Abstract
We present an approach to lift position-independent x86-64 binaries to symbolized NASM. Symbolization is a decompilation step that enables binary patching: functions can be modified, and instructions can be interspersed. Moreover, it is the first abstraction step in a larger decompilation chain. The produced NASM is recompilable, and we extensively test the recompiled binaries to see if they exhibit the same behavior as the original ones. In addition to testing, the produced NASM is accompanied with a certificate, constructed in such a way that if all theorems in the certificate hold, symbolization has occurred correctly. The original and recompiled binary are lifted again with a third-party decompiler (Ghidra). These representations, as well as the certificate, are loaded into the Isabelle/HOL theorem prover, where proof scripts ensure that correctness can be proven automatically. We have applied symbolization to various stripped binaries from various sources, from various compilers, and ranging over various optimization levels. We show how symbolization enables binary-level patching, by tackling challenges originating from industry.
| Original language | English |
|---|---|
| Title of host publication | CCS '24 |
| Subtitle of host publication | Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security |
| Place of Publication | New York |
| Publisher | Association for Computing Machinery |
| Pages | 2786-2798 |
| ISBN (Electronic) | 9798400706363 |
| DOIs | |
| Publication status | Published - 9 Dec 2024 |