Constructing Precise Control Flow Graphs from Binaries

Third-party software is often distributed only in binary form. For software engineering or security considerations, it is important to be able to analyze binaries. One fundamental obstacle to perform binary analysis is the lack of precise control flow information. Existing techniques to construct control flow of binaries are either static or dynamic. Traditional static techniques usually disassemble a program’s binary image statically and build the control flow graph (CFG) from the assembly-level representation of the program. They are limited in precision because of difficulty in statically resolving indirect branches. Dynamic techniques, on the other hand, suffer from poor coverage and scalability. Hybrid techniques based on combined dynamic and symbolic path exploration can be used to improve code coverage, but still suffer from poor coverage and scalability because they rely on expensive constraint solving to generate alternative inputs to explore different control flow paths. This paper presents the first practical technique that constructs precise control flow graphs from binaries. Our technique rests on the key observation that the possible targets of most indirect branches are independent of intermediate program states, and thus by systematically forcing a program’s execution to explore both branches of each conditional, we can discover the program’s precise control flow. Specifically, we run the program under analysis in a controlled virtual environment. At each conditional branch, we save the address of the path not taken, and force the execution to explore that path later. In essence, we leverage both dynamic execution to compute the targets of indirect branches (as in traditional dynamic CFG construction) and efficient (since it is forced) systematic exploration specifically targeting the problem of control flow construction from binaries. We also introduce effective optimizations and heuristics to make our dynamic forced execution scalable and practical. We have implemented our technique in a practical tool FXE for x86 binaries and performed detailed evaluation of its precision, generality, and performance. Our results show that FXE constructs highly precise CFGs and scales to real-world programs, significantly outperforming state-of-the-art alternatives.