Abstract
This paper presents an algorithm for off-line partial evaluation of machine code. The algorithm follows the classical two-phase approach of binding-time analysis (BTA) followed by specialization. However, machine-code partial evaluation presents a number of new challenges, and it was necessary to devise new techniques for use in each phase.

- Our BTA algorithm makes use of an instruction-rewriting method that "decouples" multiple updates performed by a single instruction. This method counters the cascading imprecision that would otherwise occur with a more naive approach to BTA.
- Our specializer specializes an explicit representation of the semantics of an instruction, and emits residual code via machine-code synthesis. Moreover, to create code that allows the stack and heap to be at different positions at run-time than at specialization-time, the specializer represents specialization-time addresses using symbolic constants, and uses a symbolic state for specialization.

Our experiments show that our algorithm can be used to specialize binaries with respect to commonly used inputs to produce faster binaries, as well as to extract an executable component from a bloated binary.
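The following is an added toy illustration (not the paper's own code or algorithm) of why decoupling the updates of a single instruction matters for BTA. It assumes a constructed straight-line program in which `push eax` writes both `esp` and the stack cell, with `eax` the only dynamic input; the register names and the instruction semantics are simplified assumptions, and the analysis only tracks dynamic/static binding times.

```python
import re

# Each instruction's semantics is an explicit list of updates
# (destination, source locations).  Constructed program: 'push eax'
# performs two updates in one instruction.
PROGRAM = [
    ("push eax",        [("esp", ("esp",)), ("mem[esp-4]", ("eax",))]),
    ("mov ebx,[esp+8]", [("ebx", ("esp", "mem[esp+8]"))]),
    ("add ecx,ebx",     [("ecx", ("ecx", "ebx"))]),
]

def regs_in(loc):
    """Registers a location name depends on: 'mem[esp-4]' -> {'esp'}."""
    return set(re.findall(r"[a-z]+", loc)) - {"mem"}

def bta(program, dynamic_inputs, decoupled):
    """Return the set of locations classified as dynamic.

    decoupled=False: the instruction is one unit, so a single dynamic
                     source makes every destination dynamic (naive BTA).
    decoupled=True:  each update is classified from its own sources and
                     from the registers its destination address uses.
    """
    dyn = set(dynamic_inputs)
    changed = True
    while changed:                     # fixpoint, so loops would work too
        changed = False
        for _mnemonic, updates in program:
            if decoupled:
                new = {d for d, srcs in updates
                       if dyn & set(srcs) or dyn & regs_in(d)}
            else:
                all_srcs = {s for _, srcs in updates for s in srcs}
                new = {d for d, _ in updates} if dyn & all_srcs else set()
            if not new <= dyn:
                dyn |= new
                changed = True
    return dyn

if __name__ == "__main__":
    # Naive BTA taints esp via the push, which cascades into ebx and ecx;
    # the decoupled analysis keeps esp, ebx and ecx static.
    print("naive    :", sorted(bta(PROGRAM, {"eax"}, decoupled=False)))
    print("decoupled:", sorted(bta(PROGRAM, {"eax"}, decoupled=True)))
```

In the naive run the stack pointer becomes dynamic only because it shares an instruction with a dynamic value, and every later stack access inherits that imprecision.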
Published in OOPSLA 2015: Proceedings of the 2015 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications.