Survey of program analysis research with a focus on machine code
Latest commit aa298f8 Mar 18, 2017 @REMath REMath Merge pull request #7 from bartblaze/patch-1
Update x64dbg link

Mechanization of Exploits

Binary Analysis

  • Moflow BAP-based tools to do post-crash graph backtaint slicing, post-crash forward symbolic emulation to look for more exploitable conditions, whitebox fuzzing based in SAGE
  • Dagger is a decompilation framework based on LLVM

Analysis of Communication Protocols

  • Netzob is an open source tool for reverse engineering, traffic generation and fuzzing of communication protocols. It allows one to infer the message format and the state machine of a protocol through passive and active processes. The model can afterward be used to simulate realistic and controllable traffic.
  • Communication protocols determine how network components interact with each other. Therefore, the ability to derive a specification of a protocol can be useful in various contexts, such as to support deeper black-box testing or effective defense mechanisms. Unfortunately, it is often hard to obtain the specification because systems implement closed (i.e., undocumented) protocols, or because a time-consuming translation has to be performed, from the textual description of the protocol to a format readable by the tools. To address these issues, we developed ReverX, a Java application that generates automata for the language and protocol state machine from network traces. Since our solution only resorts to interaction samples of the protocol, it is well-suited to uncover the message formats and protocol states of closed protocols and also to automate most of the process of specifying open protocols.
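Both tools above infer a message format and a protocol state machine purely from captured traffic. The following is an added example, not code from Netzob, ReverX or this survey, that shows the simplest form of that passive inference on constructed traces of a toy protocol: messages are clustered by an assumed type byte at offset 0, per-offset variability splits each type into constant and variable fields, and the sequence of types seen in each session yields the observed transition relation. Real tools use sequence alignment and automata learning instead of fixed offsets, so treat this as the idea, not the algorithm.

```python
"""Added example: passive inference of message fields and a protocol state
machine from captured sessions of a constructed toy protocol.  This is not
Netzob or ReverX code; it is the per-offset variant of the same idea."""
from collections import defaultdict

# Constructed traces (assumption: a toy protocol whose messages are
# byte 0 = message type, byte 1 = sequence number, rest = payload).
# The analysis itself only assumes that TYPE_OFFSET holds the message type.
TYPE_OFFSET = 0
SESSIONS = [
    [b"\x01\x00HELLO", b"\x02\x00OK", b"\x03\x01GET a", b"\x04\x01DATA aaa",
     b"\x05\x02BYE"],
    [b"\x01\x00HELLO", b"\x02\x00OK", b"\x03\x01GET bb", b"\x04\x01DATA b",
     b"\x03\x02GET c", b"\x04\x02DATA cc", b"\x05\x03BYE"],
]


def cluster_by_type(sessions, type_offset=TYPE_OFFSET):
    """Group every captured message by its type byte."""
    clusters = defaultdict(list)
    for session in sessions:
        for msg in session:
            clusters[msg[type_offset]].append(msg)
    return dict(clusters)


def infer_format(messages):
    """Infer fields for one message type from its samples.

    Each offset up to the shortest sample is 'const' if every sample carries
    the same byte there, otherwise 'var'; adjacent offsets of the same kind
    are merged into one field (start, end, kind) with end exclusive.  If the
    samples differ in length, the trailing field is open-ended (end=None),
    modelling a variable-length payload.
    """
    shortest = min(len(m) for m in messages)
    kinds = ["const" if len({m[i] for m in messages}) == 1 else "var"
             for i in range(shortest)]
    fields = []
    for offset, kind in enumerate(kinds):
        if fields and fields[-1][2] == kind:
            fields[-1] = (fields[-1][0], offset + 1, kind)
        else:
            fields.append((offset, offset + 1, kind))
    if max(len(m) for m in messages) > shortest:
        if fields and fields[-1][2] == "var":
            fields[-1] = (fields[-1][0], None, "var")
        else:
            fields.append((shortest, None, "var"))
    return fields


def infer_state_machine(sessions, type_offset=TYPE_OFFSET):
    """Observed transition relation over message types.

    Pseudo-states 'START' and 'END' bracket each session.  Only edges that
    were actually seen appear, so a passive inference under-approximates the
    real automaton: more sessions can only add edges, never remove them.
    """
    transitions = defaultdict(set)
    for session in sessions:
        state = "START"
        for msg in session:
            msg_type = msg[type_offset]
            transitions[state].add(msg_type)
            state = msg_type
        transitions[state].add("END")
    return {state: frozenset(nxt) for state, nxt in transitions.items()}


if __name__ == "__main__":
    for msg_type, msgs in sorted(cluster_by_type(SESSIONS).items()):
        print(f"type {msg_type:#04x}: {infer_format(msgs)}")
    for state, nxt in infer_state_machine(SESSIONS).items():
        print(f"{state} -> {sorted(map(str, nxt))}")
```

For the GET messages (type 3) this yields a constant type byte, a variable sequence byte, the constant "GET " opcode and an open-ended variable payload; the state machine shows that DATA (type 4) can be followed either by BYE or by another GET, which is exactly the loop an active (fuzzing) phase would then exercise.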

Intermediate Representations

  • An Intermediate Representation for Integrating Reverse Engineering Analyses (1998)
  • REIL: A platform-independent intermediate representation of disassembled code for static code analysis
  • Relational Reverse Engineering Intermediate Language
  • VinE Project Documentation
  • BIL
  • LLVM
  • TSL: A System for Generating Abstract Interpreters and its Application to Machine-Code Analysis
  • Combining Several Analyses into One OR What is a Good Intermediate Language for the Analysis of Executables?
  • Jakstab uses an IR described in chapter two
  • Wire – A Formal Intermediate Language for Binary Analysis
  • RockSalt: Better, Faster, Stronger SFI for the x86

Alias / Value Analysis

  • Alias Analysis for Assembly
  • Probabilistic Alias Analysis for ARM Executable Code
  • WYSINWYX: What You See Is Not What You Execute
  • Static Analysis of x86 Executables by Johannes Kinder
  • BDDStab: BDD-based Value Analysis of Binaries
  • Static Analysis of x86 Assembly: Certification and Robustness Analysis

Control Flow Recovery

  • Alias / Value Analysis
  • Alternating Control Flow Reconstruction
  • Refinement-based CFG Reconstruction from Unstructured Programs by Sebastien Bardin, Philippe Herrmann, and Franck Vedrine
  • Control flow reconstruction from PowerPC binaries
  • Interprocedural Analysis of Low-Level Code

Binary Rewriting

  • Control Flow Integrity
  • Metamorphic Software for Buffer Overflow Mitigation
  • Advanced Metamorphic Techniques in Computer Viruses
  • Metamorphism in practice or "How I made MetaPHOR and what I've learnt"
  • Automated reverse engineering: Mistfall engine
  • Writing disassembler
  • Benny's Metamorphic Engine for Win32
  • "Do polymorphism" tutorial
  • Introductory Primer To Polymorphism in Theory and Practice
  • Recompiling the metamorphism
  • Theme: Metamorphism
  • Some ideas about metamorphism
  • Meta-Level Languages in Viruses
  • Metamorphism (part 1)
  • Metamorphism
  • The Viral Darwinism of W32.Evol
  • The Molecular Virology of Lexotan32: Metamorphism Illustrated
  • The Design Space of Metamorphic Malware
  • Diablo

Abstract Interpretation

Logical solvers

Probabilistic Logic


  • Using Datalog for fast and easy program analysis
  • Implementing Dataflow Analyses for Pegasus in Datalog
  • Relational Representation of the LLVM Intermediate Language
  • An Efficient Engine for Fixed Points with Constraints
  • On Abstraction Refinement for Program Analyses in Datalog
  • Strictly Declarative Specification of Sophisticated Points-to Analyses
  • Pregelix: Big(ger) Graph Analytics on A Dataflow Engine
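The Datalog entries above express program analyses as logic rules whose consequences are computed to a fixpoint over relations extracted from the program. As an added example (not code from any of the listed papers or from this survey), here is a minimal bottom-up Datalog evaluator running Andersen's inclusion-based points-to analysis on a constructed five-statement program; the input relations AddrOf, Copy, Load and Store, the variable naming convention (strings starting with "?") and the program itself are all assumptions of the example.

```python
"""Added example: a naive bottom-up Datalog engine and an Andersen-style
points-to analysis expressed as four rules.  Not from any listed paper."""
from collections import defaultdict


class Datalog:
    """Minimal Datalog evaluator: positive rules only, naive iteration
    to a fixpoint (no negation, no stratification, no semi-naive delta)."""

    def __init__(self):
        self.facts = defaultdict(set)  # relation name -> set of tuples
        self.rules = []                # (head_atom, (body_atom, ...))

    def fact(self, rel, *args):
        self.facts[rel].add(tuple(args))

    def rule(self, head, *body):
        # An atom is (relation, (term, ...)); terms starting with '?' are variables.
        self.rules.append((head, body))

    @staticmethod
    def _is_var(term):
        return isinstance(term, str) and term.startswith("?")

    def _match(self, atom, env):
        """Yield extensions of env that unify atom with a fact of its relation."""
        rel, terms = atom
        for tup in list(self.facts[rel]):
            if len(tup) != len(terms):
                continue
            new_env = dict(env)
            for term, value in zip(terms, tup):
                if self._is_var(term):
                    if new_env.setdefault(term, value) != value:
                        break  # variable already bound to something else
                elif term != value:
                    break      # constant mismatch
            else:
                yield new_env

    def _solve(self, body, env):
        """Join the body atoms left to right, threading variable bindings."""
        if not body:
            yield env
            return
        for env2 in self._match(body[0], env):
            yield from self._solve(body[1:], env2)

    def run(self):
        """Apply every rule until no rule derives a new tuple."""
        changed = True
        while changed:
            changed = False
            for (rel, terms), body in self.rules:
                derived = {tuple(env[t] if self._is_var(t) else t for t in terms)
                           for env in self._solve(body, {})}
                before = len(self.facts[rel])
                self.facts[rel] |= derived
                changed |= len(self.facts[rel]) > before
        return self.facts


def points_to_analysis():
    """Inclusion-based points-to for the constructed program (assumption: plain
    local variables, no fields, no calls):
        p = &a;  q = &b;  r = p;  *r = q;  s = *p;
    Returns PointsTo as a set of (pointer, pointee) pairs."""
    dl = Datalog()
    for rel, x, y in [("AddrOf", "p", "a"), ("AddrOf", "q", "b"),
                      ("Copy", "r", "p"), ("Store", "r", "q"), ("Load", "s", "p")]:
        dl.fact(rel, x, y)
    PT = "PointsTo"
    # PointsTo(x, y) :- AddrOf(x, y).                                x = &y
    dl.rule((PT, ("?x", "?y")), ("AddrOf", ("?x", "?y")))
    # PointsTo(x, z) :- Copy(x, y), PointsTo(y, z).                  x = y
    dl.rule((PT, ("?x", "?z")), ("Copy", ("?x", "?y")), (PT, ("?y", "?z")))
    # PointsTo(x, z) :- Load(x, y), PointsTo(y, w), PointsTo(w, z).  x = *y
    dl.rule((PT, ("?x", "?z")), ("Load", ("?x", "?y")),
            (PT, ("?y", "?w")), (PT, ("?w", "?z")))
    # PointsTo(w, z) :- Store(x, y), PointsTo(x, w), PointsTo(y, z). *x = y
    dl.rule((PT, ("?w", "?z")), ("Store", ("?x", "?y")),
            (PT, ("?x", "?w")), (PT, ("?y", "?z")))
    return set(dl.run()[PT])


def may_alias(points_to, x, y):
    """Two pointers may alias when their points-to sets intersect."""
    targets = lambda v: {t for (p, t) in points_to if p == v}
    return bool(targets(x) & targets(y))


if __name__ == "__main__":
    pt = points_to_analysis()
    for pointer, target in sorted(pt):
        print(f"{pointer} -> {target}")
    print("p and r may alias:", may_alias(pt, "p", "r"))
```

The store through r is what makes a point to b, and only after that fact exists does the load rule derive that s points to b, which is why the evaluation needs a second round: the naive loop is the simplest correct strategy, and the "Efficient Engine for Fixed Points" and semi-naive evaluation in the papers above are about doing exactly this without re-joining the whole database each round.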

String Solvers


Ground Truth


Hidden Computation




Virtual Machines


Model Checkers

Reasoning About Finite-state and Pushdown Automata


Interactive Theorem Provers

Control Flow Integrity

  • A Retargettable CFI implementation in LLVM. Authors: Joseph Battaglia and Oulin Yao
  • BinCFI: Control Flow Integrity for COTS Binaries

C Code / C++ Code (Need to split these at some point)

Quantitative Analysis

Assisted Exploit Engineering

Return-oriented Programming

Random Testing (Fuzzing)

Dynamic Analysis is an interpretation of the static semantics

To be categorized

Disassemblers & Debuggers

x86 only




Type and Data Structure Recovering

Miscellaneous Tools

Binary Manipulation Frameworks




Anti-Debugging / Anti-Reversing