EFACT: an External Function Auto-Completion Tool to Strengthen Static Binary Lifting

TL;DR

EFACT is a lightweight tool that significantly improves the recovery of external function prototypes, especially mangled C++ functions, enhancing static binary lifting accuracy and supporting cross-ISA translation.

Contribution

EFACT introduces a novel algorithm for better mangled external function prototype recovery and integrates as a plugin to improve static binary rewriting frameworks.

Findings

Outperforms RetDec and McSema in mangled EXF recovery by over 96%.

Increases correct translation of benchmarks by 36.7% and 93.6% in cross-ISA scenarios.

Addresses challenges in static binary translation for C++ and cross-ISA support.

Abstract

Static binary lifting is essential in binary rewriting frameworks. Existing tools overlook the impact of External Function Completion (EXFC) in static binary lifting. EXFC recovers the prototypes of External Functions (EXFs, functions defined in standard shared libraries) using only the function symbols available. Incorrect EXFC can misinterpret the source binary, or cause memory overflows in static binary translation, which eventually results in program crashes. Notably, existing tools struggle to recover the prototypes of mangled EXFs originating from binaries compiled from C++. Moreover, they require time-consuming manual processing to support new libraries. This paper presents EFACT, an External Function Auto-Completion Tool for static binary lifting. Our EXF recovery algorithm better recovers the prototypes of mangled EXFs, particularly addressing the template specialization mechanism in C++. EFACT is designed as a lightweight plugin to strengthen other static binary rewriting frameworks in EXFC. Our evaluation shows that EFACT outperforms RetDec and McSema in mangled EXF recovery by 96.4% and 97.3% on SPEC CPU 2017. Furthermore, we delve deeper into static binary translation and address several cross-ISA EXFC problems. When integrated with McSema, EFACT correctly translates 36.7% more benchmarks from x86-64 to x86-64 and 93.6% more from x86-64 to AArch64 than McSema alone on EEMBC.