Probabilistic Disassembly



Abstract - Disassembling stripped binaries is a prominent challenge for binary analysis, due to the interleaving of code segments and data, and the difficulties of resolving control transfer targets of indirect calls and jumps. As a result, most existing disassemblers have both false positives (FP) and false negatives (FN). We observe that uncertainty is inevitable in disassembly due to the information loss during compilation and code generation. Therefore, we propose to model such uncertainty using probabilities and propose a novel disassembly technique, which computes a probability for each address in the code space, indicating its likelihood of being a true positive instruction. The probability is computed from a set of features that are reachable to an address, including control flow and data flow features. Our experiments with more than two thousands binaries show that our technique does not have any FN and has only 3.7% FP. In comparison, a state-of-the-art superset disassembly technique has 85% FP. A rewriter built on our disassembly can generate binaries that are only half of the size of those by superset disassembly and run 3% faster. While many widelyused disassemblers such as IDA and BAP suffer from missing function entries, our experiment also shows that even without any function entry information, our disassembler can still achieve 0 FN and 6.8% FP.

--> Link <--

-----
RE In Progress [!] Coding Hazard [!] Stay Clear of this Cube

| Сообщение посчитали полезным: plutos, Jupiter

Для кода, сгенерированного стандартными компилерами 6.8% ложных срабатываний не особенно впечатляют. Но глумеж над автоанализом иды засчитан

-----
2 оттенка серого

| Сообщение посчитали полезным:

Эти доки публикуют чуть ли не каждый день, там даже оформление автоматикой сделано. Какой там вообще смысл ?
Дизасмить мы тоже умеем. Суть то в чём ?

-----
vx

| Сообщение посчитали полезным:

Spedi - Speculative disassembly, CFG recovery, and call-graph recovery from stripped binaries.

Spedi is a speculative disassembler for the variable-size Thumb ISA. Given an ELF file as input, Spedi can:

Recover correct assembly instructions.
Recover targets of switch jumps tables.
Identify functions in the binary and their call graph.
Spedi works directly on the binary without using symbol information. We found Spedi to outperform IDA Pro in our experiments.

Dependencies
This project depends on Capstone disassembly library (v3.0.4).

Result summary
Spedi (almost) perfectly recovers assembly instructions from our benchmarks binaries with 99.96% average. In comparison, IDA Pro has an average of 95.83% skewed by the relative poor performance on sha benchmark.

Callgraph
Spedi precisely recovers 97.46% of functions on average. That is, it identifies the correct start address and end address. Compare that to 40.53% average achieved by IDA Pro.

Disassembly time
A nice property of our technique is that it's also fast and scales well with increased benchmark size. For example, spedi disassembles du (50K instructions) in about 150 ms. Note that there is good room for further optimizations.

Spedi - --> Link <--
Speculative disassembly of binary code - --> Link <--



Nucleus, a tool for function identification in x64 binaries. Their paper "Compiler-Agnostic Function Detection in Binaries" was accepted at IEEE Euro S&P 2017. They use more or less the same function identification techniques implemented in Spedi.

Nucleus - --> Link <--
Compiler-Agnostic Function Detection in Binaries - --> Link <--

-----
RE In Progress [!] Coding Hazard [!] Stay Clear of this Cube

| Сообщение посчитали полезным: Bronco, r_e, plutos