Extract strings from DWARF debug information (.debug_info, .debug_str, .debug_line)

[unclesp1d3r]

Overview

Extract meaningful strings and metadata from DWARF debug sections present in non-stripped binaries. DWARF debug information contains high-confidence, developer-chosen identifiers that provide significant value for binary analysis even when traditional symbols are unavailable.

Background: What is DWARF?

DWARF (Debugging With Attributed Record Formats) is a standardized debugging data format used by compilers to embed source-level information into binaries. It's the dominant debug format for ELF (Linux/Unix) and Mach-O (macOS) binaries compiled with -g flags.

Key DWARF Sections

• .debug_info: Core debugging data containing DIEs (Debug Information Entries) with function/variable names, types, and source locations
• .debug_str: String table containing all text references from .debug_info
• .debug_line: Line number program mapping machine instructions to source file paths and line numbers
• .debug_abbrev: Abbreviation declarations describing DIE structure (needed for parsing .debug_info)
• .debug_types (DWARF 4), .debug_str_offsets (DWARF 5): Additional optimization sections

Value Proposition

High-Confidence Identifiers

DWARF data is structured and intentional—not arbitrary byte patterns. Extracting from DWARF provides:

• Function names: handle_authentication, decrypt_payload, validate_license
• Variable names: secret_key, api_endpoint, config_path
• Type information: struct UserCredentials, class DatabaseConnection
• Source file paths: /home/builder/project/src/crypto/aes.c, revealing project structure

Intelligence Value

• Build environment disclosure: Absolute paths expose developer machines, CI systems, directory structures
• Code organization: Source file names reveal architectural patterns and module boundaries
• Semantic context: Variable/function names provide intent rather than raw string literals
• Reverse engineering: Symbolic names dramatically accelerate understanding compiled code

Complementary to Existing Extraction

DWARF augments rather than replaces existing string extraction:

• Symbols: DWARF works when .symtab is stripped but debug sections remain
• Section data: DWARF names often don't appear in .rodata (they're in .debug_str)
• Imports/exports: DWARF reveals internal implementation details, not just API boundaries

Proposed Implementation

1. Add gimli Dependency

[dependencies]
gimli = "0.29"
object = "0.36"  # Provides DWARF section reader interface

Rationale: gimli is the de-facto Rust DWARF parser, maintained by the Rust debugging tools team and used by addr2line, cargo, and debuggers.

2. Extend Existing Types

In src/types.rs:

• StringSource::DebugInfo already exists ✅
• Add new Tag variants:

  pub enum Tag {
      // ... existing tags
      DwarfSymbol,      // Function/variable name from DW_AT_name
      DwarfFilePath,    // Source file path from DW_AT_comp_dir / DW_AT_decl_file
      DwarfType,        // Type name from DW_TAG_structure_type, DW_TAG_class_type
  }

3. Create DWARF Extraction Module

New file: src/extraction/dwarf.rs

use gimli::{Dwarf, EndianSlice, RunTimeEndian};
use object::{Object, ObjectSection};

pub struct DwarfExtractor {
    skip_dwarf: bool,
    max_section_size: Option<usize>,
}

impl DwarfExtractor {
    pub fn extract(&self, data: &[u8], format: BinaryFormat) -> Result<Vec<FoundString>> {
        // 1. Load DWARF sections using object crate
        // 2. Parse with gimli::Dwarf
        // 3. Iterate compilation units
        // 4. Extract DW_AT_name, DW_AT_comp_dir, DW_AT_decl_file
        // 5. Return FoundString with high scores (90+)
    }
}

4. Integration Points

In src/container/elf.rs:

• Classify DWARF sections correctly (already done: SectionType::Debug for .debug_* ✅)
• Ensure DWARF sections are included in ContainerInfo

In src/extraction/mod.rs:

• Import and instantiate DwarfExtractor
• Call after section-based extraction
• Coordinate with deduplication logic

5. CLI Integration

In src/main.rs (when CLI is implemented):

#[derive(Parser)]
struct Args {
    // ... existing args
    
    /// Skip DWARF debug section extraction (faster for large binaries)
    #[arg(long)]
    skip_dwarf: bool,
    
    /// Maximum DWARF section size to process (in MB)
    #[arg(long, default_value = "100")]
    max_dwarf_size: usize,
}

Technical Considerations

Performance

• DWARF parsing is CPU-intensive: A single .debug_info section can be 50-200MB in optimized Rust binaries with full debug info
• Mitigation strategies:
  • --skip-dwarf flag for performance-critical scenarios
  • Size limits (--max-dwarf-size) to skip enormous sections
  • Lazy parsing: only process compilation units, skip full type graphs
  • Skip .debug_types initially (less string content, high complexity)

Binary Size Realities

• Stripped binaries (strip --strip-debug): No DWARF sections → graceful no-op
• Partially stripped (strip --strip-unneeded): May retain DWARF → full extraction
• Debug builds: Massive DWARF sections (10-100x code size) → sampling or limits needed

Scoring Strategy

Assign high scores since DWARF strings are definitionally meaningful:

• Function/variable names (DW_AT_name): Score 95
• Source file paths (DW_AT_comp_dir, DW_AT_decl_file): Score 90
• Type names (DW_TAG_structure_type): Score 92

These should rank above most .rodata strings but below critical items like hardcoded URLs/keys.

Deduplication

• Problem: A string like parse_config may appear in:

  1. .debug_str (DWARF)
  2. .symtab (symbol table)
  3. .dynstr (dynamic symbols)
  4. .rodata (error messages mentioning the function)

• Solution: Deduplication by (text, encoding) tuple in final output, preserving highest score and all relevant tags.

Security & Privacy

• Build path disclosure: DWARF exposes absolute paths like /home/alice/secret-project/src/
  • This is intentional for binary analysis—users examining untrusted binaries want this intel
  • Document in output that DWARF reveals build environment details

Implementation Checklist

• Add gimli and object dependencies to Cargo.toml
• Create src/extraction/dwarf.rs module
• Add DwarfSymbol, DwarfFilePath, DwarfType tags to Tag enum
• Implement DwarfExtractor::extract() method
  • Load DWARF sections from ELF/Mach-O
  • Parse .debug_info compilation units
  • Extract DW_AT_name attributes → FoundString with Tag::DwarfSymbol
  • Extract DW_AT_comp_dir / DW_AT_decl_file → Tag::DwarfFilePath
  • Extract structure/class type names → Tag::DwarfType
• Add --skip-dwarf and --max-dwarf-size CLI flags
• Integrate into main extraction pipeline
• Add deduplication logic for DWARF + symbol table overlap
• Write unit tests with small DWARF samples
• Write integration tests:
  • Test with stripped binary (no DWARF)
  • Test with debug build (full DWARF)
  • Test with large DWARF section (size limits)
• Document DWARF extraction in README and --help

Testing Strategy

Unit Tests

• Mock DWARF sections with known DIEs
• Verify extraction of specific DW_AT_name values
• Test score assignment logic

Integration Tests

Create test fixtures:

1. tests/fixtures/hello_debug: Minimal C program compiled with -g
2. tests/fixtures/hello_stripped: Same binary with strip --strip-debug
3. tests/fixtures/rust_debug: Rust binary with full debug info (tests demangling + DWARF)

Expected behavior:

• hello_debug: Extract function names (main, printf), source path
• hello_stripped: Gracefully skip, no errors
• rust_debug: Extract Rust function names, handle DWARF 4/5 versions

References

• DWARF 5 Standard
• gimli crate documentation
• DWARF sections overview
• Practical Binary Analysis (Chapter 6: Symbolic Execution) - discusses DWARF usage in reverse engineering

Success Criteria

1. ✅ Extract all DW_AT_name attributes from .debug_info
2. ✅ Extract source file paths from line number programs
3. ✅ Handle DWARF versions 2-5 gracefully
4. ✅ --skip-dwarf flag works correctly
5. ✅ No crashes on malformed DWARF (handle gimli parse errors)
6. ✅ Deduplication prevents duplicate strings from DWARF + symtab
7. ✅ Documentation includes DWARF extraction examples

[traycerai]

Plan

Observations

The codebase features a modular architecture with established container parsing for ELF, PE, and Mach-O formats using the goblin crate. The types.rs module includes StringSource::DebugInfo and SectionType::Debug, facilitating DWARF integration. Extraction and classification modules are placeholders awaiting implementation. The ELF parser correctly identifies DWARF sections like .debug_info and .debug_str. CLI structure in main.rs supports extensible argument parsing. Documentation and test fixtures exist but lack DWARF-specific content. The project follows Rust best practices with Cargo dependencies and integration testing patterns.

Approach

Implement DWARF string extraction by adding gimli and object dependencies for parsing. Create a dwarf.rs module to load DWARF sections, traverse DIEs in compilation units, and extract high-value strings from DW_AT_name, DW_AT_comp_dir, and DW_AT_decl_file attributes. Extend the Tag enum with DwarfSymbol, DwarfFilePath, and DwarfType variants. Integrate into the extraction pipeline with configurable skipping via CLI flags. Assign scores of 90-95 to DWARF strings based on their structured nature. Add unit and integration tests using debug-compiled fixtures, and update documentation to cover the new feature.

Reasoning

Examined the repository structure and key files including Cargo.toml, types.rs, extraction mod, container parsers, main.rs, and documentation. Reviewed existing section classification logic in ELF parser to confirm DWARF section handling. Studied the proposed implementation in the ticket for gimli usage patterns, attribute extraction, and scoring strategy. Analyzed test fixtures and integration test patterns to plan appropriate testing coverage. Consulted gimli documentation examples for DIE traversal and string resolution techniques.

Proposed File Changes

📄 Cargo.toml ^(MODIFY) 🔗

Add the following dependencies to the [dependencies] section:

• gimli = "0.29" for DWARF parsing capabilities, including support for reading compilation units, traversing DIEs, and extracting attribute values.
• object = "0.36" to interface with binary sections, load DWARF data into buffers, and handle endianness detection as demonstrated in gimli examples.

These crates enable robust DWARF section processing without introducing optional features, keeping the core binary lightweight while providing essential debug information extraction.

📄 src/types.rs ^(MODIFY) 🔗

Extend the Tag enum with new variants to classify DWARF-extracted strings:

• DwarfSymbol for function and variable names derived from DW_AT_name attributes on DW_TAG_subprogram and DW_TAG_variable DIEs.
• DwarfFilePath for source file paths resolved from DW_AT_comp_dir and DW_AT_decl_file attributes, building on the existing FilePath tag for consistency.
• DwarfType for type names from DW_TAG_structure_type, DW_TAG_class_type, and similar DIEs representing structs, classes, and enums.

Use #[serde(rename = "dwarf-symbol")], #[serde(rename = "dwarf-file-path")], and #[serde(rename = "dwarf-type")] attributes to ensure proper JSON serialization. These tags enable filtering and identification of DWARF-sourced content in outputs, complementing existing tags like Symbol and FilePath.

