Analysis of Low-Level Code Using Cooperating Decompilers

  • Bor-Yuh Evan Chang
  • Matthew Harren
  • George C. Necula
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4134)


Analysis or verification of low-level code is useful for minimizing the disconnect between what is verified and what is actually executed and is necessary when source code is unavailable or is, say, intermingled with inline assembly. We present a modular framework for building pipelines of cooperating decompilers that gradually lift the level of the language to something appropriate for source-level tools. Each decompilation stage contains an abstract interpreter that encapsulates its findings about the program by translating the program into a higher-level intermediate language. We provide evidence for the modularity of this framework through the implementation of multiple decompilation pipelines for both x86 and MIPS assembly produced by gcc, gcj, and coolc (a compiler for a pedagogical Java-like language) that share several low-level components. Finally, we discuss our experimental results that apply the BLAST model checker for C and the Cqual analyzer to decompiled assembly.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aiken, A.: Cool: A portable project for teaching compiler construction. ACM SIGPLAN Notices 31(7), 19–24 (1996)CrossRefGoogle Scholar
  2. 2.
    Alpern, B., Wegman, M.N., Zadeck, F.K.: Detecting equality of variables in programs. In: Principles of Programming Languages (POPL), pp. 1–11 (1988)Google Scholar
  3. 3.
    Appel, A.W.: Foundational proof-carrying code. In: Logic in Computer Science (LICS), pp. 247–258 (June 2001)Google Scholar
  4. 4.
    Balakrishnan, G., Reps, T.: Analyzing memory accesses in x86 executables. In: Duesterwald, E. (ed.) CC 2004. LNCS, vol. 2985, pp. 5–23. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  5. 5.
    Balakrishnan, G., Reps, T., Kidd, N., Lal, A.K., Lim, J., Melski, D., Gruian, R., Yong, S., Chen, C.-H., Teitelbaum, T.: Model checking x86 executables with codeSurfer/x86 and WPDS++. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 158–163. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  6. 6.
    Barnett, M., Chang, B.-Y.E., DeLine, R., Jacobs, B., M. Leino, K.R.: Boogie: A modular reusable verifier for object-oriented programs. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2005. LNCS, vol. 4111, pp. 364–387. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  7. 7.
    Chang, B.-Y.E., Chlipala, A., Necula, G.C.: A framework for certified program analysis and its applications to mobile-code safety. In: Emerson, E.A., Namjoshi, K.S. (eds.) VMCAI 2006. LNCS, vol. 3855, pp. 174–189. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  8. 8.
    Chang, B.-Y.E., Chlipala, A., Necula, G.C., Schneck, R.R.: Type-based verification of assembly language for compiler debugging. In: Types in Language Design and Implementation (TLDI), pp. 91–102 (2005)Google Scholar
  9. 9.
    Chang, B.-Y.E., Harren, M., Necula, G.C.: Analysis of low-level code using cooperating decompilers. Technical Report EECS-2006-86, UC Berkeley (2006)Google Scholar
  10. 10.
    Cifuentes, C., Simon, D., Fraboulet, A.: Assembly to high-level language translation. In: Software Maintenance (ICSM), pp. 228–237 (1998)Google Scholar
  11. 11.
    Codish, M., Mulkers, A., Bruynooghe, M., de la Banda, M.J.G., Hermenegildo, M.V.: Improving abstract interpretations by combining domains. ACM Trans. Program. Lang. Syst. 17(1), 28–44 (1995)CrossRefGoogle Scholar
  12. 12.
    Colby, C., Lee, P., Necula, G.C., Blau, F., Plesko, M., Cline, K.: A certifying compiler for Java. In: Programming Language Design and Implementation (PLDI), pp. 95–107 (2000)Google Scholar
  13. 13.
    Cortesi, A., Charlier, B.L., Hentenryck, P.V.: Combinations of abstract domains for logic programming. In: Principles of Programming Languages (POPL), pp. 227–239 (1994)Google Scholar
  14. 14.
    Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Principles of Programming Languages (POPL), pp. 234–252 (1977)Google Scholar
  15. 15.
    Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: Principles of Programming Languages (POPL), pp. 269–282 (1979)Google Scholar
  16. 16.
    Cousot, P., Cousot, R.: Systematic design of program transformation frameworks by abstract interpretation. In: Principles of Programming Languages (POPL), pp. 178–190 (2002)Google Scholar
  17. 17.
    Foster, J., Terauchi, T., Aiken, A.: Flow-sensitive type qualifiers. In: Programming Language Design and Implementation (PLDI), pp. 1–12 (2002)Google Scholar
  18. 18.
    Henzinger, T.A., Jhala, R., Majumdar, R., Necula, G.C., Sutre, G., Weimer, W.: Temporal-safety proofs for systems code. In: Brinksma, E., Larsen, K.G. (eds.) CAV 2002. LNCS, vol. 2404, pp. 526–538. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  19. 19.
    IDA Pro disassembler,
  20. 20.
    Johnson, R., Wagner, D.: Finding user/kernel pointer bugs with type inference. In: USENIX Security Symposium, pp. 119–134 (2004)Google Scholar
  21. 21.
    Lerner, S., Grove, D., Chambers, C.: Composing dataflow analyses and transformations. In: Principles of Programming Languages (POPL), pp. 270–282 (2002)Google Scholar
  22. 22.
    Lindholm, T., Yellin, F.: The Java Virtual Machine Specification. The Java Series. Addison-Wesley, Reading (1997)Google Scholar
  23. 23.
    Morrisett, J.G., Walker, D., Crary, K., Glew, N.: From system F to typed assembly language. ACM Trans. Program. Lang. Syst. 21(3), 527–568 (1999)CrossRefGoogle Scholar
  24. 24.
    Mycroft, A.: Type-based decompilation. In: Swierstra, S.D. (ed.) ESOP 1999. LNCS, vol. 1576, p. 208. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  25. 25.
    Necula, G.C.: Proof-carrying code. In: Principles of Programming Languages (POPL), pp. 106–119 (January 1997)Google Scholar
  26. 26.
    Rival, X.: Abstract interpretation-based certification of assembly code. In: Zuck, L.D., Attie, P.C., Cortesi, A., Mukhopadhyay, S. (eds.) VMCAI 2003. LNCS, vol. 2575, pp. 41–55. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  27. 27.
    Tröger, J., Cifuentes, C.: Analysis of virtual method invocation for binary translation. In: Reverse Engineering (WCRE), pp. 65–74 (2002)Google Scholar
  28. 28.
    Vallée-Rai, R., Co, P., Gagnon, E., Hendren, L.J., Lam, P., Sundaresan, V.: Soot - a Java bytecode optimization framework. In: Centre for Advanced Studies on Collaborative Research (CASCON), p. 13 (1999)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Bor-Yuh Evan Chang
    • 1
  • Matthew Harren
    • 1
  • George C. Necula
    • 1
  1. 1.University of CaliforniaBerkeleyUSA

Personalised recommendations