Summary of "BOLT as a binary analysis tool" round table at EuroLLVM

The topic of this round table was the idea of extending BOLT to also become a binary analysis tool, in addition to being an optimization tool. A rationale for this was provided in a recent RFC and in the opening keynote of EuroLLVM.

This summary does not try to record everything that was said, but summarizes what the note taker (@kbeyls) thought were highlights worth sharing.

  • We thought that the biweekly Maksim Panchenko office hours on Wednesdays were a good place to continue the conversation that was started at this round table.

  • For current BOLT maintainers, it seems interesting to support an additional use case (binary analysis), as it helps get missing features in BOLT implemented faster.

  • The binary analysis aspect proposed does not interfere with optimizations. In other words, the optimization use case shouldn’t see negative consequences from also supporting the binary analysis use case.

  • Using BOLT as a binary scanner seems useful for people building distributions, for example to check if protections are enabled, or to use as a software provenance checking tool.

  • A few people said they have needed an ad-hoc binary analysis tool at times.
    They typically use llvm-objdump to produce a disassembly and then write a fully custom Python script to parse that disassembly and implement the analysis.

    Even if we only upstreamed the basic framework needed to invoke BOLT as a binary analysis tool, without any binary analyses upstreamed, it would already be very helpful for this use case. People who need to write an ad-hoc binary analysis could then build on BOLT rather than having to reimplement everything from scratch in a custom Python script.
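To make the ad-hoc workflow described above concrete, here is an added example (not code from the round table, BOLT, or LLVM) of the kind of Python script people write today: it parses llvm-objdump -d output for AArch64 into per-function instruction lists and runs one small analysis over it. The analysis chosen here, checking that every function starts with a BTI landing pad (`bti c`/`bti jc`, or `paciasp`/`pacibsp`, which also act as landing pads), is an assumed example of a "mitigation not in place" scanner; the disassembly text is constructed inline, and the function names and addresses in it are made up.

```python
import re
from typing import Dict, List, NamedTuple


class Insn(NamedTuple):
    addr: int
    mnemonic: str
    operands: str


# llvm-objdump -d on AArch64 prints function headers as "<hex-addr> <name>:" and
# instruction lines as "<hex-addr>: <8 hex digits of encoding> <mnemonic> <operands>".
FUNC_RE = re.compile(r"^([0-9a-f]+) <([^>]+)>:\s*$")
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+[0-9a-f]{8}\s+(\S+)\s*(.*?)\s*$")


def parse_disassembly(text: str) -> Dict[str, List[Insn]]:
    """Group llvm-objdump instruction lines under the function they belong to."""
    functions: Dict[str, List[Insn]] = {}
    current = None
    for line in text.splitlines():
        m = FUNC_RE.match(line)
        if m:
            current = m.group(2)
            functions[current] = []
            continue
        m = INSN_RE.match(line)
        if m and current is not None:
            functions[current].append(
                Insn(int(m.group(1), 16), m.group(2), m.group(3))
            )
    return functions


def has_call_landing_pad(insns: List[Insn]) -> bool:
    """True if the function's first instruction is a valid BTI landing pad for an
    indirect call: 'bti c', 'bti jc', or a PAC prologue (paciasp/pacibsp)."""
    if not insns:
        return False
    first = insns[0]
    if first.mnemonic == "bti":
        return first.operands in ("c", "jc")
    return first.mnemonic in ("paciasp", "pacibsp")


def functions_missing_landing_pad(text: str) -> List[str]:
    """The analysis itself: names of functions whose entry lacks a landing pad."""
    funcs = parse_disassembly(text)
    return [name for name, insns in funcs.items() if not has_call_landing_pad(insns)]


# Constructed sample in the shape of `llvm-objdump -d` output for an AArch64
# object; names and addresses are made up, encodings are the real ones for
# the listed instructions.
SAMPLE = """
demo.o:\tfile format elf64-littleaarch64

Disassembly of section .text:

0000000000000000 <with_bti>:
       0: d503245f     \tbti\tc
       4: d65f03c0     \tret

0000000000000008 <with_pac>:
       8: d503233f     \tpaciasp
       c: d50323bf     \tautiasp
      10: d65f03c0     \tret

0000000000000014 <no_landing_pad>:
      14: d10043ff     \tsub\tsp, sp, #16
      18: 910043ff     \tadd\tsp, sp, #16
      1c: d65f03c0     \tret
"""

if __name__ == "__main__":
    for name in functions_missing_landing_pad(SAMPLE):
        print(f"{name}: no BTI landing pad at function entry")
```

Everything from the regexes down to the grouping logic is boilerplate that every such script reimplements; the analysis is the three-line `has_call_landing_pad`. That ratio is the point the round table was making: a BOLT-based framework would supply the parsing, CFG and MCInst queries, leaving only the analysis to write.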

  • We’d probably need to extend the MCPlusBuilder interface to have more typical queries on MCInsts that are needed during binary analysis.

  • BOLT is already being used in at least 1 or 2 commercial security products as a binary analysis framework.

  • One current limitation of BOLT as a binary analysis tool is that it currently supports relatively few instruction sets and binary file formats.

  • Several people at the table shared that they have a use case where they want a scanner that can pinpoint where a security mitigation is not in place.

  • BOLT is probably not the right tool to analyze binaries that were maliciously modified.
