网络与信息安全学报 ›› 2020, Vol. 6 ›› Issue (4): 95-103.doi: 10.11959/j.issn.2096-109x.2020047

• 学术论文 • 上一篇    

PPC和MIPS指令集下二进制代码中函数参数个数的识别方法

尹小康,刘鎏,刘龙,刘胜利()   

  1. 数学工程与先进计算国家重点实验室,河南 郑州 450001
  • 修回日期:2019-10-13 出版日期:2020-08-01 发布日期:2020-08-13
  • 作者简介:尹小康(1994- ),男,河南周口人,数学工程与先进计算国家重点实验室博士生,主要研究方向为网络空间安全和逆向工程|刘鎏(1998- ),女,安徽合肥人,主要研究方向为网络空间安全|刘龙(1983- ),男,河南尉氏人,数学工程与先进计算国家重点实验室副教授,主要研究方向为网络空间安全和机器学习|刘胜利(1973- ),男,河南周口人,博士,数学工程与先进计算国家重点实验室教授,主要研究方向为网络空间安全
  • 基金资助:
    国家重点研发计划基金(2016YFB0801505);科技委基础加强项目(2019-JCJQ-ZD-113)

Function argument number identification in stripped binary under PPC and MIPS instruction set

Xiaokang YIN,Liu LIU,Long LIU,Shengli LIU()   

  1. State Key Laboratory of Mathematical Engineering and Advanced Computing,Zhengzhou 450001,China
  • Revised:2019-10-13 Online:2020-08-01 Published:2020-08-13
  • Supported by:
    The National Key R&D Program of China(2016YFB0801505);Science & Technology Commission Foundation Strengthening Project(2019-JCJQ-ZD-113)

摘要:

函数参数个数的识别有助于函数原型的恢复,是进行数据流分析以及其他安全分析的基础。为了提高对函数参数个数识别的准确率,提出一种依据函数调用关系的投票机制来确定函数参数个数的算法——Findargs。Findargs从PPC和MIPS指令集的函数调用特点出发,利用函数调用关系和参数传递分析,识别函数参数的个数,为函数原型的恢复提供帮助。为了评估Findargs的识别效果,选取大型的二进制文件进行了测试,并与radare2进行了对比。实验结果表明,Findargs具有更高的准确率。对于PPC指令集,其准确率达到90.3%;对于MIPS指令集,其准确率为86%。

关键词: 静态分析, 函数调用分析, 参数个数识别, 投票机制

Abstract:

The identification of the number of function argument contributes to the recovery of the function prototype and is the basis for data flow analysis and other security analysis.In order to improve the accuracy of the recognition of the number of function parameters,an algorithm (Findargs) which determines the number of parameters of the function according to the voting mechanism of the function call relationship was proposed.Findargs starts from the function call characteristics of PPC and MIPS instruction set,and uses function call relationship combined with argument pass analysis to identify the number of function arguments,which can help to recover function prototype.In order to evaluate the recognition effect of Findargs,a large binary file was selected and tested it with radare2.The experiments results show that Findargs has higher accuracy,and the accuracy rate for PPC instruction set reaches 90.3%.For MIPS instruction set,the accuracy rate is 86%.

Key words: static analysis, function call resolve, argument number identification, voting mechanism

中图分类号: 

No Suggested Reading articles found!