BinaryAnalysisPlatform
Variable Recovery
Dear all,
I am learning BAP and want to do some variable recovery tasks. But I am a little confused about the recovery algorithm used by BAP.
I found an old issue which mentioned TIE, and I know TIE leverage DVSA to recover variable.
But it seems that TIE is not public and equipped by BAP right now. So I am curious about whether current BAP uses DVSA algorithm, or other techniques?
Thanks a lot!
No, current BAP is not using DVSA and doesn't feature any variable recovery algorithm at all, but contributions are very welcome :) You can find VSA here. Unfortunately, I can't provide any information on the DVSA algorithm and the BAP mentioned in the paper is very different from the current version (it was some branch of BAP 0.8), while now we're working on BAP 2.1. There were two major releases and dozens of minor releases and more than 10 years of development, so modern BAP share nothing but name with BAP 0.8 (even BIL was different at that time).
CC @dbrumley @ethan42
Also, there is a more or less recent work on binary type recovery from @maurer, and you can read about it in his thesis. You can also find a few notes about TiE there.
@ZhangZhuoSJTU, besides, if you want to implement a variable recovery algorithm for BAP, I am happy to mentor you. Feel free to contact me (gitter, email, whatever you prefer)
There are some VSA implementations here:
Also related: https://github.com/draperlaboratory/cbat_tools/issues/7
My vsa stuff takes a more traditional approach to a-locs than CBAT's approach so I am looking for a way to handle variable recovery. My current pathway is likely to be the simplest approach using a simple stack delta ala IDA etc. Current progress available here (https://github.com/2over12/bap_ai/). That being said if somebody were to illuminate the DVSA algorithm a bit more I'd love to integrate it. As it stands from section 5.2 alone it is extremely unclear to me what the abstract domain looks like.
