https://github.com/softsec-kaist/meandiff

Testing Intermediate Representations for Binary Analysis (ASE '17)
binary-analysis differential-testing fsharp semantic-bugs symbolic-execution

# MeanDiff

Details about the system are described on the
[MeanDiff project page](https://softsec-kaist.github.io/MeanDiff/).

## Table of Contents

* [Installation](#installation)
* [Usage](#usage)
* [Testing additional lifters](#testing-additional-lifters)
* [UIR](#uir)
* [Abstract Syntax](#abstract-syntax)
* [Semantics](#semantics)
* [Writing translator for UIR](#writing-translator-for-uir)
* [Adding translator to MeanDiff](#adding-translator-to-meandiff)
* [Citing MeanDiff](#citing-meandiff)
* [License](#license)
* [Acknowledgement](#acknowledgement)

## Installation

As MeanDiff has several external dependencies (the lifters and external
libraries), the whole build system is containerized with Docker.

All Docker images (one per lifter, etc.) are based on the `BaseImage` (T.B.D.
link), which uses `ubuntu:16.10`.

### Building

Start by building the submodules. This can take some time, as the Docker images
need to be downloaded and built.

```
make init
make lifters
make external
```

Now MeanDiff can be built either:
* A. Inside the Docker container
* B. In your native environment

For option B, you can find the dependencies in the respective `Dockerfile`s.

The resulting binaries are found in the `build` directory.

#### A.
To build and set up the Docker environment:

```
./build_image.sh
./build_src.sh
```

#### B.
If you want to run MeanDiff outside Docker, just type `make`.

## Usage

T.B.D.

To log into the Docker container for MeanDiff, tagged `build_meandiff`:

```
docker run -v $(pwd):/src -ti build_meandiff:latest
```

## Testing additional lifters

### UIR

UIR stands for `Unified Intermediate Representation`. UIR is used to unify
every BBIR into a single form. UIR is a simple but Turing-complete language,
and it is designed to be explicit and self-contained.

#### Abstract Syntax

```
::= BE | LE

::= NEG | NOT

::= ADD | SUB | UMUL | SMUL | UDIV | SDIV | UMOD | SMOD | SHL | USHR
| SSHR | AND | OR | XOR | CONCAT

::= EQ | NEQ | ULT | SLT | ULE | SLE

::= LOW | HIGH | ZERO | SIGN

::= | | []: |
| |
| -> : | If | Undefined

::= Start | :=
| [] := | | If
| End | Unrecognized

::= :: | []

::= | |
```

#### Semantics

Here, only non-trivial semantics of UIR are shown.

Primitive types: ``, ``, ``, ``

``:
- `[]:`: Load a value of size `` from ``.
- ` -> :`: Enlarge or shorten `` of size `` by
referencing ``.
- `If `: If-Then-Else expression. `` and
`` must have the same type.

``:
- `Start `: Indicates information about the instruction
and the system. The target instruction is placed at `` with length
``, and has the endianness of ``.
- `[] := `: Stores `` into the memory pointed to by ``.
- `End `: Indicates the end of the control flow of the IR statements. ``
represents the address of the next instruction.

### Writing translator for UIR

There are some rules for a translator from your IR to our UIR.
- Register names must be in lower case.
- For each expression and statement, we have a simple type system. See
`src/MeanDiff/Type.fs`.
- The first item in `` must be `Start`.
- `End` must be placed at the end of the instruction semantics.
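A worked illustration of the UIR semantics and translator rules above, added here as an example rather than MeanDiff's own code: it evaluates the statement and expression forms the README lists, enforces the Start/End and lower-case rules, and makes the kind of two-lifter comparison MeanDiff performs per instruction. The tuple encoding of UIR, the function names and the 8/16-bit sample are assumptions of this example, not the project's format.

```python
# Added example, not MeanDiff's own code: evaluates the UIR forms the README
# lists (Start/assignment/End; BinOp, RelOp, Cast, If), checks the translator
# rules, and makes the two-lifter comparison MeanDiff performs per instruction.
# The tuple encoding and the 8/16-bit sample are assumptions of this example.

def signed(v, n):             # read an n-bit value as two's complement
    v &= (1 << n) - 1
    return v - (1 << n) if v >> (n - 1) else v

def cast(kind, v, src, dst):  # Cast: LOW/HIGH shorten, ZERO/SIGN enlarge
    if kind == "LOW":  return v & ((1 << dst) - 1)
    if kind == "HIGH": return (v >> (src - dst)) & ((1 << dst) - 1)
    if kind == "ZERO": return v & ((1 << src) - 1)
    if kind == "SIGN": return signed(v, src) & ((1 << dst) - 1)
    raise ValueError(kind)

def ev(e, regs):              # ("num", v) ("reg", name) ("cast", kind, e, src, dst) ...
    tag = e[0]
    if tag == "num": return e[1]
    if tag == "reg": return regs[e[1]]
    if tag == "cast": return cast(e[1], ev(e[2], regs), e[3], e[4])
    if tag == "if": return ev(e[2] if ev(e[1], regs) else e[3], regs)
    if tag in ("bin", "rel"): # (tag, op, lhs, rhs, width); bin masks to width
        a, b, n = ev(e[2], regs), ev(e[3], regs), e[4]
        if tag == "bin":
            return {"ADD": a + b, "SUB": a - b, "AND": a & b, "XOR": a ^ b}[e[1]] & ((1 << n) - 1)
        return int({"EQ": a == b, "ULT": a < b, "SLT": signed(a, n) < signed(b, n)}[e[1]])
    raise ValueError(tag)

def check_rules(stmts):       # README rules: Start first, End last, lower-case regs
    if stmts[0][0] != "Start" or stmts[-1][0] != "End":
        raise ValueError("Start must be first and End last")
    for s in stmts:
        if s[0] == "assign" and s[1] != s[1].lower():
            raise ValueError("register names must be lower case: " + s[1])

def run(stmts, regs):         # register state after one instruction's UIR
    check_rules(stmts)
    regs = dict(regs)
    for s in stmts:
        if s[0] == "assign": regs[s[1]] = ev(s[2], regs)
        elif s[0] == "End": regs["pc"] = ev(s[1], regs)
    return regs

def semantic_diff(ir_a, ir_b, regs):  # do two lifters disagree on this input?
    return run(ir_a, regs) != run(ir_b, regs)

# Constructed: two lifters' UIR for "sign-extend al into ax"; B zero-extends instead.
START = ("Start", 0x1000, 2, "LE")
LIFT_A = [START, ("assign", "ax", ("cast", "SIGN", ("reg", "al"), 8, 16)), ("End", ("num", 0x1002))]
LIFT_B = [START, ("assign", "ax", ("cast", "ZERO", ("reg", "al"), 8, 16)), ("End", ("num", 0x1002))]
```

The two lifters agree for inputs with the sign bit clear and diverge once it is set, which is exactly the kind of input-dependent semantic difference the differential test is meant to surface.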

### Adding translator to MeanDiff

In order to add your translator to MeanDiff, you need to manually modify
`src/MeanDiff/Report.fs` appropriately.

## Citing MeanDiff

To cite our paper:

```
@INPROCEEDINGS{kim:ase2017,
  author    = {Soomin Kim and Markus Faerevaag and Minkyu Jung and SeungIl Jung and DongYeop Oh and JongHyup Lee and Sang Kil Cha},
  title     = {Testing Intermediate Representations for Binary Analysis},
  booktitle = {Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering},
  year      = {2017},
  pages     = {353--364}
}
```

## License

This project is licensed under the [MIT License](LICENSE.md).

## Acknowledgement

This work was supported by an Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIT).