Detail publikace

Advanced Static Analysis for Decompilation Using Scattered Context Grammars

Originální název

Advanced Static Analysis for Decompilation Using Scattered Context Grammars

Anglický název

Advanced Static Analysis for Decompilation Using Scattered Context Grammars

Jazyk

en

Originální abstrakt

Reverse program compilation (i.e. decompilation) is a process heavily exploited in reverse engineering. The task of decompilation is to transform a platform-specific executable into a high-level language representation, which is usually the C language. Such a process can be used for source code reconstruction, compiler testing, malware analysis, etc. In present, there are several existing decompilers that are able to decompile simple applications. However, we can see a drop-off in terms of the quality of the generated code when the decompiled code is highly optimized (e.g. usage of instruction idioms) or obfuscated (e.g. dead code insertion, register renaming). Optimized or obfuscated applications are usually generated by highly optimizing compilers or metamorphic engines (used by malware authors). In this paper, we present several innovative decompilation methods based on scattered context grammars. These methods are able to effectively decompile optimized or obfuscated code. For demonstration, we used these methods for enhancement of the static analysis phase of an existing decompiler. Experimental results of our solution are presented at the end of the paper.

Anglický abstrakt

Reverse program compilation (i.e. decompilation) is a process heavily exploited in reverse engineering. The task of decompilation is to transform a platform-specific executable into a high-level language representation, which is usually the C language. Such a process can be used for source code reconstruction, compiler testing, malware analysis, etc. In present, there are several existing decompilers that are able to decompile simple applications. However, we can see a drop-off in terms of the quality of the generated code when the decompiled code is highly optimized (e.g. usage of instruction idioms) or obfuscated (e.g. dead code insertion, register renaming). Optimized or obfuscated applications are usually generated by highly optimizing compilers or metamorphic engines (used by malware authors). In this paper, we present several innovative decompilation methods based on scattered context grammars. These methods are able to effectively decompile optimized or obfuscated code. For demonstration, we used these methods for enhancement of the static analysis phase of an existing decompiler. Experimental results of our solution are presented at the end of the paper.

BibTex


@inproceedings{BUT76457,
  author="Lukáš {Ďurfina} and Jakub {Křoustek} and Petr {Zemek} and Dušan {Kolář} and Tomáš {Hruška} and Karel {Masařík} and Alexandr {Meduna}",
  title="Advanced Static Analysis for Decompilation Using Scattered Context Grammars",
  annote="Reverse program compilation (i.e. decompilation) is a process heavily exploited
in reverse engineering. The task of decompilation is to transform
a platform-specific executable into a high-level language representation, which
is usually the C language. Such a process can be used for source code
reconstruction, compiler testing, malware analysis, etc. In present, there are
several existing decompilers that are able to decompile simple applications.
However, we can see a drop-off in terms of the quality of the generated code when
the decompiled code is highly optimized (e.g. usage of instruction idioms) or
obfuscated (e.g. dead code insertion, register renaming). Optimized or obfuscated
applications are usually generated by highly optimizing compilers or metamorphic
engines (used by malware authors). In this paper, we present several innovative
decompilation methods based on scattered context grammars. These methods are able
to effectively decompile optimized or obfuscated code. For demonstration, we used
these methods for enhancement of the static analysis phase of an existing
decompiler. Experimental results of our solution are presented at the end of the
paper.",
  address="World Scientific and Engineering Academy",
  booktitle="Proceedings of the Applied Computing Conference 2011 (ACC'11)",
  chapter="76457",
  edition="NEUVEDEN",
  howpublished="print",
  institution="World Scientific and Engineering Academy",
  year="2011",
  month="november",
  pages="164--169",
  publisher="World Scientific and Engineering Academy",
  type="conference paper"
}