I have got a control flow graph of a trace of a C program (executed in a VM) which is highly complicated. I want to know what information I can extract if I have a CFG of a program trace apart from control dependencies! Thank you

What else do you want to know? Besides, like, how the control flows...? – Kristopher Micinski Sep 21 '12 at 20:50

Yeah, just brief me: what data, or what can we predict about the behaviour of the program from it? Can we make out the pattern or the way the interpreter is behaving by looking at it? Or what is the difference between their executions if the binary executed is compiled for different architectures? – archies50 Sep 21 '12 at 21:49

1 Answer

There is a distinction to be made here:
- A control flow graph is an approximation of the program's control flow. A control flow graph can tell you, for any run of the program, where control might flow. It is entirely feasible that the program may never execute a certain edge of the graph:

    int i = 23;
    int x = some_complicated_function_returning_zero();  /* always 0 */
    if (x < i) {
        printf("Hello, world!\n");
    } else {
        printf("Bad!\n");   /* edge exists in the CFG, never taken */
    }

  In that program, the else branch will never be executed; however, program analysis tools will generally report that there is a control flow edge to both sides of the branch. This is because program analysis is approximate.
- A trace of the program is a traversal of edges in the program's control flow graph. A good set of tests will generally include tests which cover many of the possible control flow paths (or at least, those that are feasible, up to the imprecision in the control flow graph's construction), and beyond that, test cases which cover a wide range of the values that things like variables take within those execution paths.

A trace will let you see how the program executed for a single run, while a control flow graph will allow you to say "what are the possible ways that my program could execute?"

Real programs are large, and therefore a control flow graph of an entire program will be extremely large; however, a trace will be considerably smaller, because you don't have the exponential branching effect...

Now let's say I have binaries of the same program compiled for different architectures! By getting the control flow graph, can I get to know about the interpreter behaviour, or something common about the behaviour of the program? – archies50 Sep 21 '12 at 22:12

Perhaps? It depends, but it mostly depends on the interpreter; if it's interpreted code then you're looking not just at the control flow of the code written, but at how the interpreter executes the code – Kristopher Micinski Sep 21 '12 at 22:13

Yeah, that's exactly what I am looking at: how the interpreter is executing the code. Now let's say it contains obfuscated code! What else can I infer from that? Can I make out the pattern in which the interpreter is executing the binaries? Or something else – archies50 Sep 21 '12 at 22:16

If it's obfuscated code, looking at the control flow will help... surely... It sure sounds like you're trying to reverse engineer someone's app... – Kristopher Micinski Sep 21 '12 at 22:17

I want to make out something concrete about the interpreter, and something concrete about the behaviour of the program! How is that possible? I am not working on an app; I just have some obfuscated binaries! – archies50 Sep 21 '12 at 22:20

You can't really tell anything if you don't also have a little bit of information about the code; you can only identify where things like loops might be, for example, by seeing that control comes back to the same point in the graph over and over. – Kristopher Micinski Sep 21 '12 at 22:22