An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries
Dennis Andriesse, Xi Chen, and Victor van der Veen, Vrije Universiteit Amsterdam; Asia Slowinska, Lastline, Inc.; Herbert Bos, Vrije Universiteit Amsterdam
It is well-known that static disassembly is an unsolved problem, but how much of a problem is it in real software— for instance, for binary protection schemes? This work studies the accuracy of nine state-of-the-art disassemblers on 981 real-world compiler-generated binaries with a wide variety of properties. In contrast, prior work focuses on isolated corner cases; we show that this has led to a widespread and overly pessimistic view on the prevalence of complex constructs like inline data and overlapping code, leading reviewers and researchers to underestimate the potential of binary-based research. On the other hand, some constructs, such as function boundaries, are much harder to recover accurately than is reflected in the literature, which rarely discusses much needed error handling for these primitives. We study 30 papers recently published in six major security venues, and reveal a mismatch between expectations in the literature, and the actual capabilities of modern disassemblers. Our findings help improve future research by eliminating this mismatch.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Dennis Andriesse and Xi Chen and Victor van der Veen and Asia Slowinska and Herbert Bos},
title = {An {In-Depth} Analysis of Disassembly on {Full-Scale} x86/x64 Binaries},
booktitle = {25th USENIX Security Symposium (USENIX Security 16)},
year = {2016},
isbn = {978-1-931971-32-4},
address = {Austin, TX},
pages = {583--600},
url = {https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/andriesse},
publisher = {USENIX Association},
month = aug
}
connect with us