Abstract
A control flow graph (CFG) is a type of directed graph that shows the execution paths of a program. It is a mathematical structure that is actively used in software testing. It can be constructed from the source or the executable of the program. Construction of the CFG from the executable is called CFG reconstruction. CFG reconstruction is used in many areas of computer science, such as reverse engineering, security analysis, and worst-case execution time analysis. CFG reconstruction can be performed using a static, dynamic, or hybrid approach. This paper introduces a new CFG reconstruction tool named Turna that uses a hybrid approach. Turna works on programs that are compiled for the RISC-V architecture. One of the main phases of CFG reconstruction is basic block detection. Therefore, together with Turna, a new rule set and an algorithm for basic block detection from RISC-V executables are also introduced. The CFG reconstruction process and the outputs of Turna are shared and discussed.
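To make the static and hybrid steps named in the abstract concrete, the following added example (not code from the paper or from Turna) runs the classic leader-based basic block detection over a small RISC-V listing and then resolves an indirect jump from a recorded trace. The listing, the trace format and the function names are assumptions made for illustration; the paper's own rule set is not reproduced on this page.

```python
# Added example: classic leader-based block detection, not Turna's rule set.
# LISTING is a constructed RV32I disassembly: (address, mnemonic, operands).
LISTING = [
    (0x100, "addi", "a0,zero,0"),
    (0x104, "bge",  "a0,a1,0x114"),   # loop exit test
    (0x108, "addi", "a0,a0,1"),
    (0x10c, "jal",  "zero,0x104"),    # unconditional jump back (j)
    (0x110, "addi", "zero,zero,0"),   # nop, never reached
    (0x114, "jalr", "zero,0(t0)"),    # indirect jump: target unknown statically
    (0x118, "addi", "a0,zero,1"),
    (0x11c, "jalr", "zero,0(ra)"),    # ret
]
BRANCHES = {"beq", "bne", "blt", "bge", "bltu", "bgeu"}

def target(args):
    return int(args.split(",")[-1], 16)   # last operand is the direct target

def basic_blocks(listing):
    """Return the sorted start addresses (leaders) of all basic blocks."""
    addrs = [a for a, _, _ in listing]
    leaders = {addrs[0]}                           # entry point
    for i, (_, op, args) in enumerate(listing):
        if op in BRANCHES or op in ("jal", "jalr"):
            if i + 1 < len(listing):
                leaders.add(addrs[i + 1])          # instruction after a transfer
            if op != "jalr":
                leaders.add(target(args))          # direct branch/jump target
    return sorted(leaders & set(addrs))

def build_cfg(listing, trace=()):
    """Static edges plus (src, dst) jumps observed at run time.
    jal is modelled as a plain jump (rd = zero); call/return edges are not."""
    leaders = basic_blocks(listing)
    edges, unresolved = set(), set()
    for n, start in enumerate(leaders):
        nxt = leaders[n + 1] if n + 1 < len(leaders) else None
        body = [i for i in listing if i[0] >= start and (nxt is None or i[0] < nxt)]
        _, op, args = body[-1]
        if op == "jalr":
            unresolved.add(start)                  # needs runtime information
            continue
        if op in BRANCHES or op == "jal":
            edges.add((start, target(args)))
        if op != "jal" and nxt is not None:
            edges.add((start, nxt))                # fall-through
    for src, dst in trace:                         # hybrid step
        s, d = (max(l for l in leaders if l <= a) for a in (src, dst))
        edges.add((s, d))
        unresolved.discard(s)
    return leaders, sorted(edges), sorted(unresolved)
```

Calling `build_cfg(LISTING)` leaves the blocks ending in `jalr` without successors, while `build_cfg(LISTING, trace=[(0x114, 0x118)])` adds the edge observed at run time; the final `ret` block stays unresolved because its target lies outside the listing.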
Funding
The author did not receive support from any organization for the submitted work.
Contributions
Not applicable.
Ethics declarations
Conflict of interest
The author declares he has no financial interest.
Ethics approval
Not applicable.
Consent to participate
Not applicable.
Consent for publication
Not applicable.
About this article
Cite this article
Sahin, V.H. Turna: a control flow graph reconstruction tool for RISC-V architecture. Computing 105, 1821–1845 (2023). https://doi.org/10.1007/s00607-023-01172-y
DOI: https://doi.org/10.1007/s00607-023-01172-y