Recon 2024

Path of from raw bytes to CodeQL on decompiled code
06-28, 13:00–14:00 (US/Eastern), Grand Salon

This is an hands-on talk about what you can do with the decompiler, a FLOSS decompiler based on LLVM and QEMU.

We will guide the audience step-by-step through how to go from the raw bytes of a file (think, a firmware) to decompiled C code.

Then we'll dig into intermediate representation, based on LLVM IR, and show what tools can be used on it (e.g., KLEE for symbolic execution).

Finally, we'll show how you can use standard tools such as CodeQL and clang-static-analyzer to find bugs in the decompiled C code emitted by, which is always syntactically valid.

Everything that will be shown will be 100% reproducible by the audience in real-time using

Talk outline:

  • From zero to decompiled C code (interactive demo on terminal)
    • Create a 7-bytes long raw binary
    • How to load it into
    • How to produce disassembly
    • Adding prototypes to functions
    • How to produce decompiled code
  • Why you won't need to do any of the above: importing from ELF, DWARF, PE/COFF, PDB, Mach-O, and .idb.
  • Code analysis
    • Describe our internal IR, hint at analysis tools (e.g., KLEE)
    • Find bugs on a simple binary using CodeQL
    • Find bugs on a simple binary using clang-static-analyzer
  • Status: what you can expect to work
  • Final recap: goals and future directions

One day while playing a CTF I thought "hey, this decompiler could be done better".

I like C++, LLVM, binaries, Free Software and privacy.

During my dark academia years I presented at USENIX, DEF CON and several other compilers/computer security conferences.

I'm the co-founder of Labs, the company developing the decompiler.
My activities include overseeing the overall design and maintaining the first half of the decompilation pipeline.

After my MSc in Mathematics I thought it was cool to do something with immediate consequences in the real world and started working in embedded systems.
I got hooked on low level programming, and worked for a few years on automated bug-detection for High-Level Synthesis compilers for FPGAs, during my PhD at Politecnico di Milano.
While trying to decide what to do with my life, I spent a short time at ARM in the Research-Security group, working on fuzzing and static program analysis.
I finally decided to try myself and join Labs as co-founder, to help build the decompiler. So far it's been a great journey!