Abstract

Reverse-engineering program binaries often relies on the recovery of high-level data abstractions. In particular, recovering variables and their type is challenging as most such information is lost during compilation. Although past proposals seem to have addressed this problem, their approaches are either not scalable and suffer from coverage issues (e.g., dynamic analysis), or yield insufficient precision by staying too conservative (e.g., static analysis). Furthermore, most recent works lift assembly to Intermediate Representation (IR), which standardizes low-level operations, and may lose some useful semantics for type inference. In this thesis, we propose BinType, a static analysis-based, scalable, precise and conservative tool that works directly on x86 assembly to automatically reveal type information of variables and function arguments. BinType is 45% more precise than TIE (NDSS’11) on a dataset 3.5 times larger, and orders of magnitude faster than its underlying algorithm. We also show that our tool makes a significant impact on the accuracy of a recent tool on binary to source matching.