PossibleValueSet API Implementation Detail

[jjang3]

Hello everyone,

I recently came across this great blog and wanted to ask a question regarding it.

The core question I wanted to ask is: Are there any references that I can refer to learn the implementation detail of the PossibleValueSet API?

Based on my knowledge, in order to perform such analysis using source code, typically compiler techniques such as reaching definitions are used to overapproximate the possible value sets that a variable could have at a certain point in a program.

However, because Binary Ninja is based on using the limited information from a binary, the analysis must be a lot more complex than a simple reaching definitions analysis. Therefore, I was hoping if I could get a deeper look at how such analysis is performed to know more and think out what may need to be done to improve it.

I would appreciate any kind of insights, thank you!

[psifertex]

Thanks for posting, this is something we'd like to take some more time to answer in detail. Unfortunately a full explanation would take a lot of work at this point so in the meantime we'll just direct people to this talk we gave which described our initial implementation:
https://vimeo.com/215511922#t=21m47s

While it's describing it in the context of jump table analysis, the Possible Value Set API is the specific implementation being used to resolve jump tables so the discussion there holds for any of our PVS analysis.

Hopefully we'll get some time later to re-visit this with a more in-depth discussion of the many approaches such as analyzing indirect dependence, algebraic combinations, etc, but this is the best source for now.