Function Dectection

Called directly by the $call$ instruction.
Indirect all is hard to dectect.

Object-Oriented Code

We only discuss about C code in this course

Structuring Data

Automatic data struction detection in stripped binaries is a notoriouly difficult problem
Some codes can be compiled into similar instructions

Decompilation

Guessing function signatures and local variables
Recovering control flows and function calls

Intermediate Representation

  • Abstration
  • Goal: translate Machine code to IR code

Binary Analysis Properties

Interprocedural and intraprocedural
Flow sensitivity
Context sensitivity

Intraprocedural

Code within a single function at a time

  • Maybe incomplete

Interprocedural

Consider entire program as a whole

  • Might take long so results no longer matter.

Flow Sensitivity

Take the order of the instructions into account.
Either flow-sensitive or flow-insensitive.

  • flow-sensitive more conplex.

Context Sensitivity

Take the order of the function invocation into account.

Loop Detection

Implemented using $jump$ instructions.
Most execution time is spent in loops.
Buffer overflow tends in occur in loops.

Compilers use dominance trees to determine natural loops.

Reaching Definition Analysis

Reachable data definitions from this point.
CFG level.
Which can reach at the start. Which can still be alive after.

Program Slicing

Find irrelevant slices and remove them.