Summary of "BOLT as a binary analysis tool" round table at EuroLLVM
April 18, 2024, 12:46pm
The topic of this round table was the idea of extending BOLT to also become a binary analysis tool, next to being an optimization tool. A rationale for this was provided in a recent RFC, and in the opening keynote of EuroLLVM.
This summary does not try to record everything that was said, but summarizes what the note taker (@kbeyls) thought were highlights to share.
- We thought that the biweekly Maksim Panchenko office hours on Wednesdays were a good place to continue the conversation that was started at this round table.
- For current BOLT maintainers, it seems interesting to support an additional use case (binary analysis), as it helps missing features in BOLT get implemented faster.
- The binary analysis aspect proposed does not interfere with optimizations. In other words, the optimization use case shouldn’t see negative consequences from also supporting the binary analysis use case.
- Using BOLT as a binary scanner seems useful for people building distributions, for example to check if protections are enabled, or to use as a software provenance checking tool.
- A few people said they have needed an ad-hoc binary analysis tool at times.
  They typically then use llvm-objdump to produce a disassembly and then write a fully custom Python script to parse that disassembly and implement the analysis.
  Even if we’d only upstream the basic framework to be able to invoke BOLT as a binary analysis tool, without any binary analyses upstreamed, it would already be very helpful for this use case. People who need to write an ad-hoc binary analysis can then make use of BOLT rather than having to reimplement everything from scratch in a custom Python script.
- We’d probably need to extend the MCPlusBuilder interface to have more typical queries on MCInsts that are needed during binary analysis.
- BOLT is already being used in at least 1 or 2 commercial security products as a binary analysis framework.
- One limitation of BOLT as a binary analysis tool is that it currently supports relatively few instruction sets and binary file formats.
- More people at the table share that they have a use case where they want a scanner that can pinpoint where a security mitigation is not in place.
- BOLT is probably not the right tool to analyze binaries that were maliciously modified.
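
The ad-hoc approach mentioned above (llvm-objdump disassembly parsed by a custom Python script), as an added example that is not from the round table or from the BOLT project. The mitigation checked (AArch64 return-address signing), the sample disassembly and all names are assumptions chosen for illustration. The check walks instructions linearly and ignores control flow, which is the kind of gap a real analysis framework would close.

```python
import re

# Constructed sample in the style of `llvm-objdump -d` output for AArch64.
SAMPLE_DISASM = """\
0000000000000714 <signed_fn>:
     714: d503233f      paciasp
     718: a9bf7bfd      stp     x29, x30, [sp, #-0x10]!
     71c: 94000010      bl      0x75c <helper>
     720: a8c17bfd      ldp     x29, x30, [sp], #0x10
     724: d50323bf      autiasp
     728: d65f03c0      ret

000000000000072c <unsigned_fn>:
     72c: a9bf7bfd      stp     x29, x30, [sp, #-0x10]!
     730: 9400000b      bl      0x75c <helper>
     734: a8c17bfd      ldp     x29, x30, [sp], #0x10
     738: d65f03c0      ret

000000000000073c <leaf_fn>:
     73c: 0b010000      add     w0, w0, w1
     740: d65f03c0      ret
"""

FUNC_RE = re.compile(r"^[0-9a-f]+ <(.+)>:$")
# Assumes each instruction is printed as one 32-bit encoding word.
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+[0-9a-f]{8}\s+(\S+)\s*(.*)$")

def find_unauthenticated_returns(disasm):
    """Return (function, address) for each plain `ret` that uses a link
    register reloaded from memory without a later autiasp/autibsp."""
    findings = []
    func, lr_trusted = None, True
    for line in disasm.splitlines():
        m = FUNC_RE.match(line)
        if m:  # new function: LR as passed in by the caller is trusted
            func, lr_trusted = m.group(1), True
            continue
        m = INSN_RE.match(line)
        if not m or func is None:
            continue
        addr, mnemonic, ops = int(m.group(1), 16), m.group(2), m.group(3)
        # Destination registers are the operands before the '[' address part.
        if mnemonic in ("ldp", "ldr") and re.search(r"\bx30\b", ops.split("[")[0]):
            lr_trusted = False
        elif mnemonic in ("autiasp", "autibsp"):
            lr_trusted = True
        elif mnemonic == "ret" and ops in ("", "x30") and not lr_trusted:
            findings.append((func, addr))
    return findings
```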