Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly...

25
Probabilistic Disassembly Kenneth Adam Miller*, Yonghwi Kwon†, Yi Sun*, Zhuo Zhang*, Xiangyu Zhang*, Zhiqiang Lin‡ * Department of Computer Science, Purdue University, West Lafayette, USA †Department of Computer Science, University of Virginia, Charlottesville, USA ‡Department of Computer Science and Engineering, Ohio State University, Columbus, USA (Artifact Reusable)

Transcript of Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly...

Page 1: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

Probabilistic Disassembly

Kenneth Adam Miller*, Yonghwi Kwon†, Yi Sun*, Zhuo Zhang*, Xiangyu Zhang*, Zhiqiang Lin‡

* Department of Computer Science, Purdue University, West Lafayette, USA

†Department of Computer Science, University of Virginia, Charlottesville, USA

‡Department of Computer Science and Engineering, Ohio State University, Columbus, USA

(Artifact Reusable)

Page 2: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

What is Disassembler?

Source code CompilerBinary

Program

Various semantics lost:(1) Variable names(2) Data structures (e.g., variable boundaries)(3) Function names (i.e., indirect call targets)(4) ...

irreversible transformation

Page 3: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

What is Disassembler?

Binary Program DisassemblerHuman

Readable Assembly Code

Recover lost semantics with ...

Page 4: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

Uses of Disassembly

• Reverse-Engineering (e.g., of legacy applications)

• Malware Analysis

• Binary Rewriting for• Optimization

• Security – Software Hardening, Hot Patches, De-bloating (Attack Surface reduction)

• Instrumentation and Debugging

• ...

Page 5: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

Fundamental Problem in Disassembly

Especially problematic in recovering indirect control flow by

function pointers, virtual tables, switch-case, etc.,

and making it difficult to know where the code begins

When we recover the lost semantics,

uncertainty is inevitable.

Page 6: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

Fundamental Problem in Disassembly

In Von-Neumann Architecture, code and data coexist within the same memory space,

and they could be interleaving

Page 7: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

Fundamental Problem in Disassembly

In Von-Neumann Architecture, code and data coexist within the same memory space,

and they could be interleaving

Code (Instructions)

Binary Program

Code (Instructions)

Data

Page 8: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

Data and Code Coexistence: Linear Sweep

0xBBF720xBBF760xBBF7A0xBBF7E0xBBF820xBBF840xBBF8A0xBBF8E0xBBF90

0xBBF97...

0xBBFA20xBBFA6

0xBBFAC0xBBFB0

66 66 66 66 66 2E 0F 1F 84 00 00 00 00 00 90 0F 1F 84 00 00 00 00 00 00 00 00 00 00 00 0048 8B 05 71 B9 19 00 41 56...48 8D 50 1048 05 90 00 00 0048 89 47 1048 89 17

ADDRESS RAW BYTE

DB 66 66 66 66DB 66 2E 0F 1FDB 84 00 00 00DB 00 00 90 0FDB 1F 84 00 00 DB 00 00 00 00DB 00 00 00 00DB 00 00 mov 0x19B978(rip), rax

push r14...lea 16(rax), rdxadd 144, rax

mov rax, 16(rdi)mov rdx, (rdi)

ASSEMBLY (Ground-truth)

nop cs:(rax,rax)...............add al, (rax)add al, (rax)add cl, -117(rax)add 1685873, eax

push r14...lea 16(rax), rdxadd 144, rax

mov rax, 16(rdi)mov rdx, (rdi)

Linear Sweep

0xBBF720xBBF760xBBF7A0xBBF7C0xBBF820xBBF8A0xBBF8B0xBBF8D0xBBF8F0xBBF92

0xBBF97...

0xBBFA20xBBFA6

0xBBFAC0xBBFB0

66 66 66 66 66 2E 0F 1F 84 00 00 00 00 00 90 0F ...00 00 0000 00 00 48 8B 05 71 B9 19 00 41 56...48 8D 50 1048 05 90 00 00 0048 89 47 1048 89 17

ADDRESS RAW BYTE

Page 9: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

Data and Code Coexistence: Superset Disassembly

0xBBF720xBBF760xBBF7A0xBBF7E0xBBF820xBBF840xBBF8A0xBBF8E0xBBF90

0xBBF97...

