I-Corps: Source Recovery from Binaries Using SecondWrite

I-Corps：使用 SecondWrite 从二进制文件中进行源恢复

• 批准号: 1265331
• 负责人: Rajeev Barua
• 金额: $ 5万
• 依托单位: University of Maryland, College Park
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2012
• 资助国家: 美国
• 起止时间: 2012-10-01 至 2013-06-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1265331&HistoricalAwards=false
• 关键词: Corps; Source; Recovery; Binaries; Using

This I-Corps team plans to further develop a software tool that takes x86 binary programs as input (including stripped binaries), and produces equivalent source-code programs in C. The binary can be compiled from any language. The output C code is not the same as the original source code, but is functionally equivalent. The output C code is fully functional: it can be modified, recompiled, and run as needed. Alternately, the software can output a rewritten binary, or the intermediate representation (IR) of the open-source LLVM compiler, allowing further analysis and transformation of binary code with existing or new LLVM passes. The software developed by the team is able to perform deep binary analysis where the output code is high-level, containing symbols, functions, arguments, return values, types (including aggregate types), and there are high-level control flow constructs, and an abstract stack. Alias analysis and type recovery schemes have been developed that work synergistically to do effective alias analysis on binary code, and recover types including aggregate types like structures and arrays. The team has also developed technologies to rewrite stripped binaries (i.e., those without relocation and symbolic information).With further development this software tool may be a valuable tool for the recovery of source code from legacy binaries. Both in government and industry, legacy code is run every day, but its source code is often hard to track or lost, given that the original code vendor may have gone through corporate mergers, reorganization or liquidations. Re-developing code from scratch can be costly and difficult to replicate as the full scope of the original functionality is often unknown. In these cases, this software tool may be able to provide source code that can be understood, maintained, updated and recompiled with newer compliers and for newer versions of the x86 instruction set. Additionally, this tool may have applications in forensics to examine and understand the behavior of vulnerable or un-trusted code prior to or after a security breach. This goes beyond existing security tools in dynamic binary rewriters or binary analysis tools, which used automated security tools that are useful, but cannot help with the human understanding of un-trusted or vulnerable code.

这个I-Corps团队计划进一步开发一种软件工具，它将x86二进制程序作为输入（包括剥离的二进制程序），并在c语言中生成等效的源代码程序。二进制程序可以从任何语言编译。输出的C代码与原始源代码不同，但在功能上是等效的。输出的C代码功能齐全：可以根据需要修改、重新编译和运行。或者，软件可以输出重写的二进制，或者开源LLVM编译器的中间表示（IR），允许使用现有或新的LLVM通道进一步分析和转换二进制代码。该团队开发的软件能够执行深度二进制分析，其中输出代码是高级的，包含符号、函数、参数、返回值、类型（包括聚合类型），并且有高级控制流构造和抽象堆栈。别名分析和类型恢复方案已经开发出来，它们协同工作，对二进制代码进行有效的别名分析，并恢复类型，包括结构和数组等聚合类型。该团队还开发了重写剥离二进制文件（即没有重定位和符号信息的二进制文件）的技术。随着进一步的开发，这个软件工具可能会成为从遗留二进制文件中恢复源代码的有价值的工具。在政府和工业中，遗留代码每天都在运行，但其源代码通常很难跟踪或丢失，因为原始代码供应商可能已经经历了公司合并、重组或清算。从头开始重新开发代码的成本很高，而且很难复制，因为原始功能的全部范围通常是未知的。在这些情况下，该软件工具可能能够提供可以使用较新的编译器和较新版本的x86指令集理解、维护、更新和重新编译的源代码。此外，该工具可能在取证中有应用程序，用于检查和理解易受攻击或不受信任的代码在发生安全漏洞之前或之后的行为。这超越了动态二进制重写器或二进制分析工具中的现有安全工具，这些工具使用了有用的自动化安全工具，但无法帮助人类理解不受信任或易受攻击的代码。