DOI: 10.1145/3797130 ISSN: 2994-970X

Semantics-Guided Control-Flow Reconstruction for Firmware Binaries via Static Analysis

Fengjuan Gao, Qingjie Zhu, Yi Zhang, Yu Wang, Xuandong Li, Ke Wang

Control-flow reconstruction is a fundamental yet challenging problem in firmware analysis, particularly for stripped or raw-format binaries that lack symbolic metadata. Existing methods typically rely on syntactic heuristics or format-specific patterns, which are often inadequate for real-world firmware that contains indirect jumps, hand-written assembly, and little or no metadata.

We present a semantics-guided static analysis framework for accurate control-flow reconstruction in stripped ELF and raw-format firmware binaries. Our approach consists of two complementary components: (i) an intra-procedural control-flow reconstruction method that incrementally recovers direct branches, indirect jumps, and call-return flows via fixpoint-guided value-flow analysis; and (ii) an inter-procedural analysis that resolves indirect calls through cross-function value tracking and loop-structure matching. By decoupling control-flow reasoning from instruction semantics and function abstraction, our framework robustly handles tightly intertwined control-flow patterns and mitigates the impact of misanalysis.
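As an added illustration of the fixpoint-guided value-flow idea in component (i), and not Scarf's code or the authors' algorithm: a toy worklist analysis over a hypothetical register-machine IR. Each register carries either a finite set of constants or TOP ("unknown"); a bounds check refines the table index on the fall-through edge, the jump-table load turns the index set into the set of case targets, and a return through the link register is resolved as just another indirect jump through a tracked value rather than by a syntactic "ret" pattern. The ISA, the sample program, the jump table in MEM and the CAP bound are all constructed for this example.

```python
"""Toy fixpoint-guided value-flow analysis (added example, not Scarf's code).
ISA, program and jump table below are constructed for illustration."""
from collections import deque

TOP = None   # "any value": the analysis lost track of this register
CAP = 64     # bound on value-set size; larger sets collapse to TOP


def join(a, b):
    """Least upper bound of two abstract values (finite int sets, or TOP)."""
    if a is TOP or b is TOP:
        return TOP
    u = a | b
    return TOP if len(u) > CAP else u


def join_state(s, t):
    """Register-wise join; a register unknown on one side becomes TOP."""
    return {r: join(s.get(r, TOP), t.get(r, TOP)) for r in set(s) | set(t)}


def lift(v, f):
    """Apply a concrete unary operation to every element of a value set."""
    return TOP if v is TOP else frozenset(f(x) for x in v)


def step(pc, ins, st, mem):
    """Abstract transfer for one instruction.
    Returns (successors, resolved): successors is a list of (target_pc, state);
    resolved is False when an indirect target could not be bounded, in which
    case the edge is reported as unresolved instead of guessed."""
    st, op = dict(st), ins[0]
    if op == "const":                         # rd = imm
        st[ins[1]] = frozenset([ins[2]])
    elif op == "addi":                        # rd = rs + imm
        st[ins[1]] = lift(st.get(ins[2], TOP), lambda x: x + ins[3])
    elif op == "shl":                         # rd = rs << imm
        st[ins[1]] = lift(st.get(ins[2], TOP), lambda x: x << ins[3])
    elif op == "load":                        # rd = mem[rs]; unknown cell -> TOP
        addrs = st.get(ins[2], TOP)
        if addrs is TOP or any(a not in mem for a in addrs):
            st[ins[1]] = TOP
        else:
            st[ins[1]] = frozenset(mem[a] for a in addrs)
    elif op == "bge":                         # if rs >= imm goto tgt (unsigned)
        _, rs, imm, tgt = ins
        v = st.get(rs, TOP)
        taken, fall = dict(st), dict(st)
        taken[rs] = TOP if v is TOP else frozenset(x for x in v if x >= imm)
        if v is TOP:                          # the bounds check makes the index finite
            fall[rs] = frozenset(range(imm)) if imm <= CAP else TOP
        else:
            fall[rs] = frozenset(x for x in v if x < imm)
        succ = []
        if taken[rs] is TOP or taken[rs]:    # drop infeasible (empty) edges
            succ.append((tgt, taken))
        if fall[rs] is TOP or fall[rs]:
            succ.append((pc + 1, fall))
        return succ, True
    elif op == "bl":                          # call: record return address in lr
        st["lr"] = frozenset([pc + 1])
        return [(ins[1], st)], True
    elif op == "jmp":                         # indirect jump; "jmp lr" is a return
        v = st.get(ins[1], TOP)
        return ([], False) if v is TOP else ([(t, st) for t in sorted(v)], True)
    elif op == "halt":
        return [], True
    else:
        raise ValueError(f"unknown op {op!r} at {pc}")
    return [(pc + 1, st)], True


def analyze(prog, mem, entry, init):
    """Worklist fixpoint; returns (edges, unresolved_pcs, states)."""
    states, edges, unresolved = {entry: dict(init)}, set(), set()
    work = deque([entry])
    while work:
        pc = work.popleft()
        succs, resolved = step(pc, prog[pc], states[pc], mem)
        if not resolved:
            unresolved.add(pc)
        for tgt, st in succs:
            if tgt not in prog:               # target outside the image: reject
                unresolved.add(pc)
                continue
            edges.add((pc, tgt))
            new = st if tgt not in states else join_state(states[tgt], st)
            if tgt not in states or new != states[tgt]:
                states[tgt] = new             # state grew: re-analyse the target
                work.append(tgt)
    return edges, unresolved, states


# Constructed sample: bounds-checked jump table dispatching to two call sites
# of one helper, whose return is a register-indirect "jmp lr".
TABLE = 0x100
PROG = {
    0: ("bge", "r0", 3, 9),          # if r0 >= 3 goto default (9)
    1: ("shl", "r1", "r0", 2),       # r1 = r0 * 4
    2: ("addi", "r1", "r1", TABLE),  # r1 = &table[r0]
    3: ("load", "r2", "r1"),         # r2 = table[r0]
    4: ("jmp", "r2"),                # indirect jump, resolved only via value flow
    5: ("bl", 10), 6: ("halt",),     # case 0: call helper
    7: ("bl", 10), 8: ("halt",),     # case 1: call helper
    9: ("halt",),                    # case 2 / default
    10: ("addi", "r3", "r3", 1),     # helper body
    11: ("jmp", "lr"),               # return = indirect jump through lr
}
MEM = {TABLE: 5, TABLE + 4: 7, TABLE + 8: 9}   # byte-addressed 4-byte table


def run_demo():
    """Analyse PROG from pc 0 with r0 unknown (attacker/peripheral input)."""
    return analyze(PROG, MEM, 0, {"r0": TOP})


if __name__ == "__main__":
    edges, unresolved, _ = run_demo()
    for src, dst in sorted(edges):
        print(f"{src:2d} -> {dst}")
    print("unresolved:", sorted(unresolved))
```

The toy is context-insensitive: both call sites flow into the helper, so the return at 11 is over-approximated as going to both 6 and 8. Unbounded targets are reported in `unresolved` rather than silently dropped or guessed, which is the property a practitioner wants before trusting a recovered CFG for further analysis.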

We implement our approach in Scarf (Semantics-guided Control-flow Analysis for Raw and Firmware binaries) and evaluate it on over 300 real-world firmware binaries in both ELF and raw formats. Compared with state-of-the-art reverse engineering tools, Scarf consistently achieves higher precision in control-flow recovery and demonstrates clear advantages on raw firmware, especially in resolving indirect jumps, call–return flows, and indirect calls. These results demonstrate that semantics-guided analysis provides a robust and scalable foundation for control-flow reconstruction in metadata-deficient firmware.