0xBBFA20xBBFA6

0xBBFAC0xBBFB0

66 66 66 66 66 2E 0F 1F 84 00 00 00 00 00 90 0F 1F 84 00 00 00 00 00 00 00 00 00 00 00 0048 8B 05 71 B9 19 00 41 56...48 8D 50 1048 05 90 00 00 0048 89 47 1048 89 17

ADDRESS RAW BYTE

DB 66 66 66 66DB 66 2E 0F 1FDB 84 00 00 00DB 00 00 90 0FDB 1F 84 00 00 DB 00 00 00 00DB 00 00 00 00DB 00 00 mov 0x19B978(rip), rax

push r14...lea 16(rax), rdxadd 144, rax

mov rax, 16(rdi)mov rdx, (rdi)

ASSEMBLY (Ground-truth)

nop cs:(rax,rax)nop cs:(rax+...)nop cs:(rax+...)...add al, (rax)add al, (rax)add al, (rax)add cl, -117(rax)mov 0x19B978(rip), rax

mov 0x19b978(rip), eaxadd 0x1685873, eax...push r14push rsi...mov rdx, (rdi)mov edx, (rdi)...

Superset Disassembly

0xBBF720xBBF730xBBF74

...0xBBF8C0xBBF8D0xBBF8E0xBBF8F0xBBF90

0xBBF910xBFF92

...0xBBF970xBBF98

...0xBBFB00xBBFB1

...

66 66 .. 0066 66 .. 1F66 66 .. 84...00 0000 00 00 0000 48 8B48 8B 05 71 B9 19 00 8B 05 .. 0005 71 .. 00...41 5656...48 89 47 1048 89 17...

ADDRESS RAW BYTE

Page 10: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

Data and Code Coexistence: Superset Disassembly

0xBBF720xBBF760xBBF7A0xBBF7E0xBBF820xBBF840xBBF8A0xBBF8E0xBBF90

0xBBF97...

0xBBFA20xBBFA6

0xBBFAC0xBBFB0

66 66 66 66 66 2E 0F 1F 84 00 00 00 00 00 90 0F 1F 84 00 00 00 00 00 00 00 00 00 00 00 0048 8B 05 71 B9 19 00 41 56...48 8D 50 1048 05 90 00 00 0048 89 47 1048 89 17

ADDRESS RAW BYTE

DB 66 66 66 66DB 66 2E 0F 1FDB 84 00 00 00DB 00 00 90 0FDB 1F 84 00 00 DB 00 00 00 00DB 00 00 00 00DB 00 00 mov 0x19B978(rip), rax

push r14...lea 16(rax), rdxadd 144, rax

mov rax, 16(rdi)mov rdx, (rdi)

ASSEMBLY (Ground-truth)

nop cs:(rax,rax)nop cs:(rax+...)nop cs:(rax+...)...add al, (rax)add al, (rax)add al, (rax)add cl, -117(rax)mov 0x19B978(rip), rax

mov 0x19b978(rip), eaxadd 0x1685873, eax...push r14push rsi...mov rdx, (rdi)mov edx, (rdi)...

Superset Disassembly

0xBBF720xBBF730xBBF74

...0xBBF8C0xBBF8D0xBBF8E0xBBF8F0xBBF90

0xBBF910xBFF92

...0xBBF970xBBF98

...0xBBFB00xBBFB1

...

66 66 .. 0066 66 .. 1F66 66 .. 84...00 0000 00 00 0000 48 8B48 8B 05 71 B9 19 00 8B 05 .. 0005 71 .. 00...41 5656...48 89 47 1048 89 17...

ADDRESS RAW BYTE

No False Negatives!

Page 11: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

Data and Code Coexistence: Superset Disassembly

0xBBF720xBBF760xBBF7A0xBBF7E0xBBF820xBBF840xBBF8A0xBBF8E0xBBF90

0xBBF97...

0xBBFA20xBBFA6

0xBBFAC0xBBFB0

66 66 66 66 66 2E 0F 1F 84 00 00 00 00 00 90 0F 1F 84 00 00 00 00 00 00 00 00 00 00 00 0048 8B 05 71 B9 19 00 41 56...48 8D 50 1048 05 90 00 00 0048 89 47 1048 89 17

ADDRESS RAW BYTE

DB 66 66 66 66DB 66 2E 0F 1FDB 84 00 00 00DB 00 00 90 0FDB 1F 84 00 00 DB 00 00 00 00DB 00 00 00 00DB 00 00 mov 0x19B978(rip), rax

push r14...lea 16(rax), rdxadd 144, rax

mov rax, 16(rdi)mov rdx, (rdi)

ASSEMBLY (Ground-truth)

nop cs:(rax,rax)nop cs:(rax+...)nop cs:(rax+...)...add al, (rax)add al, (rax)add al, (rax)add cl, -117(rax)mov 0x19B978(rip), rax

mov 0x19b978(rip), eaxadd 0x1685873, eax...push r14push rsi...mov rdx, (rdi)mov edx, (rdi)...

