Asm


Q & A

  • Can assembly language be compiled (lifted) to LLVM IR so that it can be analysed?

Assembly to LLVM IR

llvm-mctoll

remill

libqemu

llvm-qemu

  • llvm-mctoll
  • Reference: https://github.com/microsoft/llvm-mctoll (Microsoft's static binary "raiser": translates x86-64 and Arm ELF binaries into LLVM IR)

  • Remill
  • Reference: how to add new instructions to Remill: https://github.com/lifting-bits/remill/blob/master/docs/ADD_AN_INSTRUCTION.md
    SEM: the semantics function of an instruction (what it does to the machine state).
    ISEL: an instruction "selection": the mapping from a decoded instruction form to the SEM that implements it.
    XED: Intel's X86 Encoder Decoder library, which Remill uses to decode x86 instructions before lifting them.
    Implementation of lifting an instruction into a basic block: https://github.com/lifting-bits/remill/blob/master/remill/BC/Lifter.h
    The standalone lift tool: https://github.com/lifting-bits/remill/tree/master/tools/lift/Lift.cpp

  • McSema
  • Thesis: https://is.muni.cz/th/pxe1j/thesis.pdf
    McSema uses Remill to lift x86/amd64/aarch64 instructions to LLVM bitcode. It is the only option here that separates control-flow recovery from translation, which permits the use of custom control-flow recovery front-ends. Based on LLVM 3.5 (in 2014-2016) and LLVM 3.8 (in 2017).
    Modules: mcsema-disass disassembles binaries (relies on IDA Pro as its disassembly engine); mcsema-lift converts the disassembly into LLVM bitcode.
    Adding new instructions: run mcsema-lift --list-supported first to see which instructions are already supported.

  • S2E
  • S2E is built upon the KLEE symbolic execution engine and the QEMU virtual machine.
    Good: works at any level of the stack (applications, libraries, kernel drivers, device firmware); generates test cases that prove the existence of a vulnerability; supports Windows and Linux: execution tracing, code coverage, profiling; explores thousands of paths automatically.
    Modular/extensible: use its multi-path analysis (symbolic execution), or use it as a single-path instrumentation platform.
    Can be used without the overhead of a modified VM: S2E exposes a KVM-compatible interface, so a stock QEMU can drive it as if it were a hardware-accelerated guest.

  • RevGen
  • Paper: Enabling Sophisticated Analyses of x86 Binaries with RevGen. Document: RevGen.
    Pipeline: disassemble the binary using IDA Pro; recover the control flow graph (CFG) using McSema; translate each basic block in the CFG into a chunk of LLVM bitcode using QEMU's translator; stitch the translated basic blocks together into LLVM functions.
    Note: uses an old version of McSema (from 2016, not the latest McSema2); the binary must be statically linked; calling conventions are not parsed for dynamic calls; only x86?
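To make the SEM/ISEL split from the Remill notes concrete, here is a toy lifter written for this page (an added example, not code from Remill, McSema or any of the tools above). It assumes a constructed four-register State struct, takes textual "mnemonic dst, src" lines in place of XED-decoded bytes, ignores flags, and emits typed-pointer IR syntax (accepted by llvm-as from LLVM 3.7 through 14) so the output can be checked with a real assembler. All function and register names are hypothetical.

```python
"""Toy x86 -> LLVM IR lifter in the Remill style (added example, not Remill's code).

Constructed assumptions: a four-register State struct, textual 'mnemonic dst, src'
input standing in for XED-decoded bytes, no flags, typed-pointer IR syntax.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# The machine state that Remill-style lifters thread through every SEM call.
# Index in this tuple == field index in the %State struct emitted below.
REGS = ("eax", "ebx", "ecx", "edx")


@dataclass
class Insn:
    mnemonic: str
    dst: str
    src: str


def decode(text: str) -> Insn:
    """Stand-in for XED: turn 'add eax, ebx' into an Insn. Only two-operand forms."""
    mnemonic, _, operands = text.strip().partition(" ")
    parts = [p.strip().lower() for p in operands.split(",")]
    if len(parts) != 2:
        raise ValueError(f"expected 'mnemonic dst, src', got {text!r}")
    return Insn(mnemonic.lower(), parts[0], parts[1])


class Lifter:
    """Emits LLVM IR for one basic block; every register access goes via %State."""

    def __init__(self) -> None:
        self.body: List[str] = []
        self.ntemps = 0

    def fresh(self) -> str:
        self.ntemps += 1
        return f"%t{self.ntemps}"

    def read(self, operand: str) -> str:
        """Materialise an operand as an i32 SSA value (register load or immediate)."""
        if operand in REGS:
            t = self.fresh()
            self.body.append(f"  {t} = load i32, i32* %{operand}.ptr")
            return t
        return str(int(operand, 0))  # decimal or 0x.. immediate

    def write(self, reg: str, value: str) -> None:
        if reg not in REGS:
            raise ValueError(f"cannot write to {reg!r}")
        self.body.append(f"  store i32 {value}, i32* %{reg}.ptr")


# SEM: the semantics of an instruction, written against the State abstraction.
Sem = Callable[[Lifter, Insn], None]


def sem_mov(l: Lifter, i: Insn) -> None:
    l.write(i.dst, l.read(i.src))


def sem_binop(llvm_op: str) -> Sem:
    """Build a SEM for dst = dst <op> src (flags deliberately not modelled)."""
    def sem(l: Lifter, i: Insn) -> None:
        lhs, rhs = l.read(i.dst), l.read(i.src)
        t = l.fresh()
        l.body.append(f"  {t} = {llvm_op} i32 {lhs}, {rhs}")
        l.write(i.dst, t)
    return sem


# ISEL: instruction selection, mapping a decoded form to its SEM. Adding an
# instruction means adding one entry here plus (if new) its SEM above.
ISEL: Dict[str, Sem] = {
    "mov": sem_mov,
    "add": sem_binop("add"),
    "sub": sem_binop("sub"),
    "xor": sem_binop("xor"),
}


def lift_block(asm: List[str], name: str = "lifted") -> str:
    """Lift a straight-line block of assembly text into one LLVM function."""
    lifter = Lifter()
    for line in asm:
        insn = decode(line)
        sem = ISEL.get(insn.mnemonic)
        if sem is None:  # the gap that "add an instruction" docs exist to fill
            raise NotImplementedError(f"no ISEL/SEM for {insn.mnemonic!r}")
        lifter.body.append(f"  ; {line.strip()}")
        sem(lifter, insn)

    header = [
        "%State = type { " + ", ".join("i32" for _ in REGS) + " }",
        f"define void @{name}(%State* %state) {{",
        "entry:",
    ]
    gep = [
        f"  %{r}.ptr = getelementptr %State, %State* %state, i32 0, i32 {k}"
        for k, r in enumerate(REGS)
    ]
    return "\n".join(header + gep + lifter.body + ["  ret void", "}"]) + "\n"


if __name__ == "__main__":
    print(lift_block(["mov eax, 0x10", "add eax, ebx", "xor ecx, ecx"]))
```

The point to notice is that no instruction touches a real register: every SEM reads and writes fields of the State pointer, which is what lets the lifted code be fed to ordinary LLVM analyses and optimisations. Feeding an unsupported mnemonic (say imul) raises NotImplementedError, which is the situation the Remill "add an instruction" document describes: write its SEM, then register it in ISEL.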

Created Nov 7, 2019 // Last Updated Nov 24, 2019
