基于路径约束的间接跳转目标地址识别

计算机科学 ›› 2013, Vol. 40 ›› Issue (Z6): 315-319.

基于路径约束的间接跳转目标地址识别

李丹,王震宇,井靖,王国好

信息工程大学郑州450002;信息工程大学郑州450002;信息工程大学郑州450002;信息工程大学郑州450002

出版日期:2018-11-16 发布日期:2018-11-16

Recognition of Indirect Jump Targets Based on Trace Constraint

LI Dan,WANG Zhen-yu,JING Jing and WANG Guo-hao

Online:2018-11-16 Published:2018-11-16

摘要/Abstract

摘要： 间接跳转目标地址的识别一直是二进制代码控制流重构的难点之一,其跳转目标一般依赖于程序动态执行时的信息,传统方法无法精确识别。通过对控制流重构技术的研究,提出一种基于路径约束的间接跳转目标地址识别方法,即对于一个间接跳转,在初始控制流图的基础上构建从程序入口点到间接跳转的路径集合,对于每条路径,首先通过数据流分析相关技术得到跳转目标地址关于自由变量的一个表达式,然后对路径约束求解,得到满足约束的自由变量的一组特定解,并以此确定跳转目标表达式的值。通过该方法,每个间接跳转都可以根据路径集合确定跳转目标的地址集合。

关键词: 控制流重构,间接跳转,目标地址识别,路径约束,数据流分析

Abstract: The recognition of indirect jump targets is one of the most difficult problems for control flow reconstruction from binary all the time．Due to dependency for runtime information,traditional solutions of indirect jump cannot meet the demand of precision．Through research of control flow reconstruction technical,we presented a new method for recognition of indirect jump targets based on trace constraint．For an indirect jump,a trace set from entry point to indirect jump can be constructed from a given initial control flow graph．Then for every element of the trace set,a target address can be determined through trace constraint resolve and target address expression which is constructed with relevant control flow analysis technical．By this means,a set of jump targets can be determined for every indirect jump.

Key words: Control flow reconstruction,Indirect jump,Recognition of target address,Trace constraint,Data flow analysis

李丹,王震宇,井靖,王国好. 基于路径约束的间接跳转目标地址识别[J]. 计算机科学, 2013, 40(Z6): 315-319. https://doi.org/

LI Dan,WANG Zhen-yu,JING Jing and WANG Guo-hao. Recognition of Indirect Jump Targets Based on Trace Constraint[J]. Computer Science, 2013, 40(Z6): 315-319. https://doi.org/

参考文献

[1] Balakrishnan G.WYSINWYX:What you see is not what you execute[D]．Wisconsin:University of Wisconsin,2007
[2] Cifuentes C．Reverse Compilation Techniques [D]．Queensland:Queensland University of Technology,1994
[3] Bardin S,Herrmann P,Vedrine F．Refinement-Based CFG Re-construction from Unstructured Program[C]∥Verification Model Checking and Abstract Interpretation (VMCAI),2011．Berlin:LNCS 6538,2011:54-69
[4] Larus J R,Schnarr E．EEL:Machine-Independent ExecutableEditing[C]∥Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation．1995:291-300
[5] De Sutter B,De Bus B,De Bosschere K.Link-time binary rewriting techniques for program compaction[J]．ACM Trans．Program．Lang．Syst．,2005,27(5):882-945
[6] Kinder J,Zuleger F,Veith H．An Abstract Interpretation-Based Framework for Control Flow Reconstruction from Binaries[C]∥Verification Model Checking and Abstract Interpretation (VMCAI),2009．Berlin:LNCS 5043,2009:214-228
[7] Kinder J,Kravchenko D．Alternating Control Flow Reconstruction[C]∥Verification Model Checking and Abstract Interpretation (VMCAI),2012．Berlin:LNCS 7148,2012:267-282
[8] Xu L,Sun F,Su Z．Constructing precise control flow graphsfrom binaries[R]．Tech．Rep.University of California,Davis,2009
[9] Binary analysis platform (BAP)．http://bap.ece.cmu.edu,2012-11-25
[10] Song D,Brumley D,Yin Heng,et al．BitBlaze:A New Approach to Computer Security via Binary Analysis[C]∥Intelligent Computing and Integrated Systems Security (ICISS),2008．Berlin:LNCS 5352,2008:1-25
[11] STP:A Decision Procedure for Bitvectors and Arrays．http://people.csail.mit.edu/vganesh/STP_files/stp.html,2012-11-01
[12] 方霞.代码逆向分析中的语句恢复与算法识别技术研究[D]．郑州:信息工程大学,2009
[13] 殷文建.面向ARM体系结构的代码逆向分析关键技术研究[D]．郑州:信息工程大学,2009
[14] Schwartz E J,Avgerinos T,Brumely D．All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution[C]∥IEEE Symposium on Security and Privacy,2010．Pittsburgh:DOI 10.1109/SP,2010,26

Metrics

Viewed

Full text

Abstract

Cited

Shared

Discussed