Superset Disassembly

0xBBF720xBBF730xBBF74

...0xBBF8C0xBBF8D0xBBF8E0xBBF8F0xBBF90

0xBBF910xBFF92

...0xBBF970xBBF98

...0xBBFB00xBBFB1

...

66 66 .. 0066 66 .. 1F66 66 .. 84...00 0000 00 00 0000 48 8B48 8B 05 71 B9 19 00 8B 05 .. 0005 71 .. 00...41 5656...48 89 47 1048 89 17...

ADDRESS RAW BYTE

Many False Positives

Page 12: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

Data and Code Coexistence: Probabilistic Disassembly

0xBBF720xBBF760xBBF7A0xBBF7E0xBBF820xBBF840xBBF8A0xBBF8E0xBBF90

0xBBF97...

0xBBFA20xBBFA6

0xBBFAC0xBBFB0

66 66 66 66 66 2E 0F 1F 84 00 00 00 00 00 90 0F 1F 84 00 00 00 00 00 00 00 00 00 00 00 0048 8B 05 71 B9 19 00 41 56...48 8D 50 1048 05 90 00 00 0048 89 47 1048 89 17

ADDRESS RAW BYTE

DB 66 66 66 66DB 66 2E 0F 1FDB 84 00 00 00DB 00 00 90 0FDB 1F 84 00 00 DB 00 00 00 00DB 00 00 00 00DB 00 00 mov 0x19B978(rip), rax

push r14...lea 16(rax), rdxadd 144, rax

mov rax, 16(rdi)mov rdx, (rdi)

ASSEMBLY (Ground-truth)

nop cs:(rax,rax)nop cs:(rax+...)nop cs:(rax+...)...add al, (rax)add al, (rax)add al, (rax)add cl, -117(rax)mov 0x19B978(rip), rax

mov 0x19b978(rip), eaxadd 0x1685873, eax...push r14push rsi...mov rdx, (rdi)mov edx, (rdi)...

Superset Disassembly

0xBBF720xBBF730xBBF74

...0xBBF8C0xBBF8D0xBBF8E0xBBF8F0xBBF90

0xBBF910xBFF92

...0xBBF970xBBF98

...0xBBFB00xBBFB1

...

66 66 .. 0066 66 .. 1F66 66 .. 84...00 0000 00 00 0000 48 8B48 8B 05 71 B9 19 00 8B 05 .. 0005 71 .. 00...41 5656...48 89 47 1048 89 17...

ADDRESS RAW BYTE

Page 13: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

Data and Code Coexistence: Probabilistic Disassembly

nop cs:(rax,rax)nop cs:(rax+...)nop cs:(rax+...)...add al, (rax)add al, (rax)add al, (rax)add cl, -117(rax)mov 0x19B978(rip), rax

mov 0x19b978(rip), eaxadd 0x1685873, eax...push r14push rsi...mov rdx, (rdi)mov edx, (rdi)...

Superset Disassembly

0xBBF720xBBF730xBBF74

...0xBBF8C0xBBF8D0xBBF8E0xBBF8F0xBBF90

0xBBF910xBFF92

...0xBBF970xBBF98

...0xBBFB00xBBFB1

...

66 66 .. 0066 66 .. 1F66 66 .. 84...00 0000 00 00 0000 48 8B48 8B 05 71 B9 19 00 8B 05 .. 0005 71 .. 00...41 5656...48 89 47 1048 89 17...

ADDRESS RAW BYTE

0.040.040.04...0.6950.040.6950.040.695

0.040.04...0.940.06...1.0 (approx.)0.0 (approx.)...

Probabilistic Disassembly

Page 14: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

Data and Code Coexistence: Probabilistic Disassembly

nop cs:(rax,rax)nop cs:(rax+...)nop cs:(rax+...)...add al, (rax)add al, (rax)add al, (rax)add cl, -117(rax)mov 0x19B978(rip), rax

mov 0x19b978(rip), eaxadd 0x1685873, eax...push r14push rsi...mov rdx, (rdi)mov edx, (rdi)...

Superset Disassembly

0xBBF720xBBF730xBBF74

...0xBBF8C0xBBF8D0xBBF8E0xBBF8F0xBBF90

0xBBF910xBFF92

...0xBBF970xBBF98

...0xBBFB00xBBFB1

...

