Presentation is loading. Please wait.

Presentation is loading. Please wait.

Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 12-14, 2004 Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 12-14, 2004.

Published byArron Butler Modified over 8 years ago

Similar presentations

Presentation on theme: "Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 12-14, 2004 Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 12-14, 2004."— Presentation transcript:

1 Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 12-14, 2004 Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 12-14, 2004 Program Provenance Guessing the Source Compiler from Binary Code Nathan Rosenblum

2 Why compiler provenance? 2 Guessing the Source Compiler IDA Pro

3 Why should this work? 3 Guessing the Source Compiler

4 4 test edi,edi jle 4004ae mov eax,0x0 lea eax,[rdx+rax] imul edx,eax add eax,0x1 cmp edi,eax jg 4004a1 mov eax,edx ret xor edx,edx test edi,edi jle 400989 add edx,eax imul eax,edx inc edx cmp edx,edi jl 40097e ret int bar(int foo) { int i, j; for(i=0;i<foo;++i) { i = j + i; j *= i; } return j; } GCCICC

5 Modeling binary code 5 Guessing the Source Compiler program binary gcc icc i i ₋₁ i ₊₁ i ₊₂ icc none …… compiler labels … c7 04 24 10 70 05 08 ff d0 c9 c3 90 81 ec e4 00 00 00 8b b4 24 ec 00 00 00 … underlying bytes 8d b4 26 00 00 00 00 8d bc 27 00 00 00 00 90 80 4c 90 80 4c 94 80 4c 98 80 4c 9b match_init zp_init_keys seekable padding addrs. data

6 Describing code 6 Guessing the Source Compiler 〈mov [IMM], RAX ; * ; sub [IMM], RAX〉 abstracts several IA32 opcodes single-instruction wildcard hide immediate values …… instruction-level control flow- level branch 011101011010 101010101110 101001010101 110001001001 011010110011 010101010101 010010011110 + 〈mov [IMM], RAX ; * ; sub [IMM], RAX〉 〈add[IMM], RDX ; * ; sub RAX, RCX〉 〈push EBP ; mov ESP, EBP〉 〈shl[IMM], RAX ; shr[IMM], RAX〉 〈 *; * ; sub [IMM], RAX〉 [math elided]

7 Guessing the Source Compiler Results [R, Miller, Zhu PASTE ‘10] 7 01110101101 01010101011 10101001010 10111000100 10010110101 10011010101 01010101001 single compiler mixed compiler GCC ICCMSVC 92.5% 93.7% 5.3% 2.3% or 2.8% 6.4% error types

8 Finer detail: compiler versions, optimization 8 Guessing the Source Compiler Major versions? Minor versions? Low optimization vs. high optimization? Highly optimized code? GCC 3.x vs 4.x GCC 4.2 vs 4.3 GCC -O0 vs -O3 GCC –O2 vs –O3 easy 99% easy85-99% easy99% hard60%

9 Future work 9 Guessing the Source Compiler int bar(int foo) { int i, j; for(i=0;i<foo;++i) { i = j + i; j *= i; } return j; }... 0111010110101 0101010111010 1001010101110 0010010010110 1011001101010 1010101010010 0111101010111 0100101101010

Download ppt "Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 12-14, 2004 Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 12-14, 2004."

Similar presentations

Practical Malware Analysis

Practical Malware Analysis
PASTE 2011 Szeged, Hungary September 5, 2011 Labeling Library Functions in Stripped Binaries Emily R. Jacobson, Nathan Rosenblum, and Barton P. Miller.

PASTE 2011 Szeged, Hungary September 5, 2011 Labeling Library Functions in Stripped Binaries Emily R. Jacobson, Nathan Rosenblum, and Barton P. Miller.
ByteWeight: Learning to Recognize Functions in Binary Code

ByteWeight: Learning to Recognize Functions in Binary Code
University of Washington Procedures and Stacks II The Hardware/Software Interface CSE351 Winter 2013.

