WO2015168192A1 - Matching program sections through feature extraction - Google Patents

Info

Publication number
WO2015168192A1
Authority
WO
WIPO (PCT)
Prior art keywords
equivalent
block
blocks
processor
program
Application number
PCT/US2015/028106
Other languages
French (fr)
Inventor
Ali Rahbar
Elias BACHAALANY
Ali Pezeshk
Original Assignee
Microsoft Technology Licensing, Llc
Application filed by Microsoft Technology Licensing, Llc
Publication of WO2015168192A1

Classifications

    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F8/00 Arrangements for software engineering › G06F8/40 Transformation of program code › G06F8/41 Compilation › G06F8/44 Encoding › G06F8/443 Optimisation
    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F8/00 Arrangements for software engineering › G06F8/40 Transformation of program code › G06F8/41 Compilation › G06F8/44 Encoding › G06F8/443 Optimisation › G06F8/4434 Reducing the memory space required by the program code › G06F8/4436 Exlining; Procedural abstraction
    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F8/00 Arrangements for software engineering › G06F8/40 Transformation of program code › G06F8/53 Decompilation; Disassembly

Abstract

Various techniques for matching program sections are described herein. In one example, a method includes organizing a program into blocks based on control flow. The method also includes calculating a plurality of features for each block. The method further includes comparing the calculated features for each block with other blocks and creating a list of equivalent blocks. The method also further includes constructing a list of equivalent program sections utilizing the list of equivalent blocks.

Description

MATCHING PROGRAM SECTIONS THROUGH FEATURE EXTRACTION
BACKGROUND
[0001] When reverse engineering software, an analyst may often only have binary code to work with. The binary code is made up of a multitude of zeroes and ones that can be directly executed by a processor but are difficult for a person to read and understand. In some cases, the binary code can be translated into a different form to make reading the software easier. The resulting code lacks the constants and programmer comments that may have existed in the original high-level programming language that was compiled into binary code.
[0002] An inlined function is a function upon which the compiler has performed inline expansion. Inline expansion takes the complete body of the function that has been inlined and inserts the body of the function into every place that a function is called rather than generating code to call the function. Therefore, inlined functions may produce binary code that is voluminous and difficult to analyze. Compilers are not obligated to respect inlining of functions in every instance. A programmer can nonetheless forcefully inline functions in order to thwart reverse engineering attempts.
SUMMARY
[0003] The following presents a simplified summary of the innovation in order to provide a basic understanding of some aspects described herein. This summary is not an extensive overview of the claimed subject matter. It is intended to neither identify key elements of the claimed subject matter nor delineate the scope of the claimed subject matter. Its sole purpose is to present some concepts of the claimed subject matter in a simplified form as a prelude to the more detailed description that is presented later.
[0004] The claimed subject matter provides a method for matching program sections. The method includes organizing a program into blocks based on control flow. The method can include transforming a program to an intermediate language representation and organizing the intermediate language representation into blocks based on control flow. The method also includes calculating a plurality of features for each block. The method further includes comparing the calculated features for each block with other blocks and creating a list of equivalent blocks. The method can include receiving a manual adjustment to the set of features that is to be used for equivalence checks and the detected equivalences. The method can also include creating a graph with the blocks as nodes and with edges determined from control flow. The method can further include identifying equivalent subgraphs in the graph, wherein the equivalent blocks are used to identify the equivalent subgraphs, starting with a pair of equivalent blocks as head nodes. The method also can include determining whether the equivalent subgraphs are functions that have been inlined or are to be interpreted as an inlined function. The method can include constructing a list of equivalent program sections utilizing the list of equivalent blocks. The plurality of features calculated for each block can include a feature derived from a mapping of each instruction in the block to an instruction type and chaining the instruction types as they appear in the block. The plurality of features calculated for each block can further include a feature derived from a mapping of each instruction in the block to an instruction type, combining the instruction types that appear in the block such that the combination result is order agnostic. The plurality of features calculated for each block can also include a feature derived from the frequency of the different instruction types in the block, allowing for partial/fuzzy matching of two blocks. The plurality of features calculated for each block can further include a feature derived from symbolic execution of the block. The plurality of features calculated for each block can also include a feature derived from translating the block into another intermediate representation, and passing it through an optimizer. The method can further include transforming a program into an alternate program based on the detected equivalent program sections. The method can include loading a program based on the graph and equivalent subgraphs into a user interface and visualizing the code and equivalent subgraphs. The method can also include accepting a user input to alter one or more decisions around subgraph equivalence and visualizing an updated code and updated equivalent subgraphs.
[0005] One embodiment of the claimed subject matter relates to one or more computer-readable storage media that match program sections. The one or more computer-readable storage media have a plurality of instructions that, when executed by a processor, cause the processor to transform a program to an intermediate language representation and organize the intermediate language representation into blocks based on control flow. The instructions also cause the processor to calculate a plurality of features for each block. The instructions further cause the processor to compare the calculated features for each block in the program and create a list of equivalent blocks. The instructions can also cause the processor to receive a manual adjustment to the set of features that is to be used for equivalence checks and the detected equivalences. The instructions can also cause the processor to create a graph with the blocks as nodes and with edges determined from control flow. The instructions can also further cause the processor to identify equivalent subgraphs in the graph, wherein the equivalent blocks are used to identify the equivalent subgraphs, starting with a pair of equivalent blocks as head nodes. The instructions can also cause the processor to determine whether the equivalent subgraphs are functions that have been inlined or are to be interpreted as an inlined function. The instructions can also further cause the processor to construct a list of equivalent program sections utilizing the list of equivalent blocks. The instructions can further cause the processor to calculate a feature derived from a mapping of each instruction in the block to an instruction type and chaining the instruction types as they appear in the block. The instructions can also cause the processor to calculate a feature derived from a mapping of each instruction in the block to an instruction type, combining the instruction types that appear in the block such that the combination result is order agnostic. The instructions can further cause the processor to calculate a feature derived from the frequency of the different instruction types in the block, allowing for partial/fuzzy matching of two blocks. The instructions can also cause the processor to calculate a feature derived from symbolic execution of the block. The instructions can also cause the processor to calculate a feature derived from translating the block into another intermediate representation, and passing it through an optimizer. The instructions can also cause the processor to transform a program into an alternate program based on the detected equivalent program sections. The instructions can also further cause the processor to load a program based on the graph and equivalent subgraphs into a user interface and visualize the code and equivalent subgraphs. The instructions can also cause the processor to accept a user input to alter one or more decisions around subgraph equivalence and visualize an updated code and updated equivalent subgraphs.
[0006] Another embodiment of the claimed subject matter relates to a system for matching program sections that includes a processor to execute processor executable code and a storage device that stores processor executable code. The processor executable code, when executed by the processor, causes the processor to organize a program into blocks based on control flow. The code further causes the processor to calculate a plurality of features for each block. The code also causes the processor to compare the calculated features for each block with other blocks and create a list of equivalent blocks. The code can also cause the processor to transform a program to an intermediate language representation and organize the intermediate language representation into blocks based on control flow. The code can also cause the processor to receive a manual adjustment to the set of features that is to be used for equivalence checks and the detected equivalences. The code can also cause the processor to create a graph with the blocks as nodes and edges determined from control flow. The code can further cause the processor to identify equivalent subgraphs in the graph, wherein the equivalent blocks are used to identify the equivalent subgraphs, starting with a pair of equivalent blocks as head nodes. The code can also cause the processor to determine whether the equivalent subgraphs are functions that have been inlined or are to be interpreted as an inlined function. The code can also further cause the processor to construct a list of equivalent program sections utilizing the list of equivalent blocks. The code can also cause the processor to calculate a feature derived from a mapping of each instruction in the block to an instruction type and chaining the instruction types as they appear in the block. The code can also cause the processor to calculate a feature derived from a mapping of each instruction in the block to an instruction type, combining the instruction types that appear in the block such that the combination result is order agnostic. The code can further cause the processor to calculate a feature derived from the frequency of the different instruction types in the block, allowing for partial/fuzzy matching of two blocks. The code can also cause the processor to calculate a feature derived from symbolic execution of the block. The code can further cause the processor to calculate a feature derived from translating the block into another intermediate representation, and passing it through an optimizer. The code can also cause the processor to transform a program into an alternate program based on the detected equivalent program sections. The code can also further cause the processor to load a program based on the graph and equivalent subgraphs into a user interface and visualize the code and equivalent subgraphs. The code can cause the processor to accept a user input to alter one or more decisions around subgraph equivalence and visualize an updated code and updated equivalent subgraphs.
[0007] The following description and the annexed drawings set forth in detail certain illustrative aspects of the claimed subject matter. These aspects are indicative, however, of a few of the various ways in which the principles of the innovation may be employed and the claimed subject matter is intended to include all such aspects and their equivalents. Other advantages and novel features of the claimed subject matter will become apparent from the following detailed description of the innovation when considered in conjunction with the drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
[0008] Fig. 1 is a block diagram of an example of a computing system that matches program sections;
[0009] Fig. 2 is a high-level process flow diagram of an example method for matching program sections;
[0010] Fig. 3 is a detailed process flow diagram of an example method for matching program sections;
[0011] Fig. 4A is an example graph for displaying equivalent blocks;
[0012] Fig. 4B is an example graph for displaying equivalent subgraphs; and
[0013] Fig. 5 is a block diagram showing a tangible, computer-readable storage media that can be used to match program sections.
DETAILED DESCRIPTION
[0014] As a preliminary matter, some of the Figures describe concepts in the context of one or more structural components, variously referred to as functionality, modules, features, elements, or the like. The various components shown in the Figures can be implemented in any manner, such as software, hardware, firmware, or combinations thereof. In some embodiments, various components reflect the use of corresponding components in an actual implementation. In other embodiments, any single component illustrated in the Figures may be implemented by a number of actual components. The depiction of any two or more separate components in the Figures may reflect different functions performed by a single actual component. Fig. 1, discussed below, provides details regarding one system that may be used to implement the functions shown in the Figures.
[0015] Other Figures describe the concepts in flowchart form. In this form, certain operations are described as constituting distinct blocks performed in a certain order. Such implementations are exemplary and non-limiting. Certain blocks described herein can be grouped together and performed in a single operation, certain blocks can be broken apart into multiple component blocks, and certain blocks can be performed in an order that differs from that which is illustrated herein, including a parallel manner of performing the blocks. The blocks shown in the flowcharts can be implemented by software, hardware, firmware, manual processing, or the like. As used herein, hardware may include computer systems, discrete logic components, such as application specific integrated circuits (ASICs), or the like.
[0016] As to terminology, the phrase "configured to" encompasses any way that any kind of functionality can be constructed to perform an identified operation. The functionality can be configured to perform an operation using, for instance, software, hardware, firmware, or the like. The term "logic" encompasses any functionality for performing a task. For instance, each operation illustrated in the flowcharts corresponds to logic for performing that operation. An operation can be performed using software, hardware, firmware, or the like. The terms "component," "system," and the like may refer to computer-related entities, hardware, and software in execution, firmware, or combination thereof. A component may be a process running on a processor, an object, an executable, a program, a function, a subroutine, a computer, or a combination of software and hardware. The term "processor" may refer to a hardware component, such as a processing unit of a computer system.
[0017] Furthermore, the claimed subject matter may be implemented as a method, apparatus, or article of manufacture using standard programming and engineering techniques to produce software, firmware, hardware, or any combination thereof to control a computing device to implement the disclosed subject matter. The term, "article of manufacture," as used herein is intended to encompass a computer program accessible from any computer-readable storage device or media. Computer-readable storage media can include, but are not limited to, magnetic storage devices, e.g., hard disk, floppy disk, magnetic strips, optical disk, compact disk (CD), digital versatile disk (DVD), smart cards, flash memory devices, among others. In contrast, computer-readable media, i.e., not storage media, may include communication media such as transmission media for wireless signals and the like.
[0018] According to embodiments described herein, a program is organized into blocks. A program can be organized into instruction sequences. As used herein, an instruction sequence includes but is not limited to a sequence of processor specific instructions, assembly instructions or intermediate language instructions. In some embodiments, the control flow is used to break instruction sequences into blocks. A block, as used herein, is an instruction sequence ending with an instruction that can modify the flow of execution. In some embodiments, the blocks are represented as nodes on a set of graphs with edges determined from the control flow.
[0019] Fig. 1 is a block diagram of an example of a computing system that matches program sections. The computing system 100 may be, for example, a laptop computer, desktop computer, or tablet computer, among others. The computing system 100 may include a processor 102 that is adapted to execute stored instructions, as well as a memory device 104 that stores instructions that are executable by the processor 102. The processor 102 can be a single core processor, a multi-core processor, a computing cluster, or any number of other configurations. The memory device 104 can include random access memory, read-only memory, flash memory, or any other suitable memory systems. The instructions that are executed by the processor 102 may be used to match program sections. In some embodiments, the instructions may be used to identify equivalent blocks within a program. For example, the instructions may be used to detect inlined functions in the binary code representing a program.
[0020] The processor 102 may be connected through a system bus 106 (e.g., PCI®, PCI-Express®, etc.) to an input/output (I/O) device interface 108 adapted to connect the computing system 100 to one or more I/O devices 110. The I/O devices 110 may include, for example, a keyboard, a gesture recognition input device, a voice recognition device, and a pointing device, wherein the pointing device may include a touchpad or a touchscreen, among others. The I/O devices 110 may be built-in components of the computing system 100, or may be devices that are externally connected to the computing system 100.
[0021] The processor 102 may also be linked through the system bus 106 to a display device interface 112 adapted to connect the computing system 100 to a display device 114. The display device 114 may include a display screen that is a built-in component of the computing system 100. The display device 114 may also include a computer monitor, television, or projector, among others, that is externally connected to the computing system 100. A network interface card (NIC) 116 may also be adapted to connect the computing system 100 through the system bus 106 to a network (not depicted).
[0022] The storage 118 can include a hard drive, an optical drive, a USB flash drive, an array of drives, or any combinations thereof. The storage 118 may include a transformation module 120, a detection module 122, and an organizer module 124. In some embodiments, the transformation module 120 can transform a program to an intermediate language representation. For example, assembly code can be produced based on provided binary code. For example, the binary code may be x86, x64 or ARM® binaries. As discussed above, the transformed program typically lacks comments and may be voluminous.
[0023] In embodiments, the transformation module 120 organizes the program into blocks based on control flow.
[0024] In embodiments, the detection module 122 calculates a plurality of features for each block. The features can be derived from a variety of characteristics of each block. In some examples, the features can include tracking exact sequences of code operations. In some embodiments, the detection module 122 can derive a feature from a mapping of each instruction in the block to an instruction type and chaining the instruction types as they appear in the block. By chaining the instruction types as they appear in the block, the detection module 122 can preserve the order of the instructions in the block. In some embodiments, the detection module can derive a feature from a mapping of each instruction in the block to an instruction type, combining the instruction types that appear in the block such that the combination result is order agnostic. In some embodiments, the detection module 122 can derive a feature from the frequency of the different instruction types in the block, allowing for partial/fuzzy matching of two blocks. In some embodiments, the detection module 122 can derive a feature from symbolic execution of the block. For example, an initial set of symbolic values for processor registers and an initial memory state can be used as an initial system state before running a symbolic execution engine on the block. In some embodiments, the detection module 122 can derive a feature by translating the block into another intermediate representation, and passing it through an optimizer.
[0025] In some embodiments, the detection module 122 can compare features for each block in the program and create a list of equivalent blocks. In some examples, the equivalent blocks can be blocks that have one or more matching features.
[0026] In some embodiments, the organizer module 124 may create a graph with the blocks as nodes and with edges determined from code flow. A graph, node, and edge, as used herein, refer to the mathematical definition of graph, node and edge.
[0027] In some embodiments, the detection module 122 can identify equivalent subgraphs in the graph. In some examples, equivalent blocks can be used to identify equivalent subgraphs. In some examples, detection of equivalent subgraphs can start with a comparison of a pair of equivalent blocks as head nodes. A subgraph, as used herein, refers to the mathematical definition of a subgraph.
[0028] In some embodiments, the organizer module 124 can receive a manual adjustment to the set of features that should be used for equivalence checks and the detected equivalences. In some examples, a user may have indicated that two or more blocks should be treated as equivalent. For example, the organizer module 124 may receive a manual adjustment that two subgraphs should be considered equivalent.
[0029] In some embodiments, the detection module 122 can determine whether the equivalent subgraphs are functions that have been inlined or are otherwise to be interpreted as inlined functions. In some embodiments, two matched subgraphs can then be inspected to see if they are well-formed functions. A well-formed function, as used herein, includes a function that has one entry point, one or more exit points, and no jumps from outside the function to the middle of the function.
[0030] In some embodiments, the detection module 122 can then construct a list of equivalent program sections utilizing the list of equivalent blocks. For example, program sections can be matched if all their constituting blocks are equivalent.
[0031] In some embodiments, the organizer module 124 can transform the program into an alternate program based on the detected equivalent program sections. An alternate program, as used herein, can include, but is not limited to, rewriting the binary to remove occurrences of equivalent program sections. In some examples, the organizer module 124 can rewrite the program to replace each occurrence of a detected inlined function with a call to a new function created from the instructions that comprised the inlined function.
[0032] In some embodiments, the organizer module 124 can load the program based on the graph and equivalent subgraphs into a user interface (UI) and visualize the code and equivalent subgraphs. When the detection module 122 runs and detects similar subgraphs as discussed above, the results are passed to the organizer module 124 for visualization, etc. The results can represent inlined functions or repeated program sections. In some examples, the organizer module 124 can allow the user to visually cycle and navigate between similar subgraphs. For example, various mechanisms to hide or display code, or hide or display similar subgraphs can be available for the user.
[0033] In some embodiments, the organizer module 124 can accept user input to alter one or more decisions around subgraph equivalence. The result of the user's manual decision is subsequently used to improve the analysis as described below, used in binary rewriting as described above, or in creating a visualization and/or UI. In some embodiments, the organizer module 124 can visualize the updated code and updated equivalent subgraphs.
[0034] It is to be understood that the block diagram of Fig. 1 is not intended to indicate that the computing system 100 is to include all of the components shown in Fig. 1. Rather, the computing system 100 can include fewer or additional components not illustrated in Fig. 1 (e.g., additional applications, additional modules, additional memory devices, additional network interfaces, etc.). Furthermore, any of the functionalities of the transformation module 120, the detection module 122, and the organizer module 124 can be partially, or entirely, implemented in hardware and/or in the processor 102. For example, the functionality can be implemented with an application specific integrated circuit, in logic implemented in the processor 102, or in any other device. For example, and without limitation, illustrative types of hardware logic components that can be used include Field-programmable Gate Arrays (FPGAs), Application-specific Integrated Circuits (ASICs), Application-specific Standard Products (ASSPs), System-on-a-chip systems (SOCs), and Complex Programmable Logic Devices (CPLDs), etc.
[0035] Fig. 2 is a high-level process flow diagram of an example method for matching program sections. The method 200 can be implemented with any suitable computing device, such as the computing system 100 of Fig. 1.
[0036] At block 202, the transformation module 120 organizes a program into blocks based on control flow. In some examples, a block can include any suitable number of instructions or lines of assembly code which follow a transfer of flow of execution. For example, a block can start after a jump instruction which changes the flow of execution by modifying an instruction pointer value. In some embodiments, the transformation module 120 can transform a program to an intermediate language representation and organize the intermediate language representation into blocks based on control flow as discussed in greater length in Fig. 3 below.
[0037] At block 204, the detection module 122 calculates a plurality of features for each block. For example, the features can be derived from a variety of characteristics of the blocks as described in greater detail in Fig. 3 below.
[0038] At block 206, the detection module 122 compares the plurality of features for each block in the program and creates a list of equivalent blocks. For example, the equivalent blocks can be blocks that have one or more matching features.
[0039] The process flow diagram of Fig. 2 is not intended to indicate that the operations of the method 200 are to be executed in any particular order, or that all of the operations of the method 200 are to be included in every case. Further, any number of additional operations can be included within the method 200, depending on the specific application.
[0040] Fig. 3 is a detailed process flow diagram of an example method for matching program sections. The method 300 can be implemented with any suitable computing device, such as the computing system 100 of Fig. 1.
[0041] At block 302, the transformation module 120 transforms a program into an intermediate language representation. In some examples, the intermediate language may be a form of assembly language. For example, binary code can be translated into assembly code. In some examples, a high level language (such as C++) source code can be translated into an intermediate language with a compiler.
[0042] At block 304, the transformation module 120 organizes the intermediate language representation into blocks based on control flow. For example, an assembly language representation may be divided into blocks based upon the control flow of the code.
[0043] At block 306, the organizer module 124 can create a graph with the blocks as nodes and with edges determined from control flow.
[0044] At block 308, the detection module 122 calculates a plurality of features for each block. The features can be derived from a variety of characteristics of the blocks. For example, a feature can be derived from a mapping of each instruction in the block to an instruction type, then chaining the instruction types and thus preserving their order. A number can be assigned to each instruction type. For example, a MOV EAX, EBX is a move between registers and has the same type as a MOV ECX, EDX instruction. In some examples, the detection module 122 can concatenate the instruction type of each instruction in the block and then calculate a digest on the result. In some examples, the detection module 122 can take operand types into account for the mapping of instructions to the instruction types. In some examples, operand types are not taken into account, resulting in a looser matching feature. For example, a register addressing mode instruction can be matched with an indirect addressing mode instruction if the operand type is not taken into account.
[0045] In some embodiments, the features can include a feature derived from a mapping of each instruction in the block to an instruction type and combining the instruction types that appear in the block such that the combination result is order agnostic. For example, detection module 122 can associate a unique prime number with each instruction type. The result of the mapping for each instruction in the block is multiplied to produce a number from which a digest can be calculated. The use of unique prime numbers for each instruction type results in a unique number for each composition of instruction types.
[0046] In some embodiments, the detection module 122 can derive a feature from the frequency of different instruction types present in the blocks. For example, the detection module 122 can count the number of times that each instruction type occurs in a block. This feature can allow for a partial or "fuzzy" matching of two blocks.
[0047] Still referring to block 308, in some embodiments, the detection module 122 can derive a feature from the symbolic execution of the blocks. For example, the detection module 122 can use an initial set of symbolic values for processor registers and an initial memory state as an initial system state before running a symbolic execution engine on the block. The detection module 122 can use the resulting system state post symbolic execution of the block to calculate a digest that the detection module 122 can then use to check equivalence of two blocks.
[0048] In some embodiments, the detection module 122 derives a feature from translating the block into another intermediate representation, and passing it through an optimizer. In some examples, the detection module 122 can translate blocks into an intermediate representation. This intermediate language code is passed through an optimizer. The optimization results in a normalized form for the block which can then be fed into any of the previous feature extraction methods.
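The three instruction-type features of paragraphs [0044] to [0046] and the "one or more matching features" test of [0049], as an added example that is not part of the patent: an ordered digest (with and without operand kinds), an order-agnostic prime-product digest, and a frequency histogram used for fuzzy matching. The instruction-type mapping, the operand classifier and the sample blocks are constructed assumptions.

```python
import hashlib
from collections import Counter
from math import prod


# Constructed instruction-type mapping (hypothetical; the patent does not fix one).
def operand_kind(op):
    """Classify one operand string as 'mem', 'imm', or 'reg'."""
    if op.startswith("[") and op.endswith("]"):
        return "mem"
    if op.lstrip("-").isdigit() or op.lower().startswith("0x"):
        return "imm"
    return "reg"


def instruction_type(insn, with_operands=True):
    """Map 'MOV EAX, EBX' to 'mov reg,reg' (strict) or just 'mov' (loose).
    Without operand kinds, MOV EAX, EBX and MOV EAX, [EBX] share a type, which is
    the looser matching described in paragraph [0044]."""
    mnemonic, _, rest = insn.strip().partition(" ")
    mnemonic = mnemonic.lower()
    if not with_operands or not rest:
        return mnemonic
    kinds = [operand_kind(o.strip()) for o in rest.split(",")]
    return f"{mnemonic} {','.join(kinds)}"


def ordered_feature(block, with_operands=True):
    """Paragraph [0044]: chain the instruction types in order, then digest."""
    chain = "|".join(instruction_type(i, with_operands) for i in block)
    return hashlib.sha256(chain.encode()).hexdigest()


def _next_prime(n):
    """Smallest prime greater than n (trial division; fine for a few dozen types)."""
    n += 1
    while any(n % d == 0 for d in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n


_type_primes = {}  # instruction type -> unique prime, assigned on first sight


def prime_for(itype):
    """Associate one unique prime with each instruction type."""
    if itype not in _type_primes:
        _type_primes[itype] = _next_prime(max(_type_primes.values(), default=1))
    return _type_primes[itype]


def orderless_feature(block, with_operands=True):
    """Paragraph [0045]: multiply one prime per instruction; by unique factorisation
    the product identifies the multiset of types, not their order."""
    product = prod(prime_for(instruction_type(i, with_operands)) for i in block)
    return hashlib.sha256(str(product).encode()).hexdigest()


def frequency_feature(block, with_operands=True):
    """Paragraph [0046]: how often each instruction type occurs in the block."""
    return Counter(instruction_type(i, with_operands) for i in block)


def fuzzy_similarity(a, b):
    """Overlap of two frequency features (shared count / total count); 1.0 is identical."""
    fa, fb = frequency_feature(a), frequency_feature(b)
    shared = sum((fa & fb).values())
    total = sum((fa | fb).values())
    return shared / total if total else 1.0


def matching_features(a, b):
    """Paragraph [0049]: names of the features on which two blocks agree; blocks
    with one or more matches are candidates for the equivalent-block list."""
    checks = {
        "ordered_strict": ordered_feature(a) == ordered_feature(b),
        "ordered_loose": ordered_feature(a, False) == ordered_feature(b, False),
        "orderless": orderless_feature(a) == orderless_feature(b),
        "frequency": frequency_feature(a) == frequency_feature(b),
    }
    return [name for name, hit in checks.items() if hit]


# Constructed sample blocks (not from the patent).
BLOCK_A = ["MOV EAX, EBX", "ADD EAX, 4", "MOV [ESP+8], EAX"]
BLOCK_B = ["MOV ECX, EDX", "ADD ECX, 4", "MOV [EBP-4], ECX"]    # same types, other registers
BLOCK_C = ["ADD ECX, 4", "MOV ECX, EDX", "MOV [EBP-4], ECX"]    # BLOCK_B with two instructions swapped
BLOCK_D = ["MOV ECX, [EDX]", "ADD ECX, 4", "MOV [EBP-4], ECX"]  # indirect load instead of register move

if __name__ == "__main__":
    for name, other in (("B", BLOCK_B), ("C", BLOCK_C), ("D", BLOCK_D)):
        print(f"A vs {name}: {matching_features(BLOCK_A, other)}"
              f"  fuzzy={fuzzy_similarity(BLOCK_A, other):.2f}")
```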
[0049] At block 310, the detection module 122 compares the calculated features for each block in the program and creates a list of equivalent blocks. In some examples, the equivalent blocks can be blocks that have one or more matching features.
[0050] At block 312, the organizer module 124 can receive a manual adjustment to the set of features that is to be used for equivalence checks and the detected equivalences. In some examples, a user can have indicated that two or more equivalent subgraphs should be considered equivalent. The detection module 122 can then use this information for matching program sections.
[0051] At block 314, the detection module 122 can identify equivalent subgraphs in the graph. In some examples, the detection module 122 can use equivalent blocks to identify equivalent subgraphs. In some examples, the detection module 122 can start the equivalence comparison with a pair of equivalent blocks as head nodes. For example, breadth-first graph traversal can be used to match two subgraphs. The breadth-first graph traversal can start from an initial equivalent block as a head node of each subgraph. The child nodes of the head nodes can then be compared. In some examples, if the detection module 122 does not find a match at a certain level, then it can use a looser feature to ensure a longer path is not missed due to compiler optimizations. For example, a compiler can have used reordering or equivalence to slightly change instances of the same inlined function as they are compiled. A feature that is loose can be used to disregard these slight changes to the code in matching two subgraphs as discussed below.
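The breadth-first lockstep matching of paragraph [0051], as an added example that is not part of the patent: two head blocks with equal strict features are paired, their children are compared level by level, and a pair that fails the strict feature is retried with the looser operand-agnostic feature so a compiler-perturbed block does not cut the path. The control-flow graph, the per-block feature strings and the node labels (shaped after Fig. 4A) are constructed assumptions.

```python
from collections import deque
from itertools import combinations

# Constructed control-flow graph shaped like Fig. 4A (node numbers reused as labels
# only; edges and features are this example's assumptions, not the patent's).
# 404 and 406 head two instances of the same inlined function; 420 is the join block.
CFG = {
    402: [404, 406],
    404: [408, 410], 408: [412], 410: [412], 412: [420],
    406: [414, 416], 414: [418], 416: [418], 418: [420],
    420: [],
}

# Precomputed per-block features: "strict" keeps operand kinds, "loose" keeps only
# mnemonics. 410 and 416 differ strictly (register move vs. indirect load in one
# instance) but agree on the loose feature.
FEATURES = {
    402: {"strict": "cmp reg,imm|jcc", "loose": "cmp|jcc"},
    404: {"strict": "mov reg,reg|test reg,reg|jcc", "loose": "mov|test|jcc"},
    406: {"strict": "mov reg,reg|test reg,reg|jcc", "loose": "mov|test|jcc"},
    408: {"strict": "add reg,imm|jmp", "loose": "add|jmp"},
    414: {"strict": "add reg,imm|jmp", "loose": "add|jmp"},
    410: {"strict": "sub reg,imm|mov reg,mem", "loose": "sub|mov"},
    416: {"strict": "sub reg,imm|mov reg,reg", "loose": "sub|mov"},
    412: {"strict": "mov reg,mem|jmp", "loose": "mov|jmp"},
    418: {"strict": "mov reg,mem|jmp", "loose": "mov|jmp"},
    420: {"strict": "ret", "loose": "ret"},
}


def blocks_equivalent(feats, a, b, level):
    """Two blocks are equivalent at a level when that feature value is identical."""
    return feats[a][level] == feats[b][level]


def candidate_heads(feats):
    """Pairs of distinct blocks with equal strict features: the starting points of [0051]."""
    return [(a, b) for a, b in combinations(sorted(feats), 2)
            if blocks_equivalent(feats, a, b, "strict")]


def match_subgraphs(cfg, feats, head_a, head_b):
    """Breadth-first lockstep walk from two equivalent head blocks.
    Returns [(block_a, block_b, level)] for every matched pair; 'loose' marks
    pairs that only matched after falling back to the operand-agnostic feature."""
    if head_a == head_b or not blocks_equivalent(feats, head_a, head_b, "strict"):
        return []
    matched = [(head_a, head_b, "strict")]
    seen = {head_a, head_b}
    queue = deque([(head_a, head_b)])
    while queue:
        a, b = queue.popleft()
        kids_a, kids_b = cfg.get(a, []), cfg.get(b, [])
        if len(kids_a) != len(kids_b):
            continue  # out-degree differs: the matched region ends at this node
        for ca, cb in zip(kids_a, kids_b):
            if ca == cb or ca in seen or cb in seen:
                continue  # shared join block, or a block already paired
            if blocks_equivalent(feats, ca, cb, "strict"):
                level = "strict"
            elif blocks_equivalent(feats, ca, cb, "loose"):
                level = "loose"
            else:
                continue  # neither feature agrees: this branch of the path ends
            matched.append((ca, cb, level))
            seen.update((ca, cb))
            queue.append((ca, cb))
    return matched


def largest_match(cfg, feats):
    """Among all candidate head pairs, the walk that pairs the most blocks."""
    best = []
    for a, b in candidate_heads(feats):
        m = match_subgraphs(cfg, feats, a, b)
        if len(m) > len(best):
            best = m
    return best


if __name__ == "__main__":
    for a, b, level in largest_match(CFG, FEATURES):
        print(f"{a} <-> {b} ({level})")
```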
[0052] At block 316, the detection module 122 can determine whether the equivalent subgraphs are functions that have been inlined or are to be interpreted as inlined functions. In some embodiments, the detection module 122 can then inspect two matched subgraphs to see if they are well-formed functions. In some examples, the subgraphs may not be well-formed functions and the detection module 122 can therefore match them as equivalent program sections. In some examples, the detection module 122 can detect the matched subgraphs as representing well-formed functions that have been inlined. In some examples, the detection module 122 can detect functions within functions. For example, a large function can be composed of many smaller functions. In some examples, the matching can be done at the level of the smaller functions. In some other examples, the matching can be done at the level of the large function.
[0053] At block 318, the detection module 122 constructs a list of equivalent program sections utilizing the list of equivalent blocks. In some examples, the equivalent program sections may be inlined functions.
[0054] At block 320, the organizer module 124 can transform the program into an alternate program based on the detected equivalent program sections. In some examples, the organizer module 124 can rewrite the detected inlined functions in the program in the form of one function with function calls replacing every other instance of the inlined function. In some examples, the organizer module 124 can rewrite the binary code. The binary code can then be disassembled into a program that has a much clearer view due to the elimination of most of the inlining. For example, in the case of a binary input where some function calls have been inlined, each instance of an inlined function is detected by the method described. The organizer module 124 can then replace each instance of an inlined function in the binary input with a call to a new function created from the blocks that comprised the inlined function instance. The organizer module 124 can then also produce a new binary in which the inlined functions have been replaced with calls. As a result, analysis, reverse-engineering or decompilation of this binary, which is functionally equivalent to the original, may be easier.
[0055] At block 322, the organizer module 124 can load the program based on the graph and equivalent subgraphs into a user interface (UI) and visualize the code and equivalent subgraphs. When the detection module 122 detects similar sub-graphs as discussed above, the detection module 122 can store the results in a file for later consumption by a visual tool. The results can represent inlined functions or a set of related nodes that stem from repeated code in the original program. In some examples, the organizer module 124 can display the results with various visualization capabilities. For example, the organizer module 124 can present the option of naming all the equivalent sub-graphs. In some examples, the organizer module 124 can initially assign default dummy names to the found sub-graphs. In some examples, the organizer module 124 can present an option of assigning distinguished colors for all identified sub-graph attributes. The organizer module 124 can then color all related sub-graphs (with the same attributes) with a shade of the same color. For example, the detection module 122 can identify the following three different sub-graphs: {Subgraph1A, Subgraph1B} (i.e. two instances of Subgraph1), {Subgraph2A}, {Subgraph3A, Subgraph3B, Subgraph3C}. The organizer module 124 can assign each subgraph a unique color as follows: Subgraph1 -> RED, Subgraph2 -> GREEN, Subgraph3 -> BLUE. For each block set in each sub-graph, the organizer module 124 can assign a different shade of the assigned color as follows: Subgraph1 -> RED -> Subgraph1A: Red/shade1, Subgraph1B: Red/shade2; Subgraph2 -> GREEN -> Subgraph2A: Green/shade1; Subgraph3 -> BLUE -> Subgraph3A: Blue/shade1, Subgraph3B: Blue/shade2, Subgraph3C: Blue/shade3. Thus, related subgraphs can share a similar color while still being distinguishable by their different shades.
[0056] In some examples, the organizer module 124 can present an option to visually cycle and navigate between similar subgraphs. For example, the organizer module 124 can provide various mechanisms to hide or display code, or hide or display similar subgraphs. In some examples, the organizer module 124 can present an option to collapse a matched subgraph to a single node. For example, when an inlined function instance is collapsed this way, the user can just see the name of the inlined function on one node instead of the whole subgraph comprising the inlined function.
[0057] At block 324, the organizer module 124 can accept user input to alter one or more decisions around subgraph equivalence. For example, a user input may be that two or more subgraphs are to be treated as equivalent subgraphs or are not to be treated as equivalent subgraphs. In some embodiments, the organizer module 124 can also visualize updated code and updated equivalent subgraphs. In some examples, a user may decide that one or more equivalent subgraphs are not inlined functions and can indicate this through the user interface. The organizer module 124 can then visualize the updated code and equivalent subgraphs.
[0058] The process flow diagram of Fig. 3 is not intended to indicate that the operations of the method 300 are to be executed in any particular order, or that all of the operations of the method 300 are to be included in every case. For example, block 320 may follow block 318, and block 324 may follow any of blocks 316-322. Further, any number of additional operations can be included within the method 300, depending on the specific application.
[0059] Fig. 4A is an example graph for displaying equivalent blocks. The example graph of Fig. 4A is generally referred to by the reference number 400A. Head node 402 is connected by edges represented as arrows to child nodes 404 and 406. A subgraph within the graph 400A can include nodes 404, 408, 410, and 412. Another subgraph can include nodes 406, 414, 416, and 418.
[0060] In Fig. 4A, the flow of execution of blocks in a given program is displayed as a series of nodes depicted by circles that are graphic representations of the blocks. Head node 402 is connected to child nodes 404 and 406 by edges represented by arrows. The arrows of Fig. 4A indicate the possible flow of execution. In some embodiments, the equivalent subgraphs can be collapsed at their head nodes. For example, the child nodes for detected instances of an equivalent subgraph can be hidden as in the example of Fig. 4B.
[0061] Fig. 4B is an example graph for displaying equivalent subgraphs. The example graph of Fig. 4B is generally referred to by reference number 400B.
[0062] In Fig. 4B, nodes 422 and 424 represent the collapsed forms of equivalent subgraphs {404, 410, 408, 412} and {406, 416, 414, 418} in Fig. 4A, respectively. In some examples, a collapsed node can indicate that a particular subgraph has been detected to be an instance of an inlined function. The subgraph can be replaced by a symbol that is shared by other detected instances of the same inlined function. In some examples, a collapsed node can be expanded to reveal the subgraph that the collapsed node represents. In some examples, collapsed nodes that are similar can be given a similar symbol. In the example of 400B, the symbol used to replace the subgraph of nodes 404, 408, 410, and 412 is a star 422. Another star 424 replaces the subgraph originally composed of nodes 406, 414, 416 and 418. In some examples, different colors can be used in place of symbols. In some embodiments, by selecting the collapsed node, the subgraph that has been collapsed can reappear in its original full form. For example, the star 422 may be selected and the original subgraph with head node 404 of 400A can appear. By hiding the subgraphs of inlined functions, a user may analyze a complex graph more easily.
[0063] Fig. 5 is a block diagram showing a tangible, computer-readable storage medium that can be used to match program sections. The tangible, computer-readable storage media 500 may be accessed by a processor 502 over a computer bus 504. Furthermore, the tangible, computer-readable storage media 500 may include code to direct the processor 502 to perform the current method.
[0064] The various software components discussed herein may be stored on the tangible, computer-readable storage media 500, as indicated in Fig. 5. For example, the tangible computer-readable storage media 500 can include a transformation module 506, a detection module 508, and an organizer module 510. In some embodiments, the transformation module 506 organizes a program into blocks based on control flow. In some examples, the transformation module 506 can transform a program to an intermediate language representation. In some examples, the transformation module 506 can organize the intermediate language representation into blocks based on control flow. The detection module 508 can further calculate a plurality of features for each block. In some embodiments, the detection module 508 can compare the calculated features for each block in the program with other blocks in the program and create a list of equivalent blocks. The organizer module 510 can also transform a program to an intermediate language representation and organize the intermediate language representation into blocks based on control flow. The organizer module 510 can further receive a manual adjustment to a set of features that is to be used for equivalence checks and the detected equivalences. The organizer module 510 can also create a graph with the blocks as nodes and with edges determined from control flow. The detection module 508 can identify equivalent subgraphs starting with a pair of equivalent blocks as head nodes. The detection module 508 can use equivalent blocks to identify the equivalent subgraphs. In some embodiments, the detection module 508 can determine whether the equivalent subgraphs are functions that have been inlined or are to be interpreted as an inlined function. In some embodiments, the detection module 508 can construct a list of equivalent program sections utilizing the list of equivalent blocks. In some embodiments, the organizer module 510 can transform the program into an alternate program based on the detected equivalent program sections. In some embodiments, the organizer module 510 can also load the program based on the graph and equivalent subgraphs into a user interface and visualize the code and equivalent subgraphs. In some embodiments, the organizer module 510 can also accept a user input to alter one or more decisions around subgraph equivalence and visualize updated code and updated equivalent subgraphs. In some examples, the user input can include any form of user gestures or use of an input device.
[0065] It is to be understood that any number of additional software components not shown in Fig. 5 can be included within the tangible, computer-readable storage media 500, depending on the specific application. Although the subject matter has been described in language specific to structural features and/or methods, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific structural features or methods described above. Rather, the specific structural features and methods described above are disclosed as example forms of implementing the claims.

Claims

1. A method for matching program sections, comprising:
organizing a program into blocks based on control flow;
calculating a plurality of features for each block;
comparing the plurality of features for each block with other blocks and creating a list of equivalent blocks;
constructing a list of equivalent program sections utilizing the list of equivalent blocks; and
transforming the program into an alternate program based on the list of equivalent program sections.
2. The method of claim 1, further comprising receiving a manual adjustment to a set of features that is to be used for equivalence checks and the detected equivalences.
3. The method of claim 1, further comprising creating a graph with the blocks as nodes and with edges determined from control flow.
4. The method of claim 3, further comprising identifying equivalent subgraphs in the graph, wherein the equivalent blocks are used to identify the equivalent subgraphs, starting with a pair of equivalent blocks as head nodes.
5. The method of claim 4, further comprising determining whether the equivalent subgraphs are functions that have been inlined or are to be interpreted as an inlined function.
6. The method of claims 1-5, wherein the plurality of features for each block comprises one or more of:
a feature derived from a mapping of each instruction in the block to an instruction type and chaining the instruction types as they appear in the block;
a feature derived from a mapping of each instruction in the block to an instruction type, combining the instruction types that appear in the block such that the combination result is order agnostic;
a feature derived from the frequency of the different instruction types in the block, allowing for partial/fuzzy matching of two blocks;
a feature derived from symbolic execution of the block; and
a feature derived from translating the block into another intermediate representation, and passing it through an optimizer.
7. The method of claims 4-5, further comprising loading a program based on the graph and equivalent subgraphs into a user interface and visualizing the code and equivalent subgraphs.
8. The method of claim 7, further comprising accepting a user input to alter one or more decisions around subgraph equivalence and visualizing an updated code and updated equivalent subgraphs.
9. A system for matching program sections, comprising:
a processor to execute processor executable code; and
a storage device that stores processor executable code, wherein the processor executable code, when executed by the processor, causes the processor to:
organize a program into blocks based on control flow;
calculate a plurality of features for each block;
compare the plurality of features for each block with other blocks and create a list of equivalent blocks;
construct a list of equivalent program sections utilizing the list of equivalent blocks;
create a graph with the blocks as nodes and with edges determined from control flow;
identify equivalent subgraphs in the graph, wherein the equivalent blocks are used to identify the equivalent subgraphs, starting with a pair of equivalent blocks as head nodes;
determine whether the equivalent subgraphs are functions that have been inlined or are to be interpreted as an inlined function; and
transform the program into an alternate program.
10. The system of claim 9, wherein the plurality of features for each block comprises one or more of:
a feature derived from a mapping of each instruction in the block to an instruction type and chaining the instruction types as they appear in the block;
a feature derived from a mapping of each instruction in the block to an instruction type, combining the instruction types that appear in the block such that the combination result is order agnostic;
a feature derived from the frequency of the different instruction types in the block, allowing for partial/fuzzy matching of two blocks;
a feature derived from symbolic execution of the block; and
a feature derived from translating the block into another intermediate representation, and passing it through an optimizer.
11. The system of claim 10, wherein the processor executable code, when executed by the processor, causes the processor to load a program based on the graph and equivalent subgraphs into a user interface and visualize the code and equivalent subgraphs.
12. The system of claim 11, wherein the processor executable code, when executed by the processor, causes the processor to accept a user input to alter one or more decisions around subgraph equivalence and visualize an updated code and updated equivalent subgraphs.
13. One or more computer-readable storage media that match program sections, comprising a plurality of instructions that, when executed by a processor, cause the processor to:
transform a program to an intermediate language representation;
organize the intermediate language representation into blocks based on control flow;
calculate a plurality of features for each block;
compare the plurality of features for each block with other blocks and create a list of equivalent blocks;
construct a list of equivalent program sections utilizing the list of equivalent blocks; and
transform the program into an alternate program based on the list of equivalent blocks.
14. The one or more computer-readable storage media of claim 13, further comprising a plurality of instructions that, when executed by a processor, cause the processor to receive a manual adjustment to a set of features that is to be used for equivalence checks and the detected equivalences.
15. The one or more computer-readable storage media of claim 13, further comprising a plurality of instructions that, when executed by a processor, cause the processor to create a graph with the blocks as nodes and with edges determined from control flow.
PCT/US2015/028106 2014-05-02 2015-04-29 Matching program sections through feature extraction WO2015168192A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US14/268,248 US9378001B2 (en) 2014-05-02 2014-05-02 Matching program sections through feature extraction
US14/268,248 2014-05-02

Publications (1)

Publication Number Publication Date
WO2015168192A1 true WO2015168192A1 (en) 2015-11-05

Family

ID=53189182

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2015/028106 WO2015168192A1 (en) 2014-05-02 2015-04-29 Matching program sections through feature extraction

Country Status (2)

Country Link
US (1) US9378001B2 (en)
WO (1) WO2015168192A1 (en)


Also Published As

Publication number Publication date
US20150317138A1 (en) 2015-11-05
US9378001B2 (en) 2016-06-28
