基于源代码分析的逆向建模

逆向建模通过对源代码进行分析,提取出代码中的对象信息、结构信息、流程信息等,生成对象间的关系描述、结构描述、系统流程描述等设计模型描述。逆向建模过程中对源代码的分析处理与编译过程的前端处理相似,只是处理的复杂程度与产生的目标结果不同,因此可以采用编译技术对源代码进行处理。通过逆向建模可以弥补软件设计中缺少或缺失的模型设计文档,帮助代码阅读者更好地理解程序,帮助软件的测试和优化。介绍了对C/C++源代码进行逆向建模的实现。     

基于特征值的模板化库函数识别

逆编译是编译的逆过程,目的是将可执行的二进制机器代码变换为功能等价的高级语言代码,它在监控恶意代码,挖掘软件漏洞的工作中起着重要的作用。而在面向对象语言的逆编译过程中,模板化库函数识别的难度和复杂性非常大。通过分析现有的C++库函数识别方法,针对库函数模板识别中特征值冲突的关键问题,提出一种改进的特征值构造方法,它能够更完整的保存库函数信息,降低特征值冲突出现的概率,并通过识别部分C++标准模板库函数验证了该算法。     

一种IA-64下的反软件流水算法

软件流水是一种循环程序的优化技术,它可以有效地提高指令级并行性。由于处理机的实现方法各不相同,在一种处理机上经过软件流水优化后的循环代码很难在其它处理机中移植和使用。反软件流水是软件流水的逆向操作,它可以消除循环代码中的软件流水特性,以便于代码在不同平台上的移植。基于IA-64体系结构,分析了软件流水的代码特点,提出了反流水算法,用于将ICC编译器编译后的可执行二进制代码消除软件流水特性,转换成语义等价的C代码。     

二进制代码中函数混淆调用的识别

函数调用相关信息识别是二进制代码静态分析的基础,也是恶意代码分析的重要线索。二进制代码混淆技术通过对函数调用指令call、参数传递过程和调用返回过程的混淆来隐藏代码中函数的信息。这大大增加了程序逆向分析的难度,此技术被广泛应用在变形和多态病毒中,使其逃脱杀毒软件的查杀。论文给出了一种静态分析方法,引入了抽象栈图的概念,给出了其构造算法,利用它能够有效识别出代码中对函数调用的混淆。     

基于IDA-Pro的软件逆向分析方法

二进制程序转换作为软件逆向分析的主要手段发挥着积极作用。该文给出一种程序转换方法,应用软件二进制程序经IDA Pro反汇编得汇编语言程序,依据下推自动机原理设计汇编文法识别该汇编文件、制定相应的转换规则和优化措施将汇编语言转换成中间语言。转换所得中间语言可读性较强,具有通用性且易于理解。该方法达到了较高的自动化程度,缩小了目标程序的代码量,其应用可有效地减少软件分析和调试人员在追踪代码时所需的时间和工作量。给出应用上述方法进行程序转换的实例。     

反编译器中针对不同编译器的过程识别技术

过程识别技术及相关参数的提取是二进制翻译中过程调用恢复的基础.为较好实现对过程的识别,首先设计了针对GCC编译的ELF(executable and linkable format)文件的过程识别技术,取得了良好的效果.不过随着研究的深入,要求对C编译器和ICC(Intel C compiler)编译器同时具有良好的支持,但在测试中发现这种识别技术在处理ICC编译的ELF程序指令流时存在的一些问题,为此提出了改进算法,这个算法已经在IA-64-Alpha反编译中实现,从而使系统对C编译器和ICC编译器编译的ELF文件都能进行正确的过程识别和参数提取.     