University of Washington Procedures and Stacks II The Hardware/Software Interface CSE351 Winter 2013.
© 2006 Nathan RosenblumMarch 2006Unconventional Code Constructs The New Dyninst Code Parser: Binary Code Isn't as Simple as it Used to Be Nathan Rosenblum.

© 2006 Nathan RosenblumMarch 2006Unconventional Code Constructs The New Dyninst Code Parser: Binary Code Isn't as Simple as it Used to Be Nathan Rosenblum.
Machine/Assembler Language Putting It All Together Noah Mendelsohn Tufts University Web:

Machine/Assembler Language Putting It All Together Noah Mendelsohn Tufts University Web:
%rax %eax %rbx %ebx %rdx %edx %rcx %ecx %rsi %esi %rdi %edi %rbp %ebp %rsp %esp %r8 %r8d %r9 %r9d %r11 %r11d %r10 %r10d %r12 %r12d %r13 %r13d.

%rax %eax %rbx %ebx %rdx %edx %rcx %ecx %rsi %esi %rdi %edi %rbp %ebp %rsp %esp %r8 %r8d %r9 %r9d %r11 %r11d %r10 %r10d %r12 %r12d %r13 %r13d.
Introduction to Information Security מרצים : Dr. Eran Tromer: Prof. Avishai Wool: מתרגלים : Itamar Gilad

Introduction to Information Security מרצים : Dr. Eran Tromer: Prof. Avishai Wool: מתרגלים : Itamar Gilad
Binghamton University CS-220 Spring 2015 Binghamton University CS-220 Spring 2015 x86 Assembler.

Binghamton University CS-220 Spring 2015 Binghamton University CS-220 Spring 2015 x86 Assembler.
1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.

1 ICS 51 Introductory Computer Organization Fall 2006 updated: Oct. 2, 2006.
Accessing parameters from the stack and calling functions.

Accessing parameters from the stack and calling functions.
X86 ISA Compiler Baojian Hua Front End source code abstract syntax tree lexical analyzer parser tokens IR semantic analyzer.

X86 ISA Compiler Baojian Hua Front End source code abstract syntax tree lexical analyzer parser tokens IR semantic analyzer.
Recitation 2: Assembly & gdb Andrew Faulring 15213 Section A 16 September 2002.

Recitation 2: Assembly & gdb Andrew Faulring Section A 16 September 2002.
Machine-Level Programming 3 Control Flow Topics Control Flow Switch Statements Jump Tables.

Machine-Level Programming 3 Control Flow Topics Control Flow Switch Statements Jump Tables.
Y86 Processor State Program Registers

Y86 Processor State Program Registers
1 Carnegie Mellon Stacks 15-213: Introduction to Computer Systems Recitation 5: September 24, 2012 Joon-Sup Han Section F.

1 Carnegie Mellon Stacks : Introduction to Computer Systems Recitation 5: September 24, 2012 Joon-Sup Han Section F.
University of Washington Today More on procedures, stack etc. Lab 2 due today!  We hope it was fun! What is a stack?  And how about a stack frame? 1.

University of Washington Today More on procedures, stack etc. Lab 2 due today!  We hope it was fun! What is a stack?  And how about a stack frame? 1.
Analysis Of Stripped Binary Code Laune Harris University of Wisconsin – Madison

Analysis Of Stripped Binary Code Laune Harris University of Wisconsin – Madison
Andrew Bernat, Bill Williams Paradyn / Dyninst Week Madison, Wisconsin April 29-May 1, 2013 New Features in Dyninst 8.0 8.1.1 8.1.

Andrew Bernat, Bill Williams Paradyn / Dyninst Week Madison, Wisconsin April 29-May 1, 2013 New Features in Dyninst
Paradyn Project Petascale Tools Workshop Madison, Wisconsin Aug 4-Aug 7, 2014 Binary Code is Not Easy Xiaozhu Meng, Emily Gember-Jacobson, and Bill Williams.

Paradyn Project Petascale Tools Workshop Madison, Wisconsin Aug 4-Aug 7, 2014 Binary Code is Not Easy Xiaozhu Meng, Emily Gember-Jacobson, and Bill Williams.

Similar presentations

Ads by Google