Interprocedural Control Flow Reconstruction

  • Andrea Flexeder
  • Bogdan Mihaila
  • Michael Petter
  • Helmut Seidl
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6461)


In this paper we provide an interprocedural algorithm for reconstructing the control flow of assembly code in the presence of indirect jumps, call instructions and returns. When the underlying assembly code is the output of a compiler, indirect jumps primarily originate from high-level switch statements. For these, our methods succeed in resolving indirect jumps with high accuracy. We show that by explicitly handling procedure calls, additional precision is gained at calls to procedures exiting the program as well as through the analysis of side-effects of procedures on the local state of the caller. Our prototype implementation, applied to real-world examples, shows that this approach yields reliable and meaningful results with decent efficiency.


static analysis; binary analysis; control flow reconstruction; reverse engineering





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Andrea Flexeder (1)
  • Bogdan Mihaila (1)
  • Michael Petter (1)
  • Helmut Seidl (1)

  1. Technische Universität München, Garching, Germany