📄 src/extraction/mod.rs ^(MODIFY) 🔗

References

• 📄 src/types.rs ^(MODIFY)

Introduce the extraction module structure by defining:

• ExtractionConfig struct with fields: skip_dwarf: bool (default: false), max_dwarf_size: Option<usize> (default: Some(100 * 1024 * 1024) for 100MB limit), and other extraction parameters like minimum string lengths.

• Public function pub fn extract_strings(data: &[u8], container_info: &ContainerInfo, config: &ExtractionConfig) -> Result<Vec<FoundString>, Box<dyn Error>> to orchestrate extraction from multiple sources, including a conditional call to DWARF extraction if not skipped.

• Module declaration pub mod dwarf; to expose the new submodule.

• Basic error handling and logging for extraction failures.

This establishes the pipeline foundation, allowing DWARF extraction to integrate seamlessly as one phase among section scanning and symbol table processing.

📄 src/extraction/dwarf.rs ^(NEW) 🔗

References

• 📄 src/types.rs ^(MODIFY)
• 📄 src/container/mod.rs

Implement the DWARF extraction module as follows:

• Define pub fn extract_dwarf_strings(sections: &[Section], data: &[u8], config: &ExtractionConfig) -> Result<Vec<FoundString>, Box<dyn Error>> as the entry point.

• Identify relevant DWARF sections (.debug_info, .debug_str, .debug_line, .debug_abbrev, .debug_types) from the provided sections vector, skipping if config.skip_dwarf is true or section size exceeds max_dwarf_size.

• Use the object crate to create an Object from data and load section data into gimli::DwarfSections buffers.

• Construct gimli::Dwarf with EndianSlice readers, detecting endianness from the binary format.

• Iterate over compilation units using dwarf.units() and type units with dwarf.debug_types().

• For each unit, traverse DIEs with unit.entries() and next_dfs() to visit all entries depth-first.

• Extract strings via:

  • DW_AT_name: Use dwarf.attr_string(unit, attr.value())? to get UTF-8 strings, create FoundString with text, encoding: Encoding::Utf8, source: StringSource::DebugInfo, tags: vec![Tag::DwarfSymbol], score: 95.
  • DW_AT_comp_dir: Resolve as directory path, tag with Tag::DwarfFilePath, score 90.
  • DW_AT_decl_file: Combine with line program (unit.line_program) to resolve full file path using header.file(index).as_ref()?.path().to_string_lossy(), prepend DW_AT_comp_dir if available, tag Tag::DwarfFilePath, score 90.
  • For type DIEs (DW_TAG_structure_type, etc.): Extract name with Tag::DwarfType, score 92.

• Set offset to approximate position (section offset + attribute offset), section to the source section name, rva: None, length: text.len() as u32.

• Deduplicate within DWARF results using a HashSet<String> before returning.

• Handle errors gracefully: malformed sections return empty vec, log warnings for parse failures.

• Support DWARF versions 2-5 implicitly via gimli's compatibility layer.

Reference gimli examples for DwarfSections::load, unit iteration, and attribute resolution to ensure correct API usage.

📄 src/main.rs ^(MODIFY) 🔗

References

• 📄 src/extraction/mod.rs ^(MODIFY)

Enhance the CLI parsing and main logic to support DWARF extraction:

• Add to Cli struct (using clap::Parser): #[arg(long, default_value_t = false, help = "Skip DWARF debug section extraction (faster for large binaries)")] skip_dwarf: bool, and #[arg(long, default_value_t = 100, help = "Maximum DWARF section size to process (in MB)")] max_dwarf_size: usize,.

• In the main function, after parsing the binary and obtaining ContainerInfo:

  • Create ExtractionConfig { skip_dwarf: cli.skip_dwarf, max_dwarf_size: Some(cli.max_dwarf_size * 1024 * 1024), ..Default::default() }.
  • Call extraction::extract_strings(&file_data, &container_info, &config)? to get Vec<FoundString>.
  • Proceed to classification, ranking, and output as per existing pipeline (placeholders to be filled).

• Update error handling to propagate extraction errors.

• For now, if extraction is not yet fully implemented, add a debug print showing config values to verify flag parsing.

This integrates user controls into the workflow, enabling performance tuning for DWARF processing.

📄 src/lib.rs ^(MODIFY) 🔗

References

• 📄 src/extraction/mod.rs ^(MODIFY)

Update the library documentation and public API:

• In the module docstring, add a section describing DWARF extraction: "Supports extraction from DWARF debug sections using the gimli crate, providing function names, source paths, and type information with high confidence scores."

• Re-export ExtractionConfig from extraction module: pub use extraction::{extract_strings, ExtractionConfig};.

• Update "Current Implementation Status" to note: "DWARF extraction: Implemented via src/extraction/dwarf.rs, integrated into main pipeline."

• Add an example usage snippet showing DWARF-enabled extraction.

This ensures the crate's public interface reflects the new functionality and guides library users on DWARF features.

📄 tests/integration_dwarf.rs ^(NEW) 🔗

References

• 📄 tests/integration_elf.rs
• 📄 tests/fixtures/README.md

Create comprehensive integration tests for DWARF extraction, following patterns from tests/integration_elf.rs:

• Use #[test] functions with fixtures: Assume new fixtures tests/fixtures/hello_debug (C program compiled with gcc -g), tests/fixtures/hello_stripped (stripped version), and tests/fixtures/rust_debug (Rust binary with debug info).

• Test section detection: Verify parse_elf identifies DWARF sections as SectionType::Debug.

• Test extraction with debug binary: Call extract_strings with skip_dwarf: false, assert extracted strings include expected DW_AT_name like "main", "printf" with Tag::DwarfSymbol, score >=95, source: StringSource::DebugInfo.

• Test file path extraction: Assert paths like "hello.c" or full /path/to/hello.c with Tag::DwarfFilePath, score 90.

• Test type extraction: For Rust fixture, verify struct names with Tag::DwarfType.

• Test skip flag: With skip_dwarf: true, assert no DWARF strings in results.

• Test size limit: Mock a large section, verify skipping when exceeding max_dwarf_size.

• Test stripped binary: No crash, empty DWARF results.

• Test malformed DWARF: Use a corrupted fixture, ensure graceful error handling without panic.

• Use insta::assert_snapshot! for output validation, comparing JSON-serialized FoundString vectors.

• Add #[cfg(feature = "integration")] if needed, and helper functions like get_fixture_path("hello_debug").

These tests validate the full pipeline, from section loading to string creation and scoring.

📄 README.md ^(MODIFY) 🔗

Enhance the README to highlight DWARF extraction capabilities:

• In "Features" section, add bullet: "🔍 DWARF Debug Extraction: Retrieve function names, variable identifiers, type information, and source file paths from debug sections in non-stripped binaries."

• In "Usage" section, include CLI examples:

  # Full extraction including DWARF
  cargo run -- target/debug/my_binary
  
  # Skip DWARF for performance
  cargo run -- --skip-dwarf target/debug/my_binary
  
  # Limit DWARF section size
  cargo run -- --max-dwarf-size 50 target/debug/my_binary

• Update "Development Status" or "Roadmap" to mark DWARF extraction as ✅ Implemented.

• In "Advantages" section, add: "- Extracts semantic identifiers from DWARF debug info, revealing internal implementation details beyond surface-level strings."

• Add to "Acknowledgements": "- gimli crate for robust DWARF parsing."

• Include a brief example output showing a DWARF-extracted function name with tags and score.

These updates inform users about the feature, its benefits, and usage options.

📄 docs/src/string-extraction.md ^(MODIFY) 🔗

References

• 📄 src/extraction/dwarf.rs ^(NEW)

Expand the string extraction documentation with a dedicated DWARF section:

• Add heading "## DWARF Debug Information Extraction" describing the value of extracting from .debug_info, .debug_str, .debug_line, etc., including examples of function names, paths, and types.

• Detail the implementation: gimli crate usage, DIE traversal, attribute extraction (DW_AT_name, etc.), and path resolution via line programs.

• Cover scoring: 95 for symbols, 90 for paths, 92 for types, explaining high confidence due to structured data.

• Discuss performance mitigations: skip flag, size limits, and when to use stripped binaries.

• Include deduplication notes: How DWARF strings merge with symtab/rodata results, preserving best score and tags.

• Provide code snippets (non-executable) showing extraction flow and FoundString creation.

• Reference DWARF standard and gimli docs.

• End with usage example in JSON output format.

This comprehensive doc serves as a user guide and technical reference for the feature.

📄 .kiro/specs/stringy-binary-analyzer/tasks.md ^(MODIFY) 🔗

Update the tasks document by adding or completing the DWARF extraction task:

• Insert or modify task Implement File Path Classification for POSIX, Windows, and Registry Paths #17 (or appropriate number): "Implement DWARF debug information extraction"
  • Subtasks:
    • Add gimli and object dependencies
    • Create src/extraction/dwarf.rs module
    • Extend Tag enum with DwarfSymbol, DwarfFilePath, DwarfType
    • Implement DIE traversal and attribute extraction (DW_AT_name, DW_AT_comp_dir, DW_AT_decl_file)
    • Add CLI flags --skip-dwarf and --max-dwarf-size
    • Integrate into extraction pipeline with deduplication
    • Implement scoring (90-95 range)
    • Add unit tests for attribute parsing
    • Add integration tests for debug/stripped/large binaries
    • Update documentation (README, string-extraction.md)
  • Requirements: High-confidence string extraction from debug sections, performance controls.

Mark subtasks as completed based on this plan's implementation. Ensure the task aligns with the epic for enhanced analyzer capabilities.

Import In IDE

🤖 Prompt for AI Agents

I have created the following plan after thorough exploration and analysis of the codebase. Follow the below plan verbatim. Trust the files and references. Do not re-verify what's written in the plan. Explore only when absolutely necessary. First implement all the proposed file changes and then I'll review all the changes together at the end.

### Observations

The codebase features a modular architecture with established container parsing for ELF, PE, and Mach-O formats using the `goblin` crate. The `types.rs` module includes `StringSource::DebugInfo` and `SectionType::Debug`, facilitating DWARF integration. Extraction and classification modules are placeholders awaiting implementation. The ELF parser correctly identifies DWARF sections like `.debug_info` and `.debug_str`. CLI structure in `main.rs` supports extensible argument parsing. Documentation and test fixtures exist but lack DWARF-specific content. The project follows Rust best practices with Cargo dependencies and integration testing patterns.

### Approach

Implement DWARF string extraction by adding `gimli` and `object` dependencies for parsing. Create a `dwarf.rs` module to load DWARF sections, traverse DIEs in compilation units, and extract high-value strings from `DW_AT_name`, `DW_AT_comp_dir`, and `DW_AT_decl_file` attributes. Extend the `Tag` enum with `DwarfSymbol`, `DwarfFilePath`, and `DwarfType` variants. Integrate into the extraction pipeline with configurable skipping via CLI flags. Assign scores of 90-95 to DWARF strings based on their structured nature. Add unit and integration tests using debug-compiled fixtures, and update documentation to cover the new feature.

### Reasoning

Examined the repository structure and key files including Cargo.toml, types.rs, extraction mod, container parsers, main.rs, and documentation. Reviewed existing section classification logic in ELF parser to confirm DWARF section handling. Studied the proposed implementation in the ticket for gimli usage patterns, attribute extraction, and scoring strategy. Analyzed test fixtures and integration test patterns to plan appropriate testing coverage. Consulted gimli documentation examples for DIE traversal and string resolution techniques.

## Proposed File Changes

### Cargo.toml(MODIFY)

Add the following dependencies to the `[dependencies]` section:

- `gimli = "0.29"` for DWARF parsing capabilities, including support for reading compilation units, traversing DIEs, and extracting attribute values.
- `object = "0.36"` to interface with binary sections, load DWARF data into buffers, and handle endianness detection as demonstrated in gimli examples.

These crates enable robust DWARF section processing without introducing optional features, keeping the core binary lightweight while providing essential debug information extraction.

### src/types.rs(MODIFY)

Extend the `Tag` enum with new variants to classify DWARF-extracted strings:

- `DwarfSymbol` for function and variable names derived from `DW_AT_name` attributes on `DW_TAG_subprogram` and `DW_TAG_variable` DIEs.
- `DwarfFilePath` for source file paths resolved from `DW_AT_comp_dir` and `DW_AT_decl_file` attributes, building on the existing `FilePath` tag for consistency.
- `DwarfType` for type names from `DW_TAG_structure_type`, `DW_TAG_class_type`, and similar DIEs representing structs, classes, and enums.

Use `#[serde(rename = "dwarf-symbol")]`, `#[serde(rename = "dwarf-file-path")]`, and `#[serde(rename = "dwarf-type")]` attributes to ensure proper JSON serialization. These tags enable filtering and identification of DWARF-sourced content in outputs, complementing existing tags like `Symbol` and `FilePath`.

### src/extraction/mod.rs(MODIFY)

References: 

- src/types.rs(MODIFY)

Introduce the extraction module structure by defining:

- `ExtractionConfig` struct with fields: `skip_dwarf: bool` (default: false), `max_dwarf_size: Option<usize>` (default: Some(100 * 1024 * 1024) for 100MB limit), and other extraction parameters like minimum string lengths.

- Public function `pub fn extract_strings(data: &[u8], container_info: &ContainerInfo, config: &ExtractionConfig) -> Result<Vec<FoundString>, Box<dyn Error>>` to orchestrate extraction from multiple sources, including a conditional call to DWARF extraction if not skipped.

- Module declaration `pub mod dwarf;` to expose the new submodule.

- Basic error handling and logging for extraction failures.

This establishes the pipeline foundation, allowing DWARF extraction to integrate seamlessly as one phase among section scanning and symbol table processing.

### src/extraction/dwarf.rs(NEW)

References: 

- src/types.rs(MODIFY)
- src/container/mod.rs

Implement the DWARF extraction module as follows:

- Define `pub fn extract_dwarf_strings(sections: &[Section], data: &[u8], config: &ExtractionConfig) -> Result<Vec<FoundString>, Box<dyn Error>>` as the entry point.

- Identify relevant DWARF sections (`.debug_info`, `.debug_str`, `.debug_line`, `.debug_abbrev`, `.debug_types`) from the provided `sections` vector, skipping if `config.skip_dwarf` is true or section size exceeds `max_dwarf_size`.

- Use the `object` crate to create an `Object` from `data` and load section data into `gimli::DwarfSections` buffers.

- Construct `gimli::Dwarf` with `EndianSlice` readers, detecting endianness from the binary format.

- Iterate over compilation units using `dwarf.units()` and type units with `dwarf.debug_types()`.

- For each unit, traverse DIEs with `unit.entries()` and `next_dfs()` to visit all entries depth-first.

- Extract strings via:
  - `DW_AT_name`: Use `dwarf.attr_string(unit, attr.value())?` to get UTF-8 strings, create `FoundString` with `text`, `encoding: Encoding::Utf8`, `source: StringSource::DebugInfo`, `tags: vec![Tag::DwarfSymbol]`, `score: 95`.
  - `DW_AT_comp_dir`: Resolve as directory path, tag with `Tag::DwarfFilePath`, score 90.
  - `DW_AT_decl_file`: Combine with line program (`unit.line_program`) to resolve full file path using `header.file(index).as_ref()?.path().to_string_lossy()`, prepend `DW_AT_comp_dir` if available, tag `Tag::DwarfFilePath`, score 90.
  - For type DIEs (`DW_TAG_structure_type`, etc.): Extract name with `Tag::DwarfType`, score 92.

- Set `offset` to approximate position (section offset + attribute offset), `section` to the source section name, `rva: None`, `length: text.len() as u32`.

- Deduplicate within DWARF results using a `HashSet<String>` before returning.

- Handle errors gracefully: malformed sections return empty vec, log warnings for parse failures.

- Support DWARF versions 2-5 implicitly via gimli's compatibility layer.

Reference gimli examples for `DwarfSections::load`, unit iteration, and attribute resolution to ensure correct API usage.

### src/main.rs(MODIFY)

References: 

- src/extraction/mod.rs(MODIFY)

Enhance the CLI parsing and main logic to support DWARF extraction:

- Add to `Cli` struct (using `clap::Parser`): `#[arg(long, default_value_t = false, help = "Skip DWARF debug section extraction (faster for large binaries)")] skip_dwarf: bool,` and `#[arg(long, default_value_t = 100, help = "Maximum DWARF section size to process (in MB)")] max_dwarf_size: usize,`.

- In the `main` function, after parsing the binary and obtaining `ContainerInfo`:
  - Create `ExtractionConfig { skip_dwarf: cli.skip_dwarf, max_dwarf_size: Some(cli.max_dwarf_size * 1024 * 1024), ..Default::default() }`.
  - Call `extraction::extract_strings(&file_data, &container_info, &config)?` to get `Vec<FoundString>`.
  - Proceed to classification, ranking, and output as per existing pipeline (placeholders to be filled).

