Constant Parameterized Binary Function Identification

Supervisor(s): Julian Kirsch
Status: finished
Topic: Reverse Engineering, Binary Exploitation
Author: Leonhard Kurthen
Submission: 2019-03-15
Type of Thesis: Bachelor's thesis

Description

Static binary analysis is a broad area that is constantly seeking new methods to reliably recognize and identify functions in unknown disassembled binaries. This thesis presents a new compiler-independent way of identifying functions in stripped binary code. It uses a form of abstract interpretation to extract constant parameters from the code. The extracted values are compared to the constants of a given ground truth or of another stripped binary. If a function has a sufficiently large number of constant parameters from different calls, it can be identified by them. Given such a function, it is furthermore possible to match the individual caller functions and derive even more function identifications from them. The proposed identification method was mainly tested on an OpenSSL application that was compiled for various platforms to demonstrate compiler independence. In these tests, the presented identification method reached an average precision of 90% when function inlining was deactivated. With function inlining activated, an average precision of 76% was achieved. The results still indicate that the first identification step of this method is unaffected by compiler function inlining; for the constant-parameterized functions, an average precision of 96% was achieved.
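The two identification steps described above (callee first, then its callers), sketched as an added example that is not code from the thesis. The call-site tuples, the function names, the Jaccard score and both thresholds are assumptions made for illustration; the abstract-interpretation step that extracts the constants is assumed to have run already, with `None` marking a non-constant argument.

```python
from collections import defaultdict

# Constructed call sites: (caller, callee, arguments), None = not a constant.
REFERENCE = [  # ground truth with symbols (hypothetical names)
    ("setup", "cipher_ctrl", (None, 0x09, 12)),
    ("seal", "cipher_ctrl", (None, 0x10, 16)),
    ("open_", "cipher_ctrl", (None, 0x11, 16)),
    ("setup", "log_msg", (2, None)),
    ("seal", "mem_copy", (None, None, 16)),
]
STRIPPED = [  # same program, other compiler, no symbols
    ("sub_401000", "sub_402000", (None, 0x09, 12)),
    ("sub_401100", "sub_402000", (None, 0x10, 16)),
    ("sub_401200", "sub_402000", (None, 0x11, 16)),
    ("sub_401000", "sub_403000", (2, None)),
    ("sub_401100", "sub_404000", (None, None, 16)),
]

def signatures(calls):
    """Map callee -> set of (argument index, constant) over all call sites."""
    sigs = defaultdict(set)
    for _caller, callee, args in calls:
        sigs[callee].update((i, v) for i, v in enumerate(args) if v is not None)
    return sigs

def match_callees(ref_calls, unk_calls, min_consts=3, min_score=0.6):
    """Step 1: identify callees that carry enough constants (min_consts >= 1)."""
    ref, unk = signatures(ref_calls), signatures(unk_calls)
    matches = {}
    for name, usig in unk.items():
        if len(usig) < min_consts:
            continue  # too few constants to be distinctive
        scored = sorted(((len(usig & rsig) / len(usig | rsig), r)
                         for r, rsig in ref.items()), reverse=True)
        unique = len(scored) == 1 or scored[1][0] < scored[0][0]
        if scored and scored[0][0] >= min_score and unique:
            matches[name] = scored[0][1]
    return matches

def match_callers(ref_calls, unk_calls, callee_matches):
    """Step 2: match callers through call sites of an identified callee."""
    by_site = defaultdict(set)
    for caller, callee, args in ref_calls:
        by_site[(callee, args)].add(caller)
    found = defaultdict(set)
    for caller, callee, args in unk_calls:
        found[caller] |= by_site.get((callee_matches.get(callee), args), set())
    # Keep only callers with exactly one candidate name.
    return {c: next(iter(n)) for c, n in found.items() if len(n) == 1}
```

Functions with too few constants (`sub_403000`, `sub_404000` in the constructed data) stay unidentified rather than being guessed.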