66 66 .. 0066 66 .. 1F66 66 .. 84...00 0000 00 00 0000 48 8B48 8B 05 71 B9 19 00 8B 05 .. 0005 71 .. 00...41 5656...48 89 47 1048 89 17...

ADDRESS RAW BYTE

0.040.040.04...0.6950.040.6950.040.695

0.040.04...0.940.06...1.0 (approx.)0.0 (approx.)...

Probabilistic Disassembly

Page 15: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

Data and Code Coexistence: Probabilistic Disassembly

nop cs:(rax,rax)nop cs:(rax+...)nop cs:(rax+...)...add al, (rax)add al, (rax)add al, (rax)add cl, -117(rax)mov 0x19B978(rip), rax

mov 0x19b978(rip), eaxadd 0x1685873, eax...push r14push rsi...mov rdx, (rdi)mov edx, (rdi)...

Superset Disassembly

0xBBF720xBBF730xBBF74

...0xBBF8C0xBBF8D0xBBF8E0xBBF8F0xBBF90

0xBBF910xBFF92

...0xBBF970xBBF98

...0xBBFB00xBBFB1

...

66 66 .. 0066 66 .. 1F66 66 .. 84...00 0000 00 00 0000 48 8B48 8B 05 71 B9 19 00 8B 05 .. 0005 71 .. 00...41 5656...48 89 47 1048 89 17...

ADDRESS RAW BYTE

0.040.040.04...0.6950.040.6950.040.695

0.040.04...0.940.06...1.0 (approx.)0.0 (approx.)...

Probabilistic Disassembly

Page 16: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

State-of-the-art: Where we are

Existing disassemblers have

various limitations

Disassembler False Negatives False Positives

Linear sweep Some Substantial

Traversal Substantial None

Superset None Bloated

Shingled Graph Some Some

BAP ByteWeight Some Some

Probabilistic Disassembly None* Some*

*With probabilistic guarantees

Desirable

Undesirable

Page 17: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

Key Ideas: Hints of true instructions

Hint 1: Control flow convergence

jmp labelA...jmp labelA......labelA:

jmp labelA...jmp labelB...labelA:...labelB:

Unlikely happen in disassembled code from data (e.g., random) bytes

Hint 2: Control flow crossing

Page 18: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

Key Ideas: Hints of true instructions

Hint 3: Register Def-use relation

00 0000 00 10 60 00

RAW BYTE

add al, (rax)add cl, (rax)adc ah, 0x0(rax)

ASSEMBLY

0x40040D0x40040F0x400411

ADDRESS

00 5F 5F67 6D6F6E

RAW BYTE

add bl, 0x5F(rdi)insl cl, (rax)outsl ds:(rsi),(dx)outsb ds:(rsi),(dx)

ASSEMBLY

0x4003700x4003730x4003750x400376

ADDRESS

(b) String (No def-use)

(c) Jump Table (Memory def-use)

48 89 C248 03 55 F88B 45 F489 02

RAW BYTE

mov rax, rdxadd -0x8(rbp), rdxmov -0xC(rbp), eaxmov eax, (rdx)

ASSEMBLY

0x4005CB0x4005CE0x4005D20x4005D5

ADDRESS

(a) True Instructions (Reg. def-use)

Page 19: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

Computing Probabilistic Constraints

Reasoning Rules: probabilistic inference rules

1. If an instruction starting at an address is valid, its successor along control flow must be a valid instruction.

2. If an instruction starting at an address is valid, its preceding instruction may be a valid instruction.

3. If an instruction starting at an address is valid, all the other addresses starting inside its body are invalid

𝐶1: 𝑥1.0

𝑥𝑠𝑢𝑐𝑐

𝐶2: 𝑥 ՜𝑝𝑥𝑝𝑟𝑒

Hints and Reasoning rules are encoded as probabilistic constraints. Each instruction’s probability is propagated to its control flow successor(s)

Page 20: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

Implementation and Evaluation

• Implementation• ELF binaries: based on BAP (by CMU)

• PE binaries: based on Capstone

• Released at

https://github.com/KennethAdamMiller/superset_disassembler

• Evaluation• 2048 ELF binaries

• SPEC2000 PE binaries

https://github.com/KennethAdamMiller/superset_disassembler
Page 21: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

ELF Results: Tradeoffs of Threshold

Page 22: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

False Positive wrt Binary Size

244 KB

Page 23: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

Superset Disassembly vs. Probabilistic Disassembly

Superset Disassembly + Binary Rewriter* vs. Probabilistic Disassembly + Binary Rewriter*

* The same binary rewriter. No added instructions

Page 24: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

Related Work

• Linear Sweep Disassembly• SecondWrite (WCRE’13), D. Andriesse et al. (Security’15), …

• Traversal based Disassembly• IDA, BAP, N. E. Rosenblum et al. (AAAI’08), BYTEWEIGHT (Security’14), E. C. R. Shin et

al. (Usenix’15), D. Andriesse et al. (Security’15), R. Qiao et al (DSN’17), …

• Superset Disassembly (NDSS’18)• Probabilistic Inference in Program Analysis

• G. K. Baah et al. (ISSTA’08), Merlin (PLDI’09), Dimsum (NDSS’12), …

• Machine Learning for Binary Analysis• R. Wartell (PKDD’11), Shingled graph disassembly (PAKDD’14), …

• Dynamic Disassembly • D. Bruening et al. (CGO’03), H. Patil et al. (MICRO’04), BIRD, …

Page 25: Probabilistic Disassembly - GitHub Pages · Data and Code Coexistence: Probabilistic Disassembly 0xBBF72 0xBBF76 0xBBF7A 0xBBF7E 0xBBF82 0xBBF84 0xBBF8A 0xBBF8E 0xBBF90 0xBBF97...

Discussions and Questions

• Limitations:• Our benchmarks may not represent all possible real-world binaries

• We focus on compiler generated binaries. Hand-crafted binaries/obfuscated binaries are not tested.

• However, we believe semantic hints still exist in such code

• Source code available! https://github.com/KennethAdamMiller/superset_disassembler

https://github.com/KennethAdamMiller/superset_disassembler

L10 Disassembly

L10 Disassembly

disassembly exercise

disassembly exercise

Peaceful Coexistence Neutrality Intro Peaceful Coexistence

Peaceful Coexistence Neutrality Intro Peaceful Coexistence

Overview. Presentation Introduction Supported coexistence scenarios Upgrade and coexistence Exchange 2003 Upgrade and coexistence Exchange 2007.

Overview. Presentation Introduction Supported coexistence scenarios Upgrade and coexistence Exchange 2003 Upgrade and coexistence Exchange 2007.

SUB2000 Disassembly

SUB2000 Disassembly

Aggregation and coexistence Coexistence on a single resource - diverse studies on the aggregation theory of species coexistence. Andrew Davis Institute.

Aggregation and coexistence Coexistence on a single resource - diverse studies on the aggregation theory of species coexistence. Andrew Davis Institute.

Tool Disassembly

Tool Disassembly

Disassembly & Reassembly.pdf

Disassembly & Reassembly.pdf

Coexistence Test Plan

Coexistence Test Plan

g4 Disassembly

g4 Disassembly

The Coexistence Equation

The Coexistence Equation

PEGATRON Lucid Disassembly SOP. Agenda Lucid Disassembly SOP Front Case Disassembly System Disassembly Key Part Assembly.

PEGATRON Lucid Disassembly SOP. Agenda Lucid Disassembly SOP Front Case Disassembly System Disassembly Key Part Assembly.

CAREFUL COEXISTENCE

CAREFUL COEXISTENCE

System Disassembly

System Disassembly

Structuring Trademark Coexistence Agreementsmedia.straffordpub.com/products/structuring-trademark-coexistence... · Structuring Trademark Coexistence Agreements Evaluating and Negotiating

Structuring Trademark Coexistence Agreementsmedia.straffordpub.com/products/structuring-trademark-coexistence... · Structuring Trademark Coexistence Agreements Evaluating and Negotiating

VGN-FExx series Disassemble Instruction · Disassembly LCD ASSY 7 Disassembly Bottom 10 Disassembly Thermal VGA 10 Disassembly ASSY Thermal CPU 11 Disassembly CPU 11 Disassembly W-LAN

VGN-FExx series Disassemble Instruction · Disassembly LCD ASSY 7 Disassembly Bottom 10 Disassembly Thermal VGA 10 Disassembly ASSY Thermal CPU 11 Disassembly CPU 11 Disassembly W-LAN

Trademark Coexistence Agreements

Trademark Coexistence Agreements

Dolar 1995 Coexistence

Dolar 1995 Coexistence

DSRC Coexistence

DSRC Coexistence

Man & Wildlife Coexistence

Man & Wildlife Coexistence