- Update error handling to propagate extraction errors.

- For now, if extraction is not yet fully implemented, add a debug print showing config values to verify flag parsing.

This integrates user controls into the workflow, enabling performance tuning for DWARF processing.

### src/lib.rs(MODIFY)

References: 

- src/extraction/mod.rs(MODIFY)

Update the library documentation and public API:

- In the module docstring, add a section describing DWARF extraction: "Supports extraction from DWARF debug sections using the gimli crate, providing function names, source paths, and type information with high confidence scores."

- Re-export `ExtractionConfig` from `extraction` module: `pub use extraction::{extract_strings, ExtractionConfig};`.

- Update "Current Implementation Status" to note: "DWARF extraction: Implemented via src/extraction/dwarf.rs, integrated into main pipeline."

- Add an example usage snippet showing DWARF-enabled extraction.

This ensures the crate's public interface reflects the new functionality and guides library users on DWARF features.

### tests/integration_dwarf.rs(NEW)

References: 

- tests/integration_elf.rs
- tests/fixtures/README.md

Create comprehensive integration tests for DWARF extraction, following patterns from `tests/integration_elf.rs`:

- Use `#[test]` functions with fixtures: Assume new fixtures `tests/fixtures/hello_debug` (C program compiled with `gcc -g`), `tests/fixtures/hello_stripped` (stripped version), and `tests/fixtures/rust_debug` (Rust binary with debug info).

- Test section detection: Verify `parse_elf` identifies DWARF sections as `SectionType::Debug`.

- Test extraction with debug binary: Call `extract_strings` with `skip_dwarf: false`, assert extracted strings include expected `DW_AT_name` like "main", "printf" with `Tag::DwarfSymbol`, score >=95, `source: StringSource::DebugInfo`.

- Test file path extraction: Assert paths like "hello.c" or full `/path/to/hello.c` with `Tag::DwarfFilePath`, score 90.

- Test type extraction: For Rust fixture, verify struct names with `Tag::DwarfType`.

- Test skip flag: With `skip_dwarf: true`, assert no DWARF strings in results.

- Test size limit: Mock a large section, verify skipping when exceeding `max_dwarf_size`.

- Test stripped binary: No crash, empty DWARF results.

- Test malformed DWARF: Use a corrupted fixture, ensure graceful error handling without panic.

- Use `insta::assert_snapshot!` for output validation, comparing JSON-serialized `FoundString` vectors.

- Add `#[cfg(feature = "integration")]` if needed, and helper functions like `get_fixture_path("hello_debug")`.

These tests validate the full pipeline, from section loading to string creation and scoring.

### README.md(MODIFY)

Enhance the README to highlight DWARF extraction capabilities:

- In "Features" section, add bullet: "🔍 DWARF Debug Extraction: Retrieve function names, variable identifiers, type information, and source file paths from debug sections in non-stripped binaries."

- In "Usage" section, include CLI examples:
  ```bash
  # Full extraction including DWARF
  cargo run -- target/debug/my_binary
  
  # Skip DWARF for performance
  cargo run -- --skip-dwarf target/debug/my_binary
  
  # Limit DWARF section size
  cargo run -- --max-dwarf-size 50 target/debug/my_binary
  ```

- Update "Development Status" or "Roadmap" to mark DWARF extraction as ✅ Implemented.

- In "Advantages" section, add: "- Extracts semantic identifiers from DWARF debug info, revealing internal implementation details beyond surface-level strings."

- Add to "Acknowledgements": "- gimli crate for robust DWARF parsing."

- Include a brief example output showing a DWARF-extracted function name with tags and score.

These updates inform users about the feature, its benefits, and usage options.

### docs/src/string-extraction.md(MODIFY)

References: 

- src/extraction/dwarf.rs(NEW)

Expand the string extraction documentation with a dedicated DWARF section:

- Add heading "## DWARF Debug Information Extraction" describing the value of extracting from `.debug_info`, `.debug_str`, `.debug_line`, etc., including examples of function names, paths, and types.

- Detail the implementation: gimli crate usage, DIE traversal, attribute extraction (`DW_AT_name`, etc.), and path resolution via line programs.

- Cover scoring: 95 for symbols, 90 for paths, 92 for types, explaining high confidence due to structured data.

- Discuss performance mitigations: skip flag, size limits, and when to use stripped binaries.

- Include deduplication notes: How DWARF strings merge with symtab/rodata results, preserving best score and tags.

- Provide code snippets (non-executable) showing extraction flow and `FoundString` creation.

- Reference DWARF standard and gimli docs.

- End with usage example in JSON output format.

This comprehensive doc serves as a user guide and technical reference for the feature.

### .kiro/specs/stringy-binary-analyzer/tasks.md(MODIFY)

Update the tasks document by adding or completing the DWARF extraction task:

- Insert or modify task #17 (or appropriate number): "Implement DWARF debug information extraction"
  - Subtasks:
    - [x] Add gimli and object dependencies
    - [x] Create src/extraction/dwarf.rs module
    - [x] Extend Tag enum with DwarfSymbol, DwarfFilePath, DwarfType
    - [x] Implement DIE traversal and attribute extraction (DW_AT_name, DW_AT_comp_dir, DW_AT_decl_file)
    - [x] Add CLI flags --skip-dwarf and --max-dwarf-size
    - [x] Integrate into extraction pipeline with deduplication
    - [x] Implement scoring (90-95 range)
    - [x] Add unit tests for attribute parsing
    - [x] Add integration tests for debug/stripped/large binaries
    - [x] Update documentation (README, string-extraction.md)
  - Requirements: High-confidence string extraction from debug sections, performance controls.

