Disassembly as Weighted Interval Scheduling with Learned Weights

Disassembly is the first step of a variety of binary analysis and transformation techniques, such as reverse engineering, or binary rewriting. Recent disassembly approaches consist of three phases: an exploration phase, that overapproximates the binary's code; an analysis phase, that assigns we...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:Proceedings - IEEE Symposium on Security and Privacy S. 3033 - 3050
Hauptverfasser: Flores-Montoya, Antonio, Lim, Junghee, Seitz, Adam, Sood, Akshay, Raff, Edward, Holt, James
Format: Tagungsbericht
Sprache:Englisch
Veröffentlicht: IEEE 12.05.2025
Schlagworte:
Accuracy
Benchmark testing
binary analysis
Binary codes
disassembly
Heuristic algorithms
Inference algorithms
learning
Measurement
Privacy
Reverse engineering
Scheduling
Security
ISSN:2375-1207
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:Disassembly is the first step of a variety of binary analysis and transformation techniques, such as reverse engineering, or binary rewriting. Recent disassembly approaches consist of three phases: an exploration phase, that overapproximates the binary's code; an analysis phase, that assigns weights to candidate instructions or basic blocks; and a conflict resolution phase, that downselects the final set of instructions. We present a disassembly algorithm that generalizes this pattern for a wide range of architectures, namely x86, x64, arm32, and aarch64. Our algorithm presents a novel conflict resolution method that reduces disassembly to weighted interval scheduling. Additionally, we present a weight assignment algorithm that allows us to learn optimal weights for the various disassembly heuristics in the analysis phase. Learned weights outperform manually tuned weights in most cases while reducing the number of necessary heuristics by 40% (by setting their weights to zero). Our implementation, built on top of Ddisasm, outperforms state-of-the-art disassemblers in several metrics and achieves the largest proportion of perfectly disassembled binaries by a wide margin in all evaluated datasets.
ISSN:2375-1207
DOI:10.1109/SP61157.2025.00192