reverse engineering automation

Download Reverse Engineering automation

Post on 12-May-2015




4 download

Embed Size (px)


  • Anton Dorfman PHDAYS 2014, Moscow

2. Fan of & Fun with Assembly language Researcher Scientist Teach Reverse Engineering since 2001 Candidate of technical science Lecturer at Samara State Technical University and Samara State Aerospace University 3. Intro Simple Trace & Coverage Graph Program Slicing All Together 4. Iterative process Understand small piece of code make abstraction in mind Understand all pieces of code in procedure unite all abstractions make abstraction about function And etc Good visualization important Many routine tasks 5. Code localization Data flow dependencies Code flow dependencies Local variables checking Input output procedures parameters checking Variables range checking Labels naming Function naming Function prototyping 6. Biggest science school - Professor Thomas W. Reps - University of Wisconsin-Madison - In Russia Institute for System Programming Russian Academy of Science - 7. Dynamic Binary Instrumentation (DBI) Intermediate representation (IR) System emulators 8. Function Variable Label 9. Also called Execution Trace Trace of program execution Simpe case - just a list of addresses that instruction pointer takes on single run 10. Firstly used as a measure to describe the degree to which the source code of a program is tested by a particular test suite. List of instructions that executed during single run List of unique addresses from program trace 11. Difference between code coverage can help to locate code that do some functionality Common code coverage common functionality More runs more diff between code coverage precise code localization 12. The collection of all memory accesses performed by an application in single run Include both writes and reads 13. Include Code Trace Include all registers values and memory values at every execution point May be absolute save all values Relative just save values that changed at this execution point 14. Directed graph that shows control dependencies between blocks of commands Each node represents basic block Basic block piece of code ends with jump, starts with jump target without any jump or jump target inside block Two special blocks entry block and exit block 15. Directed graph that represents calling relationships between subroutines in a computer program Each node represents procedure Each edge (a, b) indicates that procedure a calls procedure b Cycle in the graph indicates recursive procedure calls Static call graph represents every possible run of the program Dynamic call graph is a record of an execution of the program 16. Directed graph that represents data dependencies between a number of operations Each node represents operation Each edge represents variable 17. Ottenstein & Ottenstein PDG, 1984 Actually Procedure dependence graph because introduced for programs with one procedure Each node represents a statement Two types of edges Control Dependence between a predicate and the statements it controls Data Dependence between statements modifying a variable and those that may reference it Special Entry node is connected to all nodes that are not control dependant 18. Horowitz, Reps & Binkly SDG, 1990 PDG included for procedures New nodes: Call Site, Procedure Entry, Actual-in- argument, Actual-out-argument, Formal-in- parameter, Formal-out-parameter 3 new edge types Call Edge connect call site and procedure entry Parameter-In Edge connect Actual-in with Formal-in Parameter-Out-Edge connect Actual-out with Formal-out 19. Large programs must be decomposed for understanding and manipulation. However, it should be into procedures and abstract data types. Program Slicing is decomposition based on data flow and control flow analysis. A study showed, experienced programmers mentally slicing while debugging. The mental abstraction people make when they are debugging a program [Weiser] 20. All the statements of a program that may affect the values of some variables in a set V at some point of interest i. A slicing criterion of a program P is a tuple (i, V), where i is a statement in P and V is a subset of variables in P. Slicing Criterion: C = (i , V) 21. Direction of slicing Backward Forward Slicing techniques Static Dynamic Conditioned Levels of slices Intraprocedural slicing Interprocedural slicing 22. Original Slicing Method Backward slice of a program with respect to a program point i and set of program variables V consists of all statements and predicates in the program that may affect the value of variables in V at I Answer the question what program components might effect a selected computation? Preserve the meaning of the variable (s) in the slicing criterion for all possible inputs to the program 23. Slice criterion 1 main( ) 2 { 3 int i, sum; 4 sum = 0; 5 i = 1; 6 while(i