Mark subtasks as completed based on this plan's implementation. Ensure the task aligns with the epic for enhanced analyzer capabilities.

---

Developer Humor

In the depths of .debug_info, where DIEs dwell,\n> Gimli parses the secrets that compilers tell.\n> Function names emerge, paths come to light,\n> With scores so high, they're a reverse engineer's delight!\n> But strip the debug, and they vanish from sight—\n> Use --skip-dwarf if you want speed, not insight. 🛠️🔍

---

Execution Information

Branch: main
Commit: 37cfc7c

---

💡 Tips

Supported Commands (Inside Comments)

• Use @traycerai generate to iterate on the previous version of the implementation plan.

Supported Commands (Inside Description)

• Add @traycerai ignore anywhere in the ticket description to prevent this ticket from being processed.
• Add @traycerai branch:<branch-name> anywhere in the ticket description to specify the target branch for the implementation plan.

Community

• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[unclesp1d3r]

@coderabbitai Enhance this issue body with additional context and a proposed solution. Improve the issue title and assign the proper labels and other metadata.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Get current issue details
gh issue view 62 --json title,body,labels,assignees,milestone,state

Length of output: 1705

---

🏁 Script executed:

#!/bin/bash
# Explore the project structure to understand extraction patterns
fd -t f -e rs | head -20

Length of output: 277

---

🏁 Script executed:

#!/bin/bash
# Look for existing extraction source definitions
rg -n "ExtractionSource" --type=rs -C3

Length of output: 26

---

🏁 Script executed:

#!/bin/bash
# Check for existing string extraction implementations
rg -n "extract.*string" --type=rs -i -C2

Length of output: 26

---

🏁 Script executed:

#!/bin/bash
# Check if gimli is already in dependencies
cat Cargo.toml | grep -A 20 "\[dependencies\]"

Length of output: 385

---

🏁 Script executed:

#!/bin/bash
# Look for any existing DWARF-related code
rg -n "dwarf\|DWARF" --type=rs -i

Length of output: 26

---

🏁 Script executed:

#!/bin/bash
# Check the main binary/library structure
ls -la src/

Length of output: 530

---

🏁 Script executed:

#!/bin/bash
# Read the main README to understand project context
cat README.md

Length of output: 7196

---

🏁 Script executed:

#!/bin/bash
# Look at the types to understand the data structures
cat src/types.rs

Length of output: 5122

---

🏁 Script executed:

#!/bin/bash
# Look at extraction module to understand current extraction patterns
cat src/extraction/mod.rs

Length of output: 26

---

🏁 Script executed:

#!/bin/bash
# Look at container modules to understand how sections are parsed
cat src/container/mod.rs

Length of output: 2262

---

🏁 Script executed:

#!/bin/bash
# Check ELF container implementation for pattern
cat src/container/elf.rs

Length of output: 23307

---

🏁 Script executed:

#!/bin/bash
# Look at classification module
cat src/classification/mod.rs

Length of output: 30

---

🏁 Script executed:

#!/bin/bash
# Check lib.rs to understand the main API
cat src/lib.rs

Length of output: 1939

---

🏁 Script executed:

#!/bin/bash
# List all available labels in the repository
gh label list --limit 100

Length of output: 1519

---

🏁 Script executed:

#!/bin/bash
# Update the issue with enhanced content
gh issue edit 62 \
  --title "Extract strings from DWARF debug information (.debug_info, .debug_str, .debug_line)" \
  --body "## Overview

Extract meaningful strings and metadata from DWARF debug sections present in non-stripped binaries. DWARF debug information contains high-confidence, developer-chosen identifiers that provide significant value for binary analysis even when traditional symbols are unavailable.

## Background: What is DWARF?

DWARF (Debugging With Attributed Record Formats) is a standardized debugging data format used by compilers to embed source-level information into binaries. It's the dominant debug format for ELF (Linux/Unix) and Mach-O (macOS) binaries compiled with \`-g\` flags.

### Key DWARF Sections

- **\`.debug_info\`**: Core debugging data containing DIEs (Debug Information Entries) with function/variable names, types, and source locations
- **\`.debug_str\`**: String table containing all text references from \`.debug_info\`
- **\`.debug_line\`**: Line number program mapping machine instructions to source file paths and line numbers
- **\`.debug_abbrev\`**: Abbreviation declarations describing DIE structure (needed for parsing \`.debug_info\`)
- **\`.debug_types\`** (DWARF 4), **\`.debug_str_offsets\`** (DWARF 5): Additional optimization sections

## Value Proposition

### High-Confidence Identifiers
DWARF data is **structured and intentional**—not arbitrary byte patterns. Extracting from DWARF provides:

- **Function names**: \`handle_authentication\`, \`decrypt_payload\`, \`validate_license\`
- **Variable names**: \`secret_key\`, \`api_endpoint\`, \`config_path\`
- **Type information**: \`struct UserCredentials\`, \`class DatabaseConnection\`
- **Source file paths**: \`/home/builder/project/src/crypto/aes.c\`, revealing project structure

### Intelligence Value

- **Build environment disclosure**: Absolute paths expose developer machines, CI systems, directory structures
- **Code organization**: Source file names reveal architectural patterns and module boundaries
- **Semantic context**: Variable/function names provide intent rather than raw string literals
- **Reverse engineering**: Symbolic names dramatically accelerate understanding compiled code

### Complementary to Existing Extraction

DWARF augments rather than replaces existing string extraction:
- **Symbols**: DWARF works when \`.symtab\` is stripped but debug sections remain
- **Section data**: DWARF names often don't appear in \`.rodata\` (they're in \`.debug_str\`)
- **Imports/exports**: DWARF reveals *internal* implementation details, not just API boundaries

## Proposed Implementation

### 1. Add \`gimli\` Dependency

\`\`\`toml
[dependencies]
gimli = \"0.29\"
object = \"0.36\"  # Provides DWARF section reader interface
\`\`\`

**Rationale**: \`gimli\` is the de-facto Rust DWARF parser, maintained by the Rust debugging tools team and used by \`addr2line\`, \`cargo\`, and debuggers.

