Are there any tools that can build the control flow graph for an entire Linux kernel binary? For example, consider Linux kernel compiled for x86 architecture (vmlinux file). Is it possible to determine all execution paths (disregarding indirect branches or other control flows that need runtime information) using static analysis only? Are there any tools suitable for this?
-
It would be great if such a thing could exist but given how messy much smaller automated control flow graphs get, it would probably be impossible to use for code comprehension anyway. – Sridhar Sarnobat Oct 01 '19 at 16:37
-
Actually, Doxygen might be as good as any of the tools mentioned here (even though I personally didn't find it that useful). – Sridhar Sarnobat Oct 01 '19 at 16:39
4 Answers
There are two tools (CodeViz and Egypt) that can generate a call graph during compilation.
I don't think it will help you a lot to learn the Linux kernel. Many execution paths depend on macros and runtime conditions, so the call graph generated by a static analyzer is not very practical. You still need to use printk and dmesg to figure out what happened in some functions. Instead of using these tools, printk is more useful.
-
I'm actually looking to generate cfg from the kernel binary, not from the compilation. But thanks for the answer. – Dragonight Feb 02 '18 at 06:01
Our DMS Software Reengineering Toolkit with its C Front End can do this.
DMS provides generic parsing, control flow graph and call graph construction; the C front end provides the C-specific parsing details and the logic for constructing C-specific flow graphs, including indirect gotos, as well as a points-to analysis that has been used on code systems of some 16 million lines, so it should handle the Linux kernel. The flow graphs are produced one per compilation unit; the call graph is for a set of linked compilation units. All this information is available as DMS data structures, and/or exportable as XML if you insist and can stomach gigabytes of output.
You can see examples of control flow, data flow, and call graphs.
-
Does the downvoter know that this tool cannot do the task? It'd be nice if he told us how he knows that. – Ira Baxter Feb 04 '18 at 04:58
-
1. The question was about binary analysis, not building cfg from c files. 2. The answer is not geared for the question, but rather it just provides functionalities of a commercial tool (which sounds unrelated) – Dragonight Feb 08 '18 at 20:09
-
It's easier to build the CFG from the sources than it is from the binaries. In the binaries you may have some data that you cannot determine is code or data. In the source code, you can't be confused by this. In the source code, you have a chance at determining formulas for paths and for invalid paths which you can eliminate from the CFG; you have much less chance of doing this from the binary. So, right, this doesn't do it from the binary; it does it from a source that is likely to get you a better answer. – Ira Baxter Feb 09 '18 at 02:49
You can try CppDepend; it provides a powerful dependency graph with many features. However, you have to analyze the source code and not the binaries.
GrammaTech CodeSonar can perform static analysis on binary code (https://www.grammatech.com/products/binary-analysis) and it allows you to visualize and navigate the control-flow graph. This is a commercial tool, though.
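To make concrete what "static analysis only, disregarding indirect branches" actually yields on a binary, here is an added example (written for this page; it is not code from the question, the answers, or any of the tools named above): a small Python CFG builder that works purely from the text of `objdump -d`, the same starting point you would have with a stripped-down vmlinux. It runs on a constructed two-function listing rather than a real kernel; the byte encodings are genuine x86-64, but the addresses and the symbols `demo_entry` and `demo_helper` are made up. Direct `jmp`, conditional `j*` and direct `call` instructions produce edges; `call *%rax` and `jmp *%reg` sites are recorded as unresolved, which is exactly the runtime-information gap the question sets aside.

```python
import re
from collections import namedtuple

# Constructed sample in `objdump -d` (AT&T) layout, not from a real kernel: genuine x86-64 encodings, made-up addresses and symbols.
SAMPLE_LISTING = "\n".join([
    "ffffffff81001000 <demo_entry>:",
    "ffffffff81001000:\t48 85 ff             \ttest   %rdi,%rdi",
    "ffffffff81001003:\t74 09                \tje     ffffffff8100100e <demo_entry+0xe>",
    "ffffffff81001005:\te8 16 00 00 00       \tcall   ffffffff81001020 <demo_helper>",
    "ffffffff8100100a:\tff d0                \tcall   *%rax",
    "ffffffff8100100c:\teb 02                \tjmp    ffffffff81001010 <demo_entry+0x10>",
    "ffffffff8100100e:\t31 c0                \txor    %eax,%eax",
    "ffffffff81001010:\tc3                   \tret",
    "ffffffff81001020 <demo_helper>:",
    "ffffffff81001020:\t31 c0                \txor    %eax,%eax",
    "ffffffff81001022:\tff c0                \tinc    %eax",
    "ffffffff81001024:\t83 f8 0a             \tcmp    $0xa,%eax",
    "ffffffff81001027:\t75 f9                \tjne    ffffffff81001022 <demo_helper+0x2>",
    "ffffffff81001029:\tc3                   \tret",
])

FUNC_RE = re.compile(r"^([0-9a-f]+) <([^>]+)>:$")
INSN_RE = re.compile(r"^([0-9a-f]+):\t([0-9a-f ]+?)\s*\t(\S+)\s*(.*)$")
PREFIXES = {"rep", "repz", "repnz", "bnd", "notrack", "lock"}  # objdump prints these as a separate word
RETURNS = {"ret", "retq", "iret", "iretq", "sysret", "sysretq"}
Insn = namedtuple("Insn", "addr size mnem ops")

def parse_listing(text):
    """{symbol: [Insn, ...]} in address order, one list per `<symbol>:` header."""
    funcs, cur = {}, None
    for line in text.splitlines():
        if m := FUNC_RE.match(line):
            cur, funcs[m.group(2)] = m.group(2), []
        elif (m := INSN_RE.match(line)) and cur is not None:
            mnem, ops = m.group(3), m.group(4).strip()
            if mnem in PREFIXES:                             # e.g. "notrack jmp *%rax"
                mnem, _, ops = ops.partition(" ")
            # one hex token per encoded byte gives the size, hence the fall-through address
            funcs[cur].append(Insn(int(m.group(1), 16), len(m.group(2).split()), mnem, ops.strip()))
    return funcs

def classify(insn):
    """(kind, target); kind in fall/jmp/jcc/call/ijmp/icall/ret; '*' operands have no static target."""
    m = re.match(r"^([0-9a-f]+)\b", insn.ops)
    tgt = int(m.group(1), 16) if m else None
    if insn.mnem in RETURNS:
        return "ret", None
    if insn.mnem.startswith("jmp"):
        return ("ijmp", None) if insn.ops.startswith("*") else ("jmp", tgt)
    if insn.mnem.startswith("call"):
        return ("icall", None) if insn.ops.startswith("*") else ("call", tgt)
    if insn.mnem.startswith("j"):                            # je, jne, jb, ...: always direct on x86
        return "jcc", tgt
    return "fall", None

def build_cfg(insns):
    """One function -> (blocks {leader: [Insn]}, edges {leader: [succ]}, unresolved [(addr, kind)])."""
    addrs = {i.addr for i in insns}
    leaders = {insns[0].addr}
    for i in insns:
        kind, tgt = classify(i)
        if kind != "fall":
            leaders.add(i.addr + i.size)                     # a block ends after any transfer
        if kind in ("jmp", "jcc") and tgt in addrs:
            leaders.add(tgt)
    blocks, cur = {}, None
    for i in insns:
        if i.addr in leaders:
            cur, blocks[i.addr] = i.addr, []
        blocks[cur].append(i)
    edges, unresolved = {}, []
    for leader, body in blocks.items():
        last = body[-1]
        kind, tgt = classify(last)
        fall = last.addr + last.size
        succ = {"fall": [fall], "call": [fall], "icall": [fall],
                "jmp": [tgt], "jcc": [tgt, fall]}.get(kind, [])  # ret / ijmp: nothing known
        if kind in ("icall", "ijmp"):
            unresolved.append((last.addr, kind))
        edges[leader] = [s for s in succ if s in blocks]     # tail calls / noreturn leave the function
    return blocks, edges, unresolved

def enumerate_paths(edges, entry):
    """Paths from entry to a block with no known successor; a block appears at most once per path."""
    paths = []
    def walk(block, path):
        path = path + [block]
        nxt = [s for s in edges[block] if s not in path]     # back edges are not followed again
        if not nxt:
            paths.append(path)
        for s in nxt:
            walk(s, path)
    walk(entry, [])
    return paths

def analyze(text):
    """{symbol: (blocks, edges, unresolved, paths)} for every function in the listing."""
    out = {}
    for name, insns in parse_listing(text).items():
        blocks, edges, unresolved = build_cfg(insns)
        out[name] = (blocks, edges, unresolved, enumerate_paths(edges, insns[0].addr))
    return out
```

On the sample, `demo_entry` splits into six blocks with two entry-to-`ret` paths, and the `call *%rax` at `ffffffff8100100a` is reported as unresolved; `demo_helper`'s loop becomes a self-edge on one block and is walked once rather than unrolled. To try it on a real kernel, pipe `objdump -d --insn-width=15 vmlinux` into `analyze`, since the parser skips objdump's continuation lines for long instructions and would otherwise miscount sizes. Two kernel-specific caveats this simplification does not handle: vmlinux patches itself at boot (alternatives, jump labels, static calls), so the branch bytes on disk are not always the ones that execute, and with retpolines enabled an indirect call is emitted as a direct `call __x86_indirect_thunk_rax`, so a "resolved" edge to that thunk is really an indirect transfer in disguise.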