Discovery of endianness and instruction size characteristics in binary programs from unknown instruction set architectures

Abstract

We approach the problem of streamlining reverse engineering (RE) of binary programs from unknown instruction set architectures (ISA). We focus on two fundamental ISA prerequisites to beginning the RE process: identification of endianness and whether the instruction width is a fixed or variable. For ISAs with a fixed instruction width, we also present methods for estimating the width. In addition to advancing research in software RE, our work can also be seen as a first step in hardware reverse engineering, because endianness and instruction format inherently describe properties of the underlying ISA.

We detail our efforts at feature engineering and perform experiments using a variety of machine learning models on two datasets of architectures using leave-one-group-out-cross-validation to simulate conditions where the tested ISA is unknown and unseen during model training. We use bigram-based features for endianness detection and the autocorrelation function, commonly used in signal processing applications, for differentiation between fixed- and variable-width instruction sizes. Initial results are promising, with endianness detection at 99.4%, fixed- versus variable-width instruction size at 86.0%, and detection of fixed instruction sizes at 88.0%.