Acta Informatica Pragensia 2013, 2(1), 18-29 | DOI: 10.18267/j.aip.102455

Approaching Retargetable Static, Dynamic, and Hybrid Executable-Code Analysis

Jakub Křoustek, Dušan Kolář
IT4Innovations Centre of Excellence, Faculty of Information Technology, Brno University of Technology, Božetěchova 1/2, 612 66 Brno, Czech Republic

Program comprehension and reverse engineering are two large domains of computer science that have one common goal - analysis of existing programs and understanding their behaviour. At present, methods of source-code analysis are well established and used in practice by software engineers. On the other hand, analysis of executable code is a more challenging task that is not fully covered by existing tools. Furthermore, methods of retargetable executable-code analysis are rare because of their complexity. In this paper, we present a comprehensive platform-independent toolchain for executable-code analysis that supports both static and dynamic analysis. This toolchain, developed within the Lissom project, exploits several previously designed methods, and it can be used for debugging users' applications as well as for malware analysis, etc. The main contribution of this paper is to interconnect the existing methods and illustrate their usage on real-world scenarios. Furthermore, we introduce the concept of a new retargetable method - the hybrid analysis. It can eliminate the shortcomings of static and dynamic analysis in the future.

Keywords: Debugger, Decompiler, Reverse Engineering, Lissom

Submitted: 12 March 2013; Accepted: 14 June 2013; Published: 29 June 2013

Křoustek, J., & Kolář, D. (2013). Approaching Retargetable Static, Dynamic, and Hybrid Executable-Code Analysis. Acta Informatica Pragensia 2(1), 18-29. doi: 10.18267/j.aip.10.


This article is published in Open Access mode and distributed under the Creative Commons Attribution License (CC BY), which permits distribution, reproduction and modification provided the original work is properly cited. Distribution, reproduction or modification that does not comply with the terms of this license is not permitted.