Programming and Computer Software

, Volume 44, Issue 3, pp 200–206 | Cite as

On the Representation of Results of Binary Code Reverse Engineering

  • V. A. Padaryan
  • I. N. Ledovskikh


A representation of algorithms extracted from binary code by reverse engineering is discussed. Both intermediate representations designed for automatic analysis and final representations passed to the end user are considered. The two main tasks of reverse engineering—automatic detection of exploitable vulnerabilities and discovery of undocumented features— are analyzed. The basic scheme of the system implementing the automatic detection of exploitable vulnerabilities is presented and the key properties of the intermediate representation designed for solving this problem using an efficient generation of a system of equations for an SMT solver are described. The workflow for discovering undocumented features is described. These steps are the localization of the algorithm, its representation in the form that is convenient for analysis, and investigation of its properties. To automate the first phase, a combined static and dynamic representation is constructed, which includes OS-level events and calls to library functions; they serve as anchor points used by the analyst for the algorithm localization. The further support of localization uses code slicing and navigation algorithms. Once the algorithm is localized, the further work goes in two directions: interactive construction of a compact annotated representation of the algorithm by a flowchart and automated investigation of the algorithm properties aimed at determining declared and undeclared data flows. The representation of the algorithm is based on the construction of simplified models of functions taking into account input and output buffers and on the automatic detection of data dependences between buffers of various function calls. The overall scenario of the analyst' work with such a flowchart in the context of discovering undocumented features is described; this scenario is based on annotating the declared data flows and on the automatic detection of undeclared data flows. In conclusion, an example of the resulting representation is discussed and the directions of further research are discussed.


binary code combined analysis intermediate representation 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Wang, X., Zeldovich, N., Kaashoek, M.F., and Solar-Lezama, A., A Differntial Approach to Undefined Behavior Detection, ACM Trans. Comput. Syst., 2015, vol. 33, no. 1, pp. 1–29.CrossRefGoogle Scholar
  2. 2.
    Song, D., Brumley, D., Yin, H., et al., BitBlaze: A new approach to computer security via binary analysis, Inf. Syst. Security, 2008, pp. 1–25Google Scholar
  3. 3.
    Brumley, D., Jager, I., Avgerinos, T., et al., BAP: A binary analysis platform, in Int. Conf. on Computer Aided Verification, 2011, pp. 463–469CrossRefGoogle Scholar
  4. 4.
    Shoshitaishvili, Y., Wang, R., Salls, C., et al., Sok: (state of) the art of war: Offensive techniques in binary analysis, in IEEE Symposium on Security and Privacy (SP), 2016, pp. 138–157Google Scholar
  5. 5.
    Cha, S. K., Avgerinos, T., Rebert, A., et al., Unleashing mayhem on binary code, in IEEE Symposium on Security and Privacy (SP), 2012, pp. 380–394Google Scholar
  6. 6.
    Defense Advanced Research Projects Agency Program Information: Cyber Grand Challenge (CGC).
  7. 7.
    Padaryan, V.A., Get’man, A.I., Solov’ev, M.A., Bakulin, M.G., Borzilov, A.I., Kaushan, V.V., Ledovskykh, I.N., Markin, Yu.V., and Panasenko, S.S., Methods and software tools supporting the combined analysis of binary code, Trudy ISP RAN, 2014, vol. 26, no. 1, pp. 251–276.Google Scholar
  8. 8.
    Ivannikov, V.P., Belevantsev, A.A., Borodin, A.E., Ignatiev, V.N., Zhurikhin, D.M., and Avetisyan, A.I., Static analyzer Svace for finding defects in a source program code, Program. Comput. Software, 2014, vol. 40, no. 5, pp. 265–275.CrossRefGoogle Scholar
  9. 9.
    Koshelev, V.K., Ignat’ev, V.N., Borzilov, A.I., and Belevantsev, A.A., SharpChecker static analysis tool for C, Program. Comput. Software, 2017, vol. 43, no. 4, pp. 268–276.CrossRefGoogle Scholar
  10. 10.
    Dudina, I.A. and Belevantsev, A.A., Using static symbolic execution to detect buffer overflows, Program. Comput. Software, 2017, vol. 43, no. 5, pp. 277–288.MathSciNetCrossRefGoogle Scholar
  11. 11.
    Belevantsev, A.A., Multilevel static analysis for improving program quality, Program. Comput. Software, 2017, vol. 43, no. 6, pp. 321–336.MathSciNetCrossRefGoogle Scholar
  12. 12.
    Kaushan, V.V., Mamontov, A.Yu., Padaryan, V.A., and Fedotov, A.N., A method for detecting some types of memory bugs in binary code, Trudy ISP RAN, 2015, vol. 27, no. 2, pp. 105–126.Google Scholar
  13. 13.
    Nethercote, N. and Seward, J., Valgrind: A framework for heavyweight dynamic binary instrumentation, ACM SIGPLAN Notices, 2007, vol. 42, no. 6, pp. 89–100.CrossRefGoogle Scholar
  14. 14.
    Luk, C.K., Cohn, R., Muth, R., et al., Pin: Building customized program analysis tools with dynamic instrumentation, ACM SIGPLAN Notices, 2005, vol. 40, no. 6, pp. 190–200.CrossRefGoogle Scholar
  15. 15.
    Bellard, F., QEMU, a fast and portable dynamic translator, in USENIX Annual Technical Conference, FREENIX Track, 2005, pp. 41–46Google Scholar
  16. 16.
    De Moura, L. and Bjorner, N., Z3: An efficient SMT solver, in Tools and Algorithms for the Construction and Analysis of Systems, 2008, pp. 337–340CrossRefGoogle Scholar
  17. 17.
    Padaryan, V.A., Solov’ev, M.A., and Kononov, A.I., Simulation of operational semantics of machine instructions, Program. Comput. Software, 2011, vol. 37, no. 3, pp. 161–170.CrossRefzbMATHGoogle Scholar
  18. 18.
    Dullien, T. and Porst, S., REIL: A platform-independent intermediate representation of disassembled code for static code analysis, in Proc. of CanSecWest, 2009.Google Scholar
  19. 19.
    Fedotov, A.N., Padaryan, V.A., Kaushan, V.V., Kurmangaleev, Sh.F., Vishnyakov, A.V., and Nurmukhametov, A.R., Assesing the criticality of software vulnerabilities under the conditions of modern protection mechanisms, Trudy ISP RAN, 2016, vol. 28, no. 5, pp. 73–92.Google Scholar
  20. 20.
    Caselden, D., Bazhanyuk, A., Payer, M., McCamant, S., and Song, D., HI-CFG: Construction by binary analysis and application to attack polymorphism, in Computer Security–ESORICS 2013, Lect. Notes Comput. Sci., 2013, vol. 8134. pp. 164–181.Google Scholar

Copyright information

© Pleiades Publishing, Ltd. 2018

Authors and Affiliations

  1. 1.Institute for System ProgrammingRussian Academy of SciencesMoscowRussia

Personalised recommendations