静态二进制翻译中回调函数逆向恢复技术研究

回调函数的逆向恢复是静态二进制翻译的一个难点。针对使用C后端的静态二进制翻译框架,提出并实现回调函数逆向恢复方法,该方法结合代码间隙分析,在后端C代码生成过程中插入映射源回调函数地址到目标机函数地址的代码。相对于使用解释器的方法,该方法具有实现简洁,在目标机上运行速度更快的优点。     

IA-64过程调用的逆向恢复技术

本文给出了对于IA-64体系结构可执行程序逆向恢复中过程识别和抽象的技术实现方法。采用自动机理论与模板匹配相结合的方法解决IA-64体系结构模板中不确定指令的识别问题。实现了基于数据流分析对过程调用的参数和返回值进行恢复的算法。有效地完成了过程调用的二进制代码向与硬件无关中间语言代码转换的恢复工作。     

基于源代码静态分析的C++0x泛型概念抽取

使用泛型概念对领域知识进行抽象是泛型程序设计方法的基础.在新的C++0x标准中泛型概念将成为一个新的语言设施,这将为设计可复用、可扩展的泛型软件提供坚实的基础.为了更好地利用C++0x的新特性,有必要识别C++遗产代码中的泛型概念,并通过重构得到符合C++0x标准的代码.文中提出了一种基于代码静态分析的泛型概念自动识别方法,通过对泛型程序中类型参数的使用分析,从遗产代码中提取有效表达式约束和关联类型约束,进而推导出泛型概念.将该方法应用于C++标准模板库STL,可以识别出STL算法中绝大部分潜在的泛型概念,表明该方法有助于识别遗产代码中的泛型概念.     

一种C++程序的分层切片方法

该文介绍了一种C++程序的分层切片方法。通过构造系统程序层依赖图、类层依赖图、方法层依赖图和语句层依赖图,对C++程序进行分层切片,有效地表示了C++中的单重继承、多重继承、多态和动态绑定,该方法比其它C++切片技术更清晰地描述了C++程序中类之间的各种关系和消息传递机制。     

Recovering UML class models from C++: A detailed explanation

An approach to recovering design-level UML class models from C++ source code to support program comprehension is presented. A set of mappings are given that focus on accurately identifying such elements as relationship types, multiplicities, and aggregation semantics. These mappings are based on domain knowledge of the C++ language and common programming conventions and idioms. Additionally, formal concept analysis is used to detect design-level attributes of UML classes. An application implementing these mappings is used to reverse engineer a moderately sized, open-source application and the resultant class model is compared against those produced by other UML reverse engineering tools. This comparison shows that the presented mapping rules effectively produce meaningful and semantically accurate UML models.     

A Domain-Specific Language for Generating Dataflow Analyzers

Dataflow analysis is a well-understood and very powerful technique for analyzing programs as part of the compilation process. Virtually all compilers use some sort of dataflow analysis as part of their optimization phase. However, despite being well-understood theoretically, such analyses are often difficult to code, making it difficult to quickly experiment with variants.To address this, we developed a domain-specific language, Analyzer Generator (AG), that synthesizes dataflow analysis phases for Microsoft's Phoenix compiler framework. AG hides the fussy details needed to make analyses modular, yet generates code that is as efficient as the hand-coded equivalent. One key construct we introduce allows IR object classes to be extended without recompiling.Experimental results on three analyses show that AG code can be one-tenth the size of the equivalent handwritten C++ code with no loss of performance. It is our hope that AG will make developing new dataflow analyses much easier.     

Analysis of entities in C and C++ programs and relations between them for program understanding

A tool for the static analysis of programs that can detect entities in C and C++ programs, their metrics, and relations between them is considered. The program entities are files, functions, classes, methods, etc., and relations are calls, inheritance, read/write operations of global variables, file inclusion, and aggregation. Methods for the development of such a tool based on the open compiler infrastructure LLVM [1], including the necessary modifications in the Clang compiler [2], and the developed analyzer are described. Results of the tool testing on the Android code are presented.     

Signatures: A language extension for improving type abstraction and subtype polymorphism in C++

C++ uses inheritance as a substitute for subtype polymorphism. We give examples where this makes the type system too inflexible. We then describe a conservative language extension that allows a programmer to define an abstract type hierarchy independent of any implementation hierarchies, to retroactively abstract over an implementation, and to decouple subtyping from inheritance. This extension gives the user more of the flexibility of dynamic typing while retaining the efficiency and security of static typing. With default implementations and views flexible mechanisms are provided for implementing an abstract type by different concrete class types. We first show how the language extension can be implemented in a preprocessor to a C++ compiler, and then detail and analyse the efficiency of an implementation we directly incorporated in the GNU C++ compiler.     

