Semantic Fidelity of Decompilers

Presentation
This presentation was given at the 2022 Malware Technical Exchange Meeting. The authors describe a technique for determining which individual functions have been decompiled correctly by a modern decompiler, which is useful for malware analysis.
Publisher

Software Engineering Institute

Abstract

Although modern decompilers are very useful for malware analysis, they typically cannot correctly decompile every binary function. "Correctly decompile a function" means that the decompiled form is semantically equivalent to the original machine-code version of the function (with the caveat that we ignore the possibility of things such as a function returning information in CPU status flags, timing side channels, etc.). In this presentation, the authors describe a technique for automatically determining which individual functions have been decompiled correctly.