BAP: in-depth binary code analysis

addr 0x0 @asm ”add %eax, %ebx”
t:u32 = R EBX:u32
R_EBX:u32 = R_EBX:u32 + R_EAX:u32
R_CF:bool = R_EBX:u32 < t:u32
addr 0x2 @asm ”shl %cl, %ebx”
t1:u32 = R_EBX:u32 >> 0x20:u32 − (R_ECX:u32 & 0x1f:u32 )
R_CF:bool =
   ((R_ECX:u32 & 0x1f:u32) = 0:u32) & R_CF:bool |
   ̃((R_ECX:u32 & 0x1f:u32) = 0:u32) & low:bool (t1:u32)
addr 0x4 @asm ”jc 0x000000000000000a”
cjmp R_CF:bool, 0xa:u32, ”nocjmp0” #branchto 0xa if R_CF = true
label nocjmp0

                   BIL representation

Developers who deal with assembly irregularly often face the challenge of getting a clear picture on what’s happening behind the scene. Binary Analysis Platform (BAP) is a framework to analyze binary code by unfolding every operation that takes place when an instruction executes. BAP is developed in the Carnegie Mellon University.

BAP does this by translating binary code into an easy to understand language named BIL (BAP Intermediate Language). This language breaks down every instruction to the lowest level including the flags which get modified. This helps in understanding the behaviour and possible side effects of the instruction. The most regular usage of BAP is to analyze the generated BIL code. BAP also supports many popular analyses and built-in program representations.

BIL has a few language constructs, making it easy to analyze. BAP supports representations like Control Flow Graph (CFG) and Static Single Assignment (SSA) forms. It also includes a suite of common compiler optimizations and analyses. BAP is implemented in OCaml. In case you are not familiar with it, BIL can be exported into formats like protobuf, XML, and JSON or even LLVM bytecode.

Some of the areas being worked on at the time of writing are:

  • Scalable formal verification techniques
  • Automatic reverse engineering
  • Vulnerability-Based Signature Generation
  • Automatic Exploit Generation
  • Crypto verification
  • Malware analysis
  • Vulnerability detection in COTS software

BAP can be downloaded in source code form from its home page (link below). To install, extract the archive, cd into the extracted bap directory and run:

$ ./autogen.sh
$ ./configure
$ make
$ sudo make install

BAP is under heavy development. If you’ld like to contribute, join the project!

On GitHub: BAP

Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s