Native x86 Decompilation Using Semantics-Preserving Structural Analysis and Iterative Control-Flow Structuring
Edward J. Schwartz*, JongHyup Lee✝, Maverick Woo*, and David Brumley*
* Carnegie Mellon University
✝ Korea National University of Transportation
Which would you rather analyze?
8/15/13 Usenix Security 2013 2
    push %ebp
    mov %esp,%ebp
    sub $0x10,%esp
    movl $0x1,-0x4(%ebp)
    jmp 1d <f+0x1d>
    mov -0x4(%ebp),%eax
    imul 0x8(%ebp),%eax
    mov %eax,-0x4(%ebp)
    subl $0x1,0x8(%ebp)
    cmpl $0x1,0x8(%ebp)
    jg f <f+0xf>
    mov -0x4(%ebp),%eax
    leave
    ret

    int f(int c) {
        int accum = 1;
        for (; c > 1; c--) {
            accum = accum * c;
        }
        return accum;
    }

Functions, Variables, Types, Control Flow
Original Source
    int f (int x) {
        int y = 1;
        while (x > y) {
            y++;
        }
        return y;
    }
Compiled Binary
Recovered Source
    int f (int a) {
        int v = 1;
        while (a > v++) {}
        return v;
    }
Decompilers for Software Security
• Manual reverse-engineering
  – Traditional decompiler application
• Apply wealth of existing source-code techniques to compiled programs [Chang06]
  – Find bugs, vulnerabilities
• Heard at Usenix Security 2013, during Dowsing for Overflows
  – “We need source code to access the high-level control flow structure and types”
Desired Properties for Security
1. Effective abstraction recovery
  – Abstractions improve comprehension
Effective Abstraction Recovery
More Abstract
    s1;
    while (e1) {
        if (e2) { break; }
        s2;
    }
    s3;
Less Abstract
    s1;
    L1: if (e1) { goto L2; }
        else { goto L4; }
    L2: if (e2) { goto L4; }
    L3: s2; goto L1;
    L4: s3;
Desired Properties for Security
1. Effective abstraction recovery
  – Abstractions improve comprehension
2. Correctness
  – Buggy(Decompiled) Buggy(Original)
Correctness
Original Source
    int f (int x) {
        int y = 1;
        while (x > y) {
            y++;
        }
        return y;
    }
Compiled Binary
Recovered Source
    int f (int a) {
        int v = 1;
        while (a > v++) {}
        return v;
    }
Are these two programs semantically equivalent?
Prior Work on Decompilation
• Over 60 years of decompilation research
• Emphasis on manual reverse engineering
  – Readability metrics
    • Compression ratio: $1 - \frac{\text{LOC decompiled}}{\text{LOC assembly}}$
    • Smaller is better
• Little emphasis on other applications
  – Correctness is rarely explicitly tested
The Phoenix C Decompiler
How to build a better decompiler?
• Recover missing abstractions one at a time
  – Semantics preserving abstraction recovery
    • Rewrite program to use abstraction
    • Don’t change behavior of program
    • Similar to compiler optimization passes
Semantics Preservation
    s1;
    while (e1) {
        if (e2) { break; }
        s2;
    }
    s3;

    s1;
    L1: if (e1) { goto L2; }
        else { goto L4; }
    L2: if (e2) { goto L4; }
    L3: s2; goto L1;
    L4: s3;

Abstraction Recovery
Are these two programs semantically equivalent?
How to build a better decompiler?
• Recover missing abstractions one at a time
  – Semantics preserving abstraction recovery
    • Rewrite program to use abstraction
    • Don’t change behavior of program
    • Similar to compiler optimization passes
• Challenge: building semantics preserving recovery algorithms
  – This talk
    • Focus on control flow structuring
    • Empirical demonstration
Phoenix Overview
CFG Recovery → Type Recovery → Control Flow Structuring → Source-code Output
    int f (int x) {
        int y = 1;
        while (x > y) {
            y++;
        }
        return y;
    }
New in Phoenix
Control Flow Graph Recovery
• Vertex represents straight-line binary code
• Edges represent possible control-flow transitions
• Challenge: Where does jmp %eax go?
• Phoenix uses Value Set Analysis [Balakrishnan10]
[Figure: CFG whose branch edges are labelled e and ¬e]
Type Inference on Executables (TIE) [Lee11]
    movl (%eax), %ebx
• Constraint 1: %eax is a pointer to type <a>
• Constraint 2: %ebx has type <a>
• Solve all constraints to find <a>
How does each instruction constrain the types?
Control Flow Structuring
Control Flow Structuring
[Figure: the source "if (e) {…;} else {…;}" goes through Compilation to a CFG with branch edges e and ¬e; Control Flow Structuring turns that CFG back into "if (e) {…;} else {…;}"]
Control Flow Structuring: Don’t Reinvent the Wheel
• Existing algorithms
  – Interval analysis [Allen70]
    • Identifies intervals or regions
  – Structural analysis [Sharir80]
    • Classifies regions into more specific types
• Both have been used in decompilers
• Phoenix based on structural analysis
Structural Analysis
• Iteratively match patterns to CFG
  – Collapse matching regions
• Returns a skeleton: while (e) { if (e’) {…} }
[Figure: example patterns: if-then-else over blocks B1, B2, B3 and while over blocks B1, B2]
Structural Analysis Example
[Figure: example CFG with matched regions labelled ITE, SEQ, WHILE and SEQ]
    ...;
    while (...) { if (...) {...} else {...} };
    ...; ...;
Structural Analysis Property Checklist
1. Effective abstraction recovery
Structural Analysis Property Checklist
1. Effective abstraction recovery
  – Graceless failures for unstructured programs
    • break, continue, and goto statements
    • Failures cascade to large subgraphs
Unrecovered Structure
[Figure: CFG of the original program with regions labelled SEQ and UNKNOWN; callout: "This break edge prevents progress"]
Original
    s1;
    while (e1) {
        if (e2) { break; }
        s2;
    }
    s3;
Decompiled
    s1;
    L1: if (e1) { goto L2; }
        else { goto L4; }
    L2: if (e2) { goto L4; }
    L3: s2; goto L1;
    L4: s3;
Fix: New structuring algorithm featuring Iterative Refinement
Iterative Refinement
• Remove edges that are preventing a match
  – Represent in decompiled source as break, goto, continue
• Allows structuring algorithm to make more progress
Iterative Refinement
Original
    s1;
    while (e1) {
        if (e2) { break; }
        s2;
    }
    s3;
Decompiled
    s1;
    while (e1) {
        if (e2) { break; }
        s2;
    }
    s3;
[Figure: CFG with regions labelled BREAK, SEQ, WHILE and SEQ]
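
Added example (not from the talk or the Phoenix code base): structural analysis with iterative refinement, in Python, run on the CFG of the goto program shown on the "Unrecovered Structure" slide. Assumptions: the node encoding and function names are hypothetical, only SEQ and WHILE patterns are matched, and the rule for picking the edge to remove (a branch inside the loop that targets the loop's exit) was chosen for this example rather than taken from Phoenix.

```python
# Added example: SEQ/WHILE structural analysis plus one refinement rule (names are hypothetical).
def build_cfg():
    # s1; L1: if (e1) goto L2; else goto L4; L2: if (e2) goto L4; L3: s2; goto L1; L4: s3;
    # Row = (name, code, branch condition, successors as [taken, fall-through]).
    rows = [("s1", "s1; ", None, ["L1"]), ("L1", "", "e1", ["L2", "L4"]),
            ("L2", "", "e2", ["L4", "L3"]),      # L2 -> L4 is the break edge
            ("L3", "s2; ", None, ["L1"]), ("L4", "s3; ", None, [])]
    return {n: {"code": c, "cond": e, "succ": s} for n, c, e, s in rows}

def preds(g, n):
    return [m for m in g if n in g[m]["succ"]]

def reach(g, start, avoid=None):
    """Nodes reachable from start without entering `avoid`."""
    seen, todo = set(), [start]
    while todo:
        n = todo.pop()
        if n not in seen and n != avoid:
            seen.add(n)
            todo.extend(g[n]["succ"])
    return seen

def match_seq(g):
    """a -> b where a is b's only predecessor: merge b into a."""
    for a, na in list(g.items()):
        if len(na["succ"]) == 1:
            b = na["succ"][0]
            if b != a and preds(g, b) == [a]:
                nb = g.pop(b)
                na.update(code=na["code"] + nb["code"], cond=nb["cond"], succ=nb["succ"])
                return True
    return False

def match_while(g):
    """Header h with no code of its own, body b with b -> h only: collapse to while."""
    for h, nh in list(g.items()):
        if nh["cond"] and not nh["code"] and len(nh["succ"]) == 2:
            body, exit_ = nh["succ"]
            if g[body]["succ"] == [h] and preds(g, body) == [h]:
                nb = g.pop(body)
                nh.update(code="while (%s) { %s} " % (nh["cond"], nb["code"]),
                          cond=None, succ=[exit_])
                return True
    return False

def refine_break(g):
    """Remove one edge from inside a loop to the loop's exit and emit it as break."""
    for h, nh in g.items():
        if nh["cond"] and len(nh["succ"]) == 2:
            body, exit_ = nh["succ"]
            for n in sorted(reach(g, body, avoid=h)):
                nn = g[n]
                if h in reach(g, n) and nn["cond"] and exit_ in nn["succ"]:
                    test = nn["cond"] if nn["succ"][0] == exit_ else "!(%s)" % nn["cond"]
                    nn["succ"].remove(exit_)
                    nn.update(code=nn["code"] + "if (%s) break; " % test, cond=None)
                    return "%s->%s" % (n, exit_)
    return None

def structure(g, refine=True):
    """Return (source, removed_edges); source is None when matching gets stuck."""
    removed = []
    while len(g) > 1:
        if match_seq(g) or match_while(g):
            continue
        edge = refine_break(g) if refine else None
        if edge is None:
            return None, removed
        removed.append(edge)
    return next(iter(g.values()))["code"].strip(), removed
```

With `refine=False` no pattern matches any of the five nodes and `structure` returns `None`; with refinement the single removed edge `L2->L4` lets SEQ and WHILE collapse the whole graph.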
Structural Analysis Property Checklist
1. Effective abstraction recovery
  – Graceless failures for unstructured programs
    • break, continue, and gotos
    • Failures cascade to large subgraphs
2. Correctness
Structural Analysis Property Checklist
1. Effective abstraction recovery
  – Graceless failures for unstructured programs
    • break, continue, and gotos
    • Failures cascade to large subgraphs
2. Correctness
  – Not originally intended for decompilation
  – Structure can be incorrect for decompilation
Natural Loop Correctness Problem
[Figure: loop CFG with edges labelled x=1, y=2, x≠1 and y≠2, collapsed into a NATURAL LOOP region whose outgoing edges are labelled y=2 and x=1]
    while (true) {
        s1; if (x==1) goto L2;
        if (y==2) goto L1;
    }
Non-determinism
Fix: Ensure patterns are Semantics Preserving
Semantics Preservation
• Applies inside of control flow structuring too
[Figure: the same NATURAL LOOP example, with edges labelled x=1, y=2, x≠1 and y≠2]
Phoenix Implementation and Evaluation
Readability: Phoenix Output
Original
    int f (void) {
        int a = 42;
        int b = 0;
        while (a) {
            if (b) {
                puts("c");
                break;
            } else {
                puts("d");
            }
            a--;
            b++;
        }
        puts ("e");
        return 0;
    }
Decompiled
    t_reg32 f (void) {
        t_reg32 v20 = 42;
        t_reg32 v24;
        for (v24 = 0; v20 != 0;
             v24 = v24 + 1) {
            if (v24 != 0) {
                puts ("c");
                break;
            }
            puts ("d");
            v20 = v20 - 1;
        }
        puts ("e");
        return 0;
    }
Large Scale Experiment Details
• Decompilers tested
  – Phoenix
  – Hex-Rays (industry state of the art)
  – Boomerang (academic state of the art)
• Boomerang
  – Did not terminate in <1 hour for most programs
• GNU coreutils 8.17, compiled with gcc
  – Programs of varying complexity
  – Test suite
Metrics (end-to-end decompiler)
1. Effective abstraction recovery
  – Control flow structuring
2. Correctness
Control Flow Structure: Gotos Emitted (Fewer Better)
• Phoenix: 40
• Hex-Rays: 51
Control Flow Structure: Gotos Emitted (Fewer is Better)
• Phoenix: 40
• Phoenix (orig. structural analysis): 1229
• Hex-Rays: 51
Ideal: Correctness
Original Source
    int f (int x) {
        int y = 1;
        while (x > y) {
            y++;
        }
        return y;
    }
Compiled Binary
Recovered Source
    int f (int a) {
        int v = 1;
        while (a > v++) {}
        return v;
    }
Are these two programs semantically equivalent?
![Page 38: Native x86 Decompilation Using Semantics-Preserving ... · Native x86 Decompilation Using Semantics-Preserving Structural Analysis and Iterative Control-Flow Structuring Edward J](https://reader033.vdocuments.mx/reader033/viewer/2022042810/5f9dc2890a2ac3769365ee06/html5/thumbnails/38.jpg)
Scalable: Testing
Original Source (passes tests)
    int f (int x) {
        int y = 1;
        while (x > y) {
            y++;
        }
        return y;
    }
Compiled Binary
Recovered Source (passes tests)
    int f (int a) {
        int v = 1;
        while (a > v++) {}
        return v;
    }
Is the decompiled program consistent with test requirements?
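
Added example (Python ports of the two C functions as transcribed on the "Correctness" and "Scalable: Testing" slides, not code from the talk): a test suite that both versions pass, next to a bounded differential comparison that tells them apart. Assumptions: the property checked by `weak_suite` and the input range are constructed for illustration, and inputs are kept small so C integer overflow does not arise.

```python
# Added example: Python ports of the slide's two C functions.
# The "requirements" in weak_suite and the input range are constructed.

def f_original(x):
    y = 1
    while x > y:
        y += 1
    return y

def f_recovered(a):
    v = 1
    while True:
        old = v          # C post-increment: the comparison sees the old value,
        v += 1           # and v is bumped even when the comparison fails
        if not a > old:
            return v

def weak_suite(f, inputs=range(-3, 50)):
    """Constructed test requirements: result is at least 1 and at least the input."""
    return all(f(n) >= 1 and f(n) >= n for n in inputs)

def first_divergence(f, g, inputs=range(-3, 50)):
    """Differential test: first input on which f and g return different values."""
    for n in inputs:
        if f(n) != g(n):
            return n, f(n), g(n)
    return None
```

Both functions satisfy `weak_suite`, yet `first_divergence` reports a mismatch on the first input tried, which is the gap between "passes tests" and "semantically equivalent" that the two slides contrast.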
Number of Correct Utilities
• Hex-Rays: 28
• Phoenix: 60
• Phoenix (orig. structural analysis): 46
• All Utilities: 107
Correctness
• All known correctness errors attributed to type recovery
  – No known problems in control flow structuring
• Rare issues in TIE revealed by Phoenix stress testing
  – Even one type error can cause incorrectness
  – Undiscovered variables
  – Overly general type information
Conclusion
• Phoenix decompiler
  – Ultimate goal: Correct, abstract decompilation
  – Control-flow structuring algorithm
    • Iterative refinement
    • Semantics preserving schemas
• End-to-end correctness and abstraction recovery experiments on >100 programs
  – Phoenix
    • Control flow structuring:
    • Correctness: 50%
• Correct, abstract decompilation of real programs is within reach
  – This paper: improving control flow structuring
  – Next direction: improved static type recovery
Thanks!
• Questions?
Edward J. Schwartz
http://www.ece.cmu.edu/~ejschwar