Practical dynamic reconstruction of control flow graphs
Software: Practice and Experience (IF 3.5). Pub Date: 2020-10-11, DOI: 10.1002/spe.2907
Andrei Rimsa, José Nelson Amaral, Fernando M. Q. Pereira
The automatic recovery of a program's high‐level representation from its binary version is a well‐studied problem in programming languages. However, most of the solutions to this problem are based on purely static approaches: techniques such as dataflow analyses or type inference are used to convert the bytes that constitute the executable code back into a control flow graph (CFG). This article departs from such a modus operandi to show that a dynamic analysis can be effective and useful, both as a standalone technique, and as a way to enhance the precision of static approaches. The experimental results provide evidence that completeness, that is, the ability to conclude that the entire CFG has been discovered, is achievable on many functions that are part of industry‐strong benchmarks. Experiments also indicate that dynamic information greatly enhances the ability of DynInst, a state‐of‐the‐art binary reconstructor, to deal with code stripped of debugging information. These results were obtained with CFGgrind, a new implementation of a dynamic code reconstructor, built on top of Valgrind. When applied to cBench, CFGgrind is 9% faster than callgrind, Valgrind's tool used to track targets of function calls; and 7% faster in Spec Cpu2017. CFGgrind recovers the complete CFG of 40% of all the procedures invoked during the standard execution of programs in Spec Cpu2017, and 37% in cBench. When combined with CFGgrind, DynInst finds 15% more CFGs for cBench, and 7% more CFGs for Spec Cpu2017. Finally, CFGgrind is more than 7 times faster than DCFG, a CFG reconstructor from Intel, and 1.30 times faster than bfTrace, a CFG reconstructor used in research. CFGgrind is also more precise than these two tools, handling operating system signals, shared code in functions, and unaligned instructions; besides supporting multithreaded programs, exact profiling and incremental refinements.
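As an added illustration (not code from the paper or from CFGgrind), a small Python model of the dynamic reconstruction the abstract describes: basic blocks and edge counts are built incrementally from an execution trace, a block is split when a later transfer lands in its middle (the "shared code" case), exact profiling counts survive the split, and a conditional branch with only one observed successor marks the CFG as not yet complete. The instruction table and trace are constructed for the example.

```python
from collections import Counter
# Constructed sample: address -> (size, kind). "fall" continues sequentially; others end a block.
INSNS = {0x10: (4, "fall"), 0x14: (4, "fall"), 0x18: (2, "jcc"),  # loop, jcc back to 0x14
         0x1a: (4, "fall"), 0x1e: (1, "ret")}                      # exit path
# Constructed trace of executed addresses: the loop runs three times, then the function returns.
TRACE = [0x10, 0x14, 0x18, 0x14, 0x18, 0x14, 0x18, 0x1a, 0x1e]


def build_cfg(trace, insns):
    blocks, owner = {}, {}               # leader -> instructions; instruction -> its leader
    edges, execs = Counter(), Counter()  # (src leader, dst leader) -> taken; leader -> entered

    def split(addr):
        """A transfer landed inside an existing block: cut it so addr becomes a leader."""
        leader = owner[addr]
        if leader == addr:
            return
        old = blocks[leader]
        cut = old.index(addr)
        blocks[leader], blocks[addr] = old[:cut], old[cut:]
        for a in old[cut:]:
            owner[a] = addr
        for (src, dst), n in list(edges.items()):   # outgoing edges now leave the tail
            if src == leader:
                del edges[(src, dst)]
                edges[(addr, dst)] += n
        execs[addr] = edges[(leader, addr)] = execs[leader]  # tail ran whenever head did so far

    cur = last = expect = None
    for addr in trace:
        if addr == expect and owner.get(addr, cur) == cur:
            if addr not in owner:                   # sequential: grow the current block
                blocks[cur].append(addr)
                owner[addr] = cur
        else:                                       # boundary: branch, signal or unseen code
            if addr in owner:
                split(addr)
            else:
                blocks[addr], owner[addr] = [addr], addr
            if last is not None:
                edges[(owner[last], addr)] += 1
            cur = addr
            execs[addr] += 1
        last = addr
        expect = addr + insns[addr][0] if insns[addr][1] == "fall" else None
    return blocks, edges, execs


def incomplete_branches(blocks, edges, insns):
    """Conditional branches with one observed successor: the CFG is not yet complete."""
    return [b for b, ins in blocks.items() if insns[ins[-1]][1] == "jcc"
            and len({d for (s, d) in edges if s == b}) < 2]
```

Running `build_cfg(TRACE, INSNS)` yields three blocks (the loop head is split off the entry block when the back edge is first seen), with the loop edge taken twice and the head entered three times.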

Updated: 2020-10-11