Java Native Interface idioms for C++ class hierarchies

The Java^TM Native Interface (JNI) provides a set of mechanisms for implementing Java methods in C or C++. JNI is useful for reusing C and C++ code repositories within Java frameworks. JNI is also useful for real‐time systems, where compiled C/C++ code executes performance‐critical tasks, while Java code executes system control and feature tasks. Available JNI literature concentrates on creating Java proxy classes that allow Java clients to interact with C++ classes. Current JNI literature does not discuss Java proxies for entire C++ inheritance hierarchies; that is the topic of this paper. Our experience in reusing C++ class hierarchies within a Java framework has uncovered a set of useful techniques for constructing Java proxy class hierarchies that mirror their C++ counterparts. This report gives both high level design guidelines and specific programming idioms for constructing Java class hierarchies that serve as proxies for C++ counterparts. We begin by discussing opportunities for reuse within a proxy class hierarchy, as well as problems caused by differences between the Java and C++ approaches to inheritance. The two most significant differences are due to C++ support for invocation of a member function based on the static type of its class, and C++ support for multiple implementation inheritance. Two example C++ class hierarchies provide the basis for a set of sections that present the design guidelines and that codify the programming idioms. This work could serve as the basis for an automatic generator of Java proxy class hierarchies. Copyright © 2000 John Wiley & Sons, Ltd.     

Quantifying and evaluating the space overhead for alternative C++ memory layouts

This paper develops a formalism that precisely characterizes when class tables are required for C++ memory layouts. A memory layout is a particular choice of data structures for implementing run‐time support for object‐oriented languages. We use this formalism to quantify and evaluate, on a set of benchmarks, the space overhead for a set of C++ memory layouts. In particular, this paper studies the space overhead due to three language features: virtual dispatch, virtual inheritance, and dynamic typing. To date, there has been no scientific quantification or evaluation of C++ memory layouts. Our approach can help C++ implementors. This work has already influenced the memory layout design choices in IBM's Visual Age C++ V5 compiler. Applying our approach to a set of five benchmarks, we demonstrate that the impact of object‐oriented space overhead can vary dramatically between applications (ranging from 0.42% to 99.79% for our benchmarks). In particular, applications whose object space is dominated by instances of classes that heavily use object‐oriented language features will be significantly impacted by the choice of a memory layout. Copyright © 2003 John Wiley & Sons, Ltd.     

Capsules: a shared memory access mechanism for Concurrent C/C++

Concurrent C/C++ is a superset of C and C++ that provides parallel programming facilities based on message passing. Upon porting Concurrent C/C++to a shared memory multiprocessor, the authors believed it would be appropriate to supplement Concurrent C/C++ with explicit facilities for synchronizing accesses to shared data structures. The capsule, which is a shared memory access mechanism designed especially for Concurrent C/C++ to match the C++data abstraction facility called the class, is discussed. Capsules are like monitors but they have significant advantages. Capsules satisfy T. Bloom's (1979) criteria for expressiveness of synchronization conditions, support inheritance, allow operations to execute in parallel, and permit them to time out. The design of capsules is reviewed. The author evaluates existing shared memory mechanisms, describes capsules, gives examples of capsules, compares capsules with monitors, and discusses how capsules are implemented by the Concurrent C compiler     

Making C++ objects persistent: The hidden pointers

C++ objects of types that have virtual functions or virtual base classes contain volatile (‘memory’) pointers. We call such pointers ‘hidden pointers’ because they were not specified by the user. If such C++ objects are made persistent, then these pointers become invalid across program invocations. We encountered this problem in our implementation of O++, which is a database language based on C++. O++ extends C++ with the ability to create and access persistent objects. In this paper, we describe the hidden pointers problem in detail and present several solutions to it. Our solutions are elegant in that they do not require modifying the C++ compiler or the semantics of C++. We also discuss another problem that arises because C++ allows base class pointers to point to derived class objects. C++ has emerged as the de facto standard language for software development, and database systems based on C++ have attracted much attention. We hope that the details and techniques presented will be useful to database researchers and to implementors of object-oriented database systems based on C++.