TIE: Principled Reverse Engineering of Types in Binary Programs
Transcript of the talk slides (one entry per slide)
JongHyup Lee, Thanassis Avgerinos, and David Brumley
Slide 2: Reverse engineering of binary programs

1. Code structure
2. Data abstractions  <- TIE addresses this part
Slide 3: Goal

Reconstruct data abstractions conservatively and accurately.
Slide 5: All types are lost.
Slide 6: From source code to binary code

Compilation pipeline:
Source code -> Type checking -> Remove types -> Assign variables to memory slots -> Translate into machine code -> Binary code

Source code:

```c
unsigned int foo(char *buf, unsigned int *out)
{
    unsigned int c;
    c = 0;

    if (buf) {
        *out = strlen(buf);
        c = *out - 1;
    }
    return c;
}
```

Binary code (x86, AT&T syntax):

```
push %ebp
mov %esp,%ebp
sub $0x28,%esp
movl $0x0,-0xc(%ebp)
cmpl $0x0,0x8(%ebp)
je 804844d <foo+0x2e>
mov 0x8(%ebp),%eax
mov %eax,(%esp)
call 804831c <strlen@plt>
mov 0xc(%ebp),%edx
mov %eax,(%edx)
mov 0xc(%ebp),%eax
mov (%eax),%eax
sub $0x1,%eax
mov %eax,-0xc(%ebp)
mov -0xc(%ebp),%eax
leave
ret
```

The reverse direction, from binary code back to typed source, is marked on the slide with a question mark.
Slide 7: Type checking, then remove types

The source of foo() type-checks; the compiler then discards the types. All that survives of char *buf, unsigned int *out and unsigned int c is that each is a 32-bit value.
Slide 8: Assign variables to memory slots

Each 32-bit variable becomes a stack-frame slot relative to %ebp: out at [+12], buf at [+8], c at [-12]. With the names replaced by slots the program reads:

```
unsigned int foo(char *[+8], unsigned int *[+12])
{
    unsigned int [-12];
    [-12] = 0;

    if ([+8]) {
        *[+12] = strlen([+8]);
        [-12] = *[+12] - 1;
    }
    return [-12];
}
```
Slide 9: Translate into machine code

The slot-addressed program is translated into the machine code listed on slide 6.
Slide 10: No types, no variables

The binary code of foo(), annotated with the source-level operation each region performs:

```
push %ebp                    # make a stack frame
mov %esp,%ebp
sub $0x28,%esp
movl $0x0,-0xc(%ebp)         # c = 0
cmpl $0x0,0x8(%ebp)          # if (buf)
je 804844d <foo+0x2e>
mov 0x8(%ebp),%eax
mov %eax,(%esp)
call 804831c <strlen@plt>    # function call strlen
mov 0xc(%ebp),%edx
mov %eax,(%edx)
mov 0xc(%ebp),%eax
mov (%eax),%eax
sub $0x1,%eax                # subtraction
mov %eax,-0xc(%ebp)
mov -0xc(%ebp),%eax
leave                        # return
ret
```
Slide 11: TIE

TIE reverses the last two compilation steps:
1. Variable recovery (undoes "assign variables to memory slots")
2. Type inference (undoes "remove types")
Slide 12: 1. Variable recovery

Analyze the values of the "addresses" the binary program reads and writes in memory, e.g.
  read   %eax = -0x4(%ebp)
  write  -0x8(%ebp) = 0x1
  read   %edx = -0x8(%ebp)
The analysis is a variant of VSA (Value Set Analysis) [Balakrishnan, 2007].
Slide 13: 1. Variable recovery on foo()

Running the analysis over the listing of foo() (slide 6) recovers three %ebp-relative slots:

Variable  Offset from %ebp
A         +12
B         +8
C         -12
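The slot-collection step above, as an added example that is not TIE's implementation: a deliberately small stand-in for the VSA variant, which only resolves addresses of the form offset(%ebp) instead of computing value sets for every address expression. The listing is the one from the slides; the slot-naming scheme (A, B, C from the highest offset down) follows slide 13 and is an assumption of this example.

```python
"""Variable recovery by collecting %ebp-relative memory accesses.

Added example, not TIE's implementation.  It is a deliberately small
stand-in for the value-set-analysis variant TIE uses: instead of computing
value sets for every address expression it only resolves addresses of the
form offset(%ebp), which is enough for a frame-pointer-based function such
as foo().  The listing below is copied from the slides; the slot-naming
scheme (A, B, C from the highest offset down) follows slide 13.
"""
import re
from collections import defaultdict

# Constructed input: the disassembly of foo() from the slides (AT&T syntax).
FOO_LISTING = """
push %ebp
mov %esp,%ebp
sub $0x28,%esp
movl $0x0,-0xc(%ebp)
cmpl $0x0,0x8(%ebp)
je 804844d <foo+0x2e>
mov 0x8(%ebp),%eax
mov %eax,(%esp)
call 804831c <strlen@plt>
mov 0xc(%ebp),%edx
mov %eax,(%edx)
mov 0xc(%ebp),%eax
mov (%eax),%eax
sub $0x1,%eax
mov %eax,-0xc(%ebp)
mov -0xc(%ebp),%eax
leave
ret
"""

EBP_SLOT = re.compile(r"(-?0x[0-9a-f]+)\(%ebp\)")
SUFFIX_BITS = {"b": 8, "w": 16, "l": 32}

def operands(line):
    """Split 'mnemonic src,dst' into (mnemonic, [operands]); AT&T puts the destination last."""
    parts = line.strip().split(None, 1)
    if len(parts) == 1:
        return parts[0], []
    return parts[0], [op.strip() for op in parts[1].split(",")]

def access_width(mnemonic):
    """Width in bits: movl/cmpl carry a size suffix; a plain mov with a 32-bit register is 32."""
    if mnemonic[:-1] in ("mov", "cmp") and mnemonic[-1] in SUFFIX_BITS:
        return SUFFIX_BITS[mnemonic[-1]]
    return 32

def recover_variables(listing):
    """Return {offset: {"name", "size", "reads", "writes"}}, one entry per %ebp slot touched."""
    slots = defaultdict(lambda: {"size": 0, "reads": 0, "writes": 0})
    for line in listing.strip().splitlines():
        mnemonic, ops = operands(line)
        for pos, op in enumerate(ops):
            m = EBP_SLOT.search(op)
            if not m:
                continue                      # registers, immediates, (%esp), (%edx): not a frame slot
            offset = int(m.group(1), 16)      # int() accepts the sign and the 0x prefix
            # cmp only reads its operands; for everything else the last operand is written.
            is_write = pos == len(ops) - 1 and not mnemonic.startswith("cmp")
            slot = slots[offset]
            slot["size"] = max(slot["size"], access_width(mnemonic))
            slot["writes" if is_write else "reads"] += 1
    # Positive offsets are arguments, negative ones locals; name them A, B, C top-down.
    for name, offset in zip("ABCDEFGHIJ", sorted(slots, reverse=True)):
        slots[offset]["name"] = name
    return dict(slots)

if __name__ == "__main__":
    for offset, info in sorted(recover_variables(FOO_LISTING).items(), reverse=True):
        print(f"{info['name']} @ ebp{offset:+d}: {info['size']}-bit, "
              f"{info['reads']} reads, {info['writes']} writes")
```

On the foo() listing this yields exactly the three slots of slide 13 (A at +12, B at +8, C at -12), and additionally records that C is written twice and read once while the two arguments are only read, which is the kind of access information the later type-inference step consumes. Real code that indexes through other registers or computes addresses needs the full value-set analysis; this example stops at frame slots.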
Slide 14: 2. Type inference

Source code: a : int32_t, b : char *. In the binary program both are just 32-bit values, but their behavior has not changed: the operations applied to them are the same.

Source expression   Operation          Binary program
a + 3               addition           add 3, %eax
a / -3              signed division    idiv %eax
b / -3              signed division    idiv %edx
*b = 3              dereferencing      mov 4, (%edx)
Slide 15: ANALYZE the behavior on variables -> COLLECT the clues -> INFER the type of variables
Slide 16: Goal (repeated): reconstruct data abstractions conservatively and accurately.
Slide 17: No single answer (vs. general types)
Slide 18: Multiple types are possible!

The same binary code (make a stack frame; 1st arg + 2nd arg; return the result):

```
push %ebp
mov %esp,%ebp
sub $0x10,%esp
mov 0xc(%ebp),%eax
mov 0x8(%ebp),%edx
add %edx,%eax
mov %eax,-0x4(%ebp)
mov -0x4(%ebp),%eax
leave
ret
```

is produced by both of the following functions, whose types differ (int, uint, pointer of ...):

```c
int sum(int a, int b)
{
    int c;
    c = a + b;
    return c;
}

char *advance(char *str, unsigned int m)
{
    char *tmp;
    tmp = str + m;
    return tmp;
}
```
Slide 19: int / uint / pointer: GUESS!
Slide 20: Tell the type as it is

Rather than guessing one of int, uint or pointer, TIE reports what the binary actually shows, using:
• an expressive type system
• type intervals
Slide 21: TIE type system

int32 and uint32 are both num32; num32 and pointer are both reg32 (a 32-bit register-sized value). The C types sit at the bottom of this hierarchy, which allows us to express the type of variables as they are used.
Slide 22: Type lattice

• Basic types, from most general to most specific (each line lists a type and its immediate subtypes):

  T (top)    : reg32_t, reg16_t, reg8_t, reg1_t, code_t
  reg32_t    : num32_t, ptr(α)
  num32_t    : int32_t, uint32_t
  reg16_t    : num16_t
  num16_t    : int16_t, uint16_t
  reg8_t     : num8_t
  num8_t     : int8_t, uint8_t
  ⊥ (bottom) : below every type
Slide 23: Type specificity

A <: B means A is more specific than B, i.e. A is a subtype of B. Example: int32 <: num32.
Slide 24: Type interval

"How much does a binary program tell us about a variable?" The answer is an interval: a lower and an upper bound on the lattice, shown on the slide along the chain ⊥ <: uint32 <: num32 <: reg32.
Slide 25: Type interval, refined

The interval is refined as we know more about the variable:
  [⊥, T]  ->  [⊥, reg32]  ->  [uint32, num32]  ->  [uint32, uint32]
Slide 26: Conservativeness of result

"Is the real type within the inferred type interval?"
Example on the lattice of slide 22: inferred type [uint32_t, reg32_t], real type uint32_t. The real type lies inside the interval, so the result is conservative.
Slide 27: Goal (repeated): reconstruct data abstractions conservatively and accurately.
Slide 28: ANALYZE the behavior on variables -> COLLECT every clue -> INFER the type of variables
Slide 29: The INFER step is split in two: GENERATE type constraints (using the type constraint generation rules) -> SOLVE the type constraints.
Slide 30: Type constraints from usage clues (memory load)

Usage clue: value = load(index, s), a memory load of s bits. For example, movl (e1), e2 is e2 = load(e1, 32).
Type constraint: 'index' is a pointer to 'value', and the size of 'value' is s:

  [e1] = ptr([e2]) ∧ [e2] <: reg32_t

Notation: [e] is the type variable for expression e; "=" is an equality constraint, "<:" a subtype relationship, "∧" a conjunction.
Slide 31: Type constraints from usage clues (32-bit addition)

Usage clue: c = a +32 b. Three typings are possible:
  ('a': number,  'b': number,  'c': number) or
  ('a': pointer, 'b': number,  'c': pointer) or
  ('a': number,  'b': pointer, 'c': pointer)

For e3 = e1 +32 e2 the generated constraint is a disjunction of conjunctions:

  ([e1] <: ptr(α) ∧ [e2] <: num32_t ∧ ptr(β) <: [e3]) ∨ ([e1] <: num32_t ∧ [e2] <: ptr(α) ∧ ptr(β) <: [e3]) ∨ ···
Slide 32: Inter-procedural type inference

• The type of the passed arguments equals the type of the callee's parameters. For

  Function f1 ()           : var2 = var3 ... call f2 (var1, var2) ...
  Function f2 (arg1, arg2) : ... var4 = arg2

the call site yields [var1] = [arg1] and [var2] = [arg2].
Slide 33: Type constraints from well-known functions

Call             Known signature            Constraints
a = strlen(b)    uint32_t strlen(char *)    [a] = uint32_t, [b] = char *
strcpy(d, s)     strcpy(char *, char *)     [d] = char *, [s] = char *
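The constraint generation rules of slides 30 to 33, as an added example that is not TIE's code: a generator that applies the load rule, the 32-bit addition rule, the well-known-function rule and the inter-procedural argument rule to a tiny three-address IR. The IR tuples, the constraint tuples, the "[e]" spelling of type variables and the sample statements are assumptions of this example; the number/number case of the addition rule, which the slide elides with "···", is written by analogy with the two pointer cases shown.

```python
"""Type-constraint generation from usage clues.

Added example, not TIE's code.  It applies the rule families shown on
slides 30-33 to a tiny three-address IR: memory load, 32-bit addition,
calls to well-known library functions, and the inter-procedural argument
rule for calls inside the binary.  The IR tuples, the constraint tuples
and the "[e]" spelling of type variables are assumptions of this example.
"""

# Constraint forms:
#   ("eq", lhs, rhs)      lhs = rhs
#   ("sub", lhs, rhs)     lhs <: rhs   (lhs is at least as specific as rhs)
#   ("or", [conj, ...])   disjunction of conjunctions, each a list of constraints
# A pointer type is the tuple ("ptr", pointee).

def tv(e):
    """Type variable for program expression e, written [e] as on the slides."""
    return f"[{e}]"

# Signatures of well-known functions (slide 33): return type and parameter types.
KNOWN_FUNCTIONS = {
    "strlen": ("uint32_t", ["char *"]),
    "strcpy": ("char *", ["char *", "char *"]),
}

_counter = 0
def fresh():
    """A fresh type variable, the alpha/beta of the slides."""
    global _counter
    _counter += 1
    return f"t{_counter}"

def constraints_for(stmt):
    kind = stmt[0]
    if kind == "load":                      # value = load(index, size)
        _, value, index, size = stmt
        # index is a pointer to value, and value is a size-bit register value.
        return [("eq", tv(index), ("ptr", tv(value))),
                ("sub", tv(value), f"reg{size}_t")]
    if kind == "add32":                     # e3 = e1 +32 e2
        _, e3, e1, e2 = stmt
        alpha, beta = fresh(), fresh()
        # number + number (written by analogy with the slide's pointer cases)
        num_num = [("sub", tv(e1), "num32_t"), ("sub", tv(e2), "num32_t"),
                   ("sub", "num32_t", tv(e3))]
        ptr_num = [("sub", tv(e1), ("ptr", alpha)), ("sub", tv(e2), "num32_t"),
                   ("sub", ("ptr", beta), tv(e3))]
        num_ptr = [("sub", tv(e1), "num32_t"), ("sub", tv(e2), ("ptr", alpha)),
                   ("sub", ("ptr", beta), tv(e3))]
        return [("or", [num_num, ptr_num, num_ptr])]
    if kind == "call":                      # ret = callee(args...)
        _, ret, callee, args = stmt
        if callee in KNOWN_FUNCTIONS:
            rtype, ptypes = KNOWN_FUNCTIONS[callee]
            if len(args) != len(ptypes):
                raise ValueError(f"{callee}: expected {len(ptypes)} args, got {len(args)}")
            out = [("eq", tv(a), t) for a, t in zip(args, ptypes)]
            if ret is not None:
                out.append(("eq", tv(ret), rtype))
            return out
        # Callee inside the binary (slide 32): each passed argument has the type
        # of the corresponding parameter, named callee.argN here by assumption.
        return [("eq", tv(a), tv(f"{callee}.arg{i}")) for i, a in enumerate(args, 1)]
    raise ValueError(f"unknown statement kind {kind!r}")

def generate(stmts):
    """All constraints for a statement list, in program order."""
    out = []
    for s in stmts:
        out.extend(constraints_for(s))
    return out

# Constructed IR mixing the slides' examples:
#   n = strlen(buf); v = load(out, 32); p = str +32 m; f2(var1, var2)
SAMPLE_IR = [
    ("call", "n", "strlen", ["buf"]),
    ("load", "v", "out", 32),
    ("add32", "p", "str", "m"),
    ("call", None, "f2", ["var1", "var2"]),
]

if __name__ == "__main__":
    for c in generate(SAMPLE_IR):
        print(c)
```

The strlen call alone already pins [buf] to char * and [n] to uint32_t, which is why a single library call is such a strong clue; the load on out only says that out points to something 32-bit wide, and the addition produces a three-way disjunction that the solver has to resolve against the other constraints on str, m and p.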
Slide 34: ANALYZE the behavior on variables -> COLLECT every clue -> GENERATE type constraints -> SOLVE type constraints (next: solving)
Slide 35: Solving type constraints

• Equality, A = B: unification
• Subtype relationship, A <: B: closure algorithm
• Conjunctive, A ∧ B: solve all
• Disjunctive, A ∨ B: merge compatible terms
Slide 36: Equality constraints (unification)

Constraints: [a] = ptr([b]), [b] = [c], [c] = uint32
Unifying [b] with [c] and then [c] with uint32 gives [b] = [c] = uint32; substituting into the first constraint gives [a] = ptr(uint32).
Slides 37-39: Subtype relationship constraints (closure algorithm)

Constraints: int32_t <: [a] <: [b] <: num32_t, solved on the chain ⊥ <: int32 <: num32 <: reg32 <: T.

Step 1 (slide 37): initially nothing is known, [a] = [⊥, T] and [b] = [⊥, T].
Step 2 (slide 38): from [a] <: [b] <: num32_t the upper bounds become num32: [a] = [⊥, num32], [b] = [⊥, num32].
Step 3 (slide 39): from int32_t <: [a] <: [b] the lower bounds become int32: [a] = [int32, num32], [b] = [int32, num32].
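The lattice of slide 22, type intervals (slides 24 to 26) and the two solving steps of slides 36 to 39, as one added example that is not TIE's implementation. Two simplifications are assumptions of this example: pointer types collapse to a single node "ptr" (so the pointee in ptr([b]) is dropped), and the closure algorithm is a plain fixed-point propagation of lower and upper bounds along subtype constraints. The block also implements the level distance that the evaluation slides use as their accuracy measure, with the level of ⊥ set to 4 by assumption.

```python
"""TIE-style type lattice, type intervals and constraint solving.

Added example, not TIE's implementation.  The lattice is the one drawn on
slide 22.  Two simplifications are assumptions of this example: pointer
types collapse to one node "ptr" (pointee types are dropped), and the
closure step is a plain fixed-point propagation of lower and upper bounds
along subtype constraints.  It also computes the level distance used for
the accuracy measure in the evaluation.
"""

# Immediate supertype of each basic type; "T" is top, "_|_" is bottom.
PARENT = {
    "reg32_t": "T", "reg16_t": "T", "reg8_t": "T", "reg1_t": "T", "code_t": "T",
    "num32_t": "reg32_t", "ptr": "reg32_t",
    "int32_t": "num32_t", "uint32_t": "num32_t",
    "num16_t": "reg16_t", "int16_t": "num16_t", "uint16_t": "num16_t",
    "num8_t": "reg8_t", "int8_t": "num8_t", "uint8_t": "num8_t",
}
TYPES = set(PARENT) | {"T", "_|_"}

def ancestors(t):
    """t followed by every type above it, ending at T."""
    chain = [t]
    while t in PARENT:
        t = PARENT[t]
        chain.append(t)
    return chain

def subtype(a, b):
    """a <: b: a is at least as specific as b."""
    if a == "_|_" or b == "T":
        return True
    if a == "T" or b == "_|_":
        return False
    return b in ancestors(a)

def join(a, b):
    """Least upper bound: the lowest common ancestor."""
    if subtype(a, b):
        return b
    if subtype(b, a):
        return a
    return next(t for t in ancestors(b) if t in ancestors(a))

def meet(a, b):
    """Greatest lower bound; the lattice is a tree, so it is a, b or bottom."""
    if subtype(a, b):
        return a
    if subtype(b, a):
        return b
    return "_|_"

def level(t):
    """Depth below T (slide 48): T=0, reg32_t=1, num32_t=2, int32_t=3; bottom=4 by assumption."""
    return 4 if t == "_|_" else len(ancestors(t)) - 1

def distance(real, inferred):
    return abs(level(real) - level(inferred))

def conservative(real, interval):
    """Slide 26: is the real type inside the inferred interval [lo, hi]?"""
    lo, hi = interval
    return subtype(lo, real) and subtype(real, hi)

class Solver:
    """Equality by union-find unification, subtyping by bound propagation."""
    def __init__(self):
        self.parent = {}      # union-find over type variables
        self.interval = {}    # class representative -> [lower, upper]
        self.subs = []        # (lhs, rhs) meaning lhs <: rhs

    def find(self, v):
        self.parent.setdefault(v, v)
        while self.parent[v] != v:
            self.parent[v] = self.parent[self.parent[v]]
            v = self.parent[v]
        return v

    def bounds(self, x):
        if x in TYPES:
            return [x, x]                      # a concrete type is its own interval
        return self.interval.setdefault(self.find(x), ["_|_", "T"])

    def equal(self, a, b):
        if a in TYPES or b in TYPES:           # var = type: bound it from both sides
            self.subs += [(a, b), (b, a)]
            return
        ra, rb = self.find(a), self.find(b)
        if ra != rb:                           # merge classes, intersect intervals
            ia, ib = self.bounds(ra), self.bounds(rb)
            self.parent[rb] = ra
            self.interval[ra] = [join(ia[0], ib[0]), meet(ia[1], ib[1])]
            self.interval.pop(rb, None)

    def sub(self, lhs, rhs):
        self.subs.append((lhs, rhs))

    def solve(self):
        """Closure: lhs <: rhs pushes rhs's upper bound down to lhs and lhs's lower bound up to rhs."""
        changed = True
        while changed:
            changed = False
            for lhs, rhs in self.subs:
                lo, hi = self.bounds(lhs), self.bounds(rhs)
                new_hi = meet(lo[1], hi[1])
                new_lo = join(hi[0], lo[0])
                if lhs not in TYPES and new_hi != lo[1]:
                    lo[1], changed = new_hi, True
                if rhs not in TYPES and new_lo != hi[0]:
                    hi[0], changed = new_lo, True
        return {v: tuple(self.bounds(v)) for v in self.parent}
```

Feeding int32_t <: [a] <: [b] <: num32_t to Solver reproduces the three steps of slides 37 to 39: both variables start at [⊥, T], the upper bounds drop to num32_t on the first pass, and the lower bounds rise to int32_t, giving [int32_t, num32_t] for both. An interval whose lower bound is no longer below its upper bound would mean the constraints are contradictory; this example does not check for that.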
Slide 40: Rest of the talk

• Limitations
• Related work
• Evaluation
Slide 41: Limitations

• Works on regular programs compiled from C code; not very informative for irregular programs
• Infers only types expressible in the TIE type system; the type system is extendable
Slide 42: Related work

Hex-Rays vs. TIE:
  Hex-Rays: ?
  TIE: principled reverse engineering, with a well-defined process and a basis in type theory

REWARDS vs. TIE:
  REWARDS: dynamic analysis only; type propagation from type sinks (unification)
  TIE: static + dynamic; type inference with a more expressive type system (unification + closure algorithm)

Also: Boomerang [RE 2005], Laika [OSDI 2008], Tupni [CCS 2008]
Slide 43: Evaluation
Slide 44: Hex-Rays on foo()

Variable  Source type      Hex-Rays
buf       char *           char *
out       unsigned int *   int
c         unsigned int     int

(Same annotated listing as slide 10: make a stack frame, c = 0, if (buf), call strlen, subtraction, return.)
Slide 45: REWARDS on foo()

REWARDS is dynamic; on the execution trace used here buf = 0, so the strlen branch is never taken:

Variable  Source type      REWARDS (buf = 0)
buf       char *           unsigned int
out       unsigned int *   unsigned int
c         unsigned int     unsigned int
Slide 46: TIE on foo()

Variable  Source type      TIE
buf       char *           char *
out       unsigned int *   unsigned int *
c         unsigned int     unsigned int
Slide 47: % of variables conservatively typed (higher is better)

Bar chart: rate of conservatively inferred types on 87 programs in coreutils 8.4, on a single execution trace, shown per program (chroot, df, groups, hostid, users, ...). Left panel, static: Hex-Rays vs. TIE. Right panel, dynamic: REWARDS vs. TIE. Annotation on the chart: 40%+.
Slide 48: Accuracy

Distance to real types: the difference in level between a real type and an inferred type (selected from the type interval) on the lattice of slide 22. The example on the slide has distance = 2, i.e. the real and the inferred type are two levels apart (as uint32_t and reg32_t are).
Slide 49: Distance to real types (lower is better)

Bar chart: difference in levels to the real types on 87 programs in coreutils 8.4, on a single execution trace, per program (chroot, df, groups, hostid, users, ...); y axis from 0.25 to 2.75. Left panel, static: Hex-Rays vs. TIE. Right panel, dynamic: REWARDS vs. TIE. Annotation on the chart: 30%.
Slide 50: REWARDS-c

Two bar charts comparing REWARDS-c with TIE per program (chroot, df, groups, hostid, users): conservativeness (0% to 100%) and distance (0.25 to 2.75).
(Special thanks to Zhiqiang Lin, Dongyan Xu)
Slide 51: Structural types

Record types {l_i : T_i} map field offsets to field types. For example

```c
struct {
    int   a;
    int  *b;
    short c;
    short d;
}
```

becomes {0 : int32, 4 : int32 *, 8 : int16, 10 : int16}.

Bar charts: conservativeness (0% to 100%) and distance (0 to 3.00) for structural types, Hex-Rays vs. TIE.
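The record type above in both directions, as an added example that is not TIE's code: layout() computes the {offset : type} record a compiler produces from a struct declaration under the natural-alignment rule (each field aligned to its own size, which is what common 32-bit ABIs do), and recover_record() rebuilds a record from (offset, width) accesses seen through one base pointer, typing each field only as reg{width}_t because the accesses alone reveal no more. Both rules, the type-size table and the sample accesses are assumptions of this example.

```python
"""Record types from field declarations and from observed field accesses.

Added example, not TIE's code.  layout() computes the {offset: type}
record for a struct declaration under natural alignment (each field
aligned to its own size, as on common 32-bit ABIs); recover_record()
builds the same kind of record from (offset, width) accesses observed
through a base pointer, typing each field as reg{width}_t since the
accesses alone do not reveal more.  Both rules and the sample inputs
are assumptions of this example.
"""

# Size in bytes of the field types used here (32-bit target).
FIELD_SIZE = {"int32": 4, "int32 *": 4, "int16": 2, "int8": 1}

def layout(fields, max_align=None):
    """fields: list of (name, ctype).  Returns {offset: ctype}.
    max_align caps the alignment (max_align=1 models a packed struct)."""
    record, offset = {}, 0
    for _name, ctype in fields:
        size = FIELD_SIZE[ctype]
        align = size if max_align is None else min(size, max_align)
        offset = (offset + align - 1) // align * align   # pad up to the field's alignment
        record[offset] = ctype
        offset += size
    return record

def width_bits(reg_type):
    """'reg16_t' -> 16."""
    return int(reg_type[3:-2])

def recover_record(accesses):
    """accesses: iterable of (offset, width_bits) loads/stores through one base pointer.
    Returns {offset: 'reg<width>_t'}; the widest access seen at an offset wins."""
    record = {}
    for offset, width in accesses:
        if offset not in record or width > width_bits(record[offset]):
            record[offset] = f"reg{width}_t"
    return record

def consistent(recovered, declared):
    """Conservativeness check for records: every recovered field must start at a
    declared field offset and must not be wider than the declared field."""
    for offset, reg_type in recovered.items():
        if offset not in declared:
            return False
        if width_bits(reg_type) // 8 > FIELD_SIZE[declared[offset]]:
            return False
    return True

# The struct from the slide.
STRUCT_FIELDS = [("a", "int32"), ("b", "int32 *"), ("c", "int16"), ("d", "int16")]

# Constructed accesses: 32-bit loads at +0 and +4 (twice), 16-bit loads at +8 and +10.
SAMPLE_ACCESSES = [(0, 32), (4, 32), (8, 16), (10, 16), (4, 32)]

if __name__ == "__main__":
    print("declared :", layout(STRUCT_FIELDS))
    print("recovered:", recover_record(SAMPLE_ACCESSES))
    print("consistent:", consistent(recover_record(SAMPLE_ACCESSES), layout(STRUCT_FIELDS)))
```

The declared layout comes out as {0: int32, 4: int32 *, 8: int16, 10: int16}, matching the slide, and the recovered record lands on the same offsets. Padding is the detail worth noticing: an int8 followed by an int32 puts the second field at offset 4, not 1, so an analysis that assumes fields are packed end to end would place a recovered 32-bit access at the wrong field.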
Slide 52: Conclusion

TIE: Principled Reverse Engineering of Types in Binary Programs
• Well-defined process, theoretical foundation
• Type inference with a rich type system
• Static and dynamic binary analysis