search

Vector35 / binaryninja-api

Public API, examples, documentation and issues for Binary Ninja
https://binary.ninja/
MIT License
906 stars 207 forks source link

Bitwise dataflow #1512

Open whitequark opened 4 years ago

whitequark commented 4 years ago

Currently, binja allows referring to the various processor flags individually, but in the hardware, they are combined into one register. Although common ISAs like x86 do not provide rich operations on flags and commonly encountered code does not invoke them, on microcontrollers it is very common to have extensive operations on flags for two reasons:

  1. the flags register is often either directly addressable via a memory, or easily accessible via a dedicated instruction;
  2. some call/return constructs, in particular interrupts, implicitly push flags.

Because the flags aren't addressable as a whole, it is necessary to use a workaround, where the flags are either concatenated into one LLIL value, or individually set from one LLIL value. For example, this (written for 8086):

flags_bits = [
    ('c', 0),
    ('p', 2),
    ('a', 4),
    ('z', 6),
    ('s', 7),
    ('i', 9),
    ('d', 10),
    ('o', 11),
]

class PushF(Instruction):
    def lift(self, il, addr):
        flags = None
        for flag, flag_bit in flags_bits:
            bit = il.flag_bit(2, flag, flag_bit)
            if flags is None:
                flags = bit
            else:
                flags = il.or_expr(2, bit, flags)
        il.append(il.push(2, flags))

class PopF(Instruction):
    def lift(self, il, addr):
        flags = LLIL_TEMP(il.temp_reg_count)
        il.append(il.set_reg(2, flags, il.pop(2)))
        for flag, flag_bit in flags_bits:
            bit = il.test_bit(2, il.reg(2, flags), il.const(2, flag_bit))
            il.append(il.set_flag(flag, bit))

This workaround generates large and complicated expressions that obscure useful information and impede analysis. It is tedious to implement when there are many instructions accessing flags, and essentially unfeasible when the flags register is memory-mapped due to the volume of generated LLIL.

Please provide, at least, a way to combine flags into a single register. Ideally, it would be also possible to have flags sub-registers (similar to normal sub-registers), because many architectures split the flags register into unprivileged and privileged portions that are used separately; simply have large flag regsiters that may not fit into GPRs with the available addressing modes; or have multi-bit fields in the flags register denoting privilege level, interrupt level, etc.

plafosse commented 3 years ago

We can't do this as you suggest, but in the future we may implement bitwise dataflow to solve this type of problem. I'm going to change the title to reflect this.