Frohnhofen,

FUSED TABLE SCANS: COMBINING AVX-512 AND JIT Markus Dreseler, Jan Kossmann, Johannes Frohnhofen,

FUSED TABLE SCANS: COMBINING AVX-512 AND JIT Markus Dreseler, Jan Kossmann, Johannes Frohnhofen, Matthias Uflacker, Hasso Plattner Joint Workshop of HardBD &amp; Active @ ICDE Paris, 16th of April 2018 FUSED TABLE SCANS FUSED TABLE SCANS -

502 views • 19 slides
Module 3.1 - CUDA Parallelism Model Kernel-Based SPMD Parallel Programming Objective To

Module 3.1 - CUDA Parallelism Model Kernel-Based SPMD Parallel Programming Objective To

GPU Teaching Kit Accelerated Computing Module 3.1 - CUDA Parallelism Model Kernel-Based SPMD Parallel Programming Objective To learn the basic concepts involved in a simple CUDA kernel function Declaration Built-in variables

268 views • 9 slides
Justifying the State Protection and Power Review: Justifying the state: What are the ultimate

Justifying the State Protection and Power Review: Justifying the state: What are the ultimate

Justifying the State Protection and Power Review: Justifying the state: What are the ultimate goals? How can our loss of freedom can be justified! OK here are some justifications Consent: The social contract Power is its own

916 views • 36 slides
Lecture 7/8: block feedback: many people not seeing value of lecture material data: room

Lecture 7/8: block feedback: many people not seeing value of lecture material data: room

Viz theory How to handle complexity: 4 families of strategies Scenario Lecture 7/8: block feedback: many people not seeing value of lecture material data: room occupancy rates Manipulate Facet Reduce Derive Design &amp;

148 views • 3 slides
Algorithms for Big Data (XIII) Chihao Zhang Shanghai Jiao Tong University Dec. 13, 2019

Algorithms for Big Data (XIII) Chihao Zhang Shanghai Jiao Tong University Dec. 13, 2019

Algorithms for Big Data (XIII) Chihao Zhang Shanghai Jiao Tong University Dec. 13, 2019 Algorithms for Big Data (XIII) 1/11 We introduced the notion of electrical networks. Review We studied random walks on general graphs using spectral

695 views • 47 slides
Homework Assignment 1/3 America COMPETES Reauthorization Act (H.R. 1806 -114 th Congress )

Homework Assignment 1/3 America COMPETES Reauthorization Act (H.R. 1806 -114 th Congress )

Homework Assignment 1/3 America COMPETES Reauthorization Act (H.R. 1806 -114 th Congress ) House Science Majority Bill Provides authorizations for NSF, DOE Science, and NIST Breaking with tradition, bill authorizes at the NSF

292 views • 3 slides
VLSI Testing Automatic Test Pattern Generation Virendra Singh Associate Professor C omputer A

VLSI Testing Automatic Test Pattern Generation Virendra Singh Associate Professor C omputer A

VLSI Testing Automatic Test Pattern Generation Virendra Singh Associate Professor C omputer A rchitecture and D ependable S ystems L ab Department of Electrical Engineering Indian Institute of Technology Bombay

389 views • 15 slides

More recommend