Research article. DOI: 10.1145/2968455.2968514

A jump-target identification method for multi-architecture static binary translation

Published: 01 October 2016

Abstract

Static binary translation is a technique that allows an executable program for a given architecture to be translated into a different one, with a reduced overhead compared to emulators and dynamic binary translators. The main downside of the static approach lies in the absence of runtime information, which is available in other solutions. In particular, one of the key issues is distinguishing data from code in the program and, more specifically, detecting basic block start addresses (jump targets). The presence of indirect jump instructions whose target is not immediately evident, in particular those generated for C switch statements, makes the recovery of jump targets a challenging task.
In this paper, we present an effective technique for jump target identification composed of an initial step of global data harvesting followed by two novel analyses: the Simple Expression Tracker and the Offset Shifted Range Analysis (OSRA). Both analyses work on a Single Statement Assignment (SSA) intermediate representation and are iterated until they provide no additional information. In particular, OSRA is a data-flow analysis modeled after the typical code generated for switch statements. It tracks each SSA value in terms of an offset, a scaling factor, and another SSA value constrained between a lower and an upper bound (e.g., b = 10 + 4 · x, with 8 ≤ x ≤ 10).
To validate the effectiveness of the proposed technique, we employ revamb, an in-house binary translation tool built on QEMU and the LLVM compiler framework. Our experimental results show that we are able to run the coreutils test suite on ARM, MIPS and x86-64 without significant failures due to unidentified jump targets.
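As an added illustration (not code from the paper or from revamb), the following Python models an OSRA-style abstract value, offset + scale · x with lo ≤ x ≤ hi, and runs it over the SSA form of a bounds-checked switch to enumerate the jump-table entries it can prove. The tuple instruction encoding, the read32 helper and the three-entry jump table are constructed here and are assumptions, not the paper's IR.

```python
import struct
from dataclasses import dataclass, replace
from typing import Optional
@dataclass(frozen=True)
class OSR:  # Offset Shifted Range: value = offset + scale * base, with lo <= base <= hi
    base: str
    offset: int = 0
    scale: int = 1
    lo: Optional[int] = None  # None: no bound known yet
    hi: Optional[int] = None
def read32(mem_base, mem, addr):
    # little-endian u32 at addr inside a single memory blob that starts at mem_base (assumed layout)
    off = addr - mem_base
    return struct.unpack_from("<I", mem, off)[0] if 0 <= off <= len(mem) - 4 else None
def osra(program, mem_base, mem, max_entries=256):  # returns the set of proven jump targets
    env, targets = {}, set()
    for kind, dst, *args in program:   # straight-line SSA: each dst is defined exactly once
        if kind == "param":              # unknown input value: becomes its own base
            env[dst] = OSR(base=dst)
        elif kind == "bound":            # lo <= src <= hi, learned from a compare-and-branch
            o, lo, hi = env[args[0]], args[1], args[2]
            # translate a bound on offset + scale*x (scale > 0) into a bound on x itself
            x_lo = -((o.offset - lo) // o.scale)   # ceil((lo - offset) / scale)
            x_hi = (hi - o.offset) // o.scale      # floor((hi - offset) / scale)
            env[dst] = replace(o, lo=x_lo if o.lo is None else max(o.lo, x_lo),
                               hi=x_hi if o.hi is None else min(o.hi, x_hi))
        elif kind == "mul":
            o, k = env[args[0]], args[1]
            env[dst] = replace(o, offset=o.offset * k, scale=o.scale * k)
        elif kind == "add":
            o, k = env[args[0]], args[1]
            env[dst] = replace(o, offset=o.offset + k)
        elif kind == "load":             # one table read per candidate address
            o = env[args[0]]
            if o.lo is None or o.hi is None or o.hi - o.lo >= max_entries:
                env[dst] = frozenset()   # unbounded index: claim no targets at all
            else:
                reads = (read32(mem_base, mem, o.offset + o.scale * x) for x in range(o.lo, o.hi + 1))
                env[dst] = frozenset(v for v in reads if v is not None)
        elif kind == "jump" and isinstance(env[dst], frozenset):
            targets |= env[dst]
    return targets

# Constructed sample: 3-entry jump table at 0x1000 and the SSA form of a bounds-checked switch
TABLE_BASE = 0x1000
TABLE = struct.pack("<3I", 0x400, 0x410, 0x420)
SWITCH = [("param", "idx"),
          ("bound", "idx1", "idx", 0, 2),       # cmp idx, 2 ; ja default (fall-through path)
          ("mul", "scaled", "idx1", 4), ("add", "addr", "scaled", TABLE_BASE),
          ("load", "target", "addr"), ("jump", "target")]
```

Without the "bound" step the index stays unbounded and osra returns an empty set, which is the conservative answer the abstract describes for an indirect jump whose target cannot be recovered.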



Published In

CASES '16: Proceedings of the International Conference on Compilers, Architectures and Synthesis for Embedded Systems
October 2016
187 pages
ISBN:9781450344821
DOI:10.1145/2968455

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. data flow analysis
  2. jump target identification
  3. static binary translation

Qualifiers

  • Research-article

Conference

ESWEEK'16
ESWEEK'16: TWELFTH EMBEDDED SYSTEM WEEK
October 1 - 7, 2016
Pittsburgh, Pennsylvania

Acceptance Rates

Overall Acceptance Rate 52 of 230 submissions, 23%

Article Metrics

  • Downloads (last 12 months): 22
  • Downloads (last 6 weeks): 1
Reflects downloads up to 04 Oct 2024


Cited By

  • (2024) Scalable, Sound, and Accurate Jump Table Analysis. Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 541-552. DOI: 10.1145/3650212.3680301. Online publication date: 11-Sep-2024.
  • (2024) Polynima: Practical Hybrid Recompilation for Multithreaded Binaries. Proceedings of the Nineteenth European Conference on Computer Systems, pp. 1126-1141. DOI: 10.1145/3627703.3650065. Online publication date: 22-Apr-2024.
  • (2024) LAST: An Efficient In-place Static Binary Translator for RISC Architectures. Algorithms and Architectures for Parallel Processing, pp. 235-254. DOI: 10.1007/978-981-97-0801-7_14. Online publication date: 1-Mar-2024.
  • (2023) A Dynamic and Static Binary Translation Method Based on Branch Prediction. Electronics 12(14), article 3025. DOI: 10.3390/electronics12143025. Online publication date: 10-Jul-2023.
  • (2023) Accurate Disassembly of Complex Binaries Without Use of Compiler Metadata. Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 4, pp. 1-18. DOI: 10.1145/3623278.3624766. Online publication date: 25-Mar-2023.
  • (2023) A Survey of Control Flow Graph Recovery for Binary Code. Computer Applications, pp. 225-244. DOI: 10.1007/978-981-99-8761-0_16. Online publication date: 16-Dec-2023.
  • (2022) One size does not fit all: security hardening of MIPS embedded systems via static binary debloating for shared libraries. Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 255-270. DOI: 10.1145/3503222.3507768. Online publication date: 28-Feb-2022.
  • (2021) Raising MIPS Binaries to LLVM IR. Information Systems Security, pp. 94-108. DOI: 10.1007/978-3-030-92571-0_6. Online publication date: 10-Dec-2021.
  • (2020) BinRec. Proceedings of the Fifteenth European Conference on Computer Systems, pp. 1-16. DOI: 10.1145/3342195.3387550. Online publication date: 15-Apr-2020.
  • (2018) rev.ng. Proceedings of the Fifth Workshop on Cryptography and Security in Computing Systems, p. 20. DOI: 10.1145/3178291.3178297. Online publication date: 24-Jan-2018.