### 2. Extend Existing Types

**In \`src/types.rs\`**:
- \`StringSource::DebugInfo\` already exists ✅
- Add new \`Tag\` variants:
  \`\`\`rust
  pub enum Tag {
      // ... existing tags
      DwarfSymbol,      // Function/variable name from DW_AT_name
      DwarfFilePath,    // Source file path from DW_AT_comp_dir / DW_AT_decl_file
      DwarfType,        // Type name from DW_TAG_structure_type, DW_TAG_class_type
  }
  \`\`\`

### 3. Create DWARF Extraction Module

**New file: \`src/extraction/dwarf.rs\`**

\`\`\`rust
use gimli::{Dwarf, EndianSlice, RunTimeEndian};
use object::{Object, ObjectSection};

pub struct DwarfExtractor {
    skip_dwarf: bool,
    max_section_size: Option<usize>,
}

impl DwarfExtractor {
    pub fn extract(&self, data: &[u8], format: BinaryFormat) -> Result<Vec<FoundString>> {
        // 1. Load DWARF sections using object crate
        // 2. Parse with gimli::Dwarf
        // 3. Iterate compilation units
        // 4. Extract DW_AT_name, DW_AT_comp_dir, DW_AT_decl_file
        // 5. Return FoundString with high scores (90+)
    }
}
\`\`\`

### 4. Integration Points

**In \`src/container/elf.rs\`**:
- Classify DWARF sections correctly (already done: \`SectionType::Debug\` for \`.debug_*\` ✅)
- Ensure DWARF sections are included in \`ContainerInfo\`

**In \`src/extraction/mod.rs\`**:
- Import and instantiate \`DwarfExtractor\`
- Call after section-based extraction
- Coordinate with deduplication logic

### 5. CLI Integration

**In \`src/main.rs\` (when CLI is implemented)**:
\`\`\`rust
#[derive(Parser)]
struct Args {
    // ... existing args
    
    /// Skip DWARF debug section extraction (faster for large binaries)
    #[arg(long)]
    skip_dwarf: bool,
    
    /// Maximum DWARF section size to process (in MB)
    #[arg(long, default_value = \"100\")]
    max_dwarf_size: usize,
}
\`\`\`

## Technical Considerations

### Performance

- **DWARF parsing is CPU-intensive**: A single \`.debug_info\` section can be 50-200MB in optimized Rust binaries with full debug info
- **Mitigation strategies**:
  - \`--skip-dwarf\` flag for performance-critical scenarios
  - Size limits (\`--max-dwarf-size\`) to skip enormous sections
  - Lazy parsing: only process compilation units, skip full type graphs
  - Skip \`.debug_types\` initially (less string content, high complexity)

### Binary Size Realities

- **Stripped binaries** (\`strip --strip-debug\`): No DWARF sections → graceful no-op
- **Partially stripped** (\`strip --strip-unneeded\`): May retain DWARF → full extraction
- **Debug builds**: Massive DWARF sections (10-100x code size) → sampling or limits needed

### Scoring Strategy

Assign high scores since DWARF strings are definitionally meaningful:

- **Function/variable names** (\`DW_AT_name\`): Score **95**
- **Source file paths** (\`DW_AT_comp_dir\`, \`DW_AT_decl_file\`): Score **90**
- **Type names** (\`DW_TAG_structure_type\`): Score **92**

These should rank above most \`.rodata\` strings but below critical items like hardcoded URLs/keys.

### Deduplication

- **Problem**: A string like \`parse_config\` may appear in:
  1. \`.debug_str\` (DWARF)
  2. \`.symtab\` (symbol table)
  3. \`.dynstr\` (dynamic symbols)
  4. \`.rodata\` (error messages mentioning the function)

- **Solution**: Deduplication by \`(text, encoding)\` tuple in final output, preserving highest score and all relevant tags.

### Security & Privacy

- **Build path disclosure**: DWARF exposes absolute paths like \`/home/alice/secret-project/src/\`
  - This is **intentional** for binary analysis—users examining untrusted binaries want this intel
  - Document in output that DWARF reveals build environment details

## Implementation Checklist

- [ ] Add \`gimli\` and \`object\` dependencies to \`Cargo.toml\`
- [ ] Create \`src/extraction/dwarf.rs\` module
- [ ] Add \`DwarfSymbol\`, \`DwarfFilePath\`, \`DwarfType\` tags to \`Tag\` enum
- [ ] Implement \`DwarfExtractor::extract()\` method
  - [ ] Load DWARF sections from ELF/Mach-O
  - [ ] Parse \`.debug_info\` compilation units
  - [ ] Extract \`DW_AT_name\` attributes → \`FoundString\` with \`Tag::DwarfSymbol\`
  - [ ] Extract \`DW_AT_comp_dir\` / \`DW_AT_decl_file\` → \`Tag::DwarfFilePath\`
  - [ ] Extract structure/class type names → \`Tag::DwarfType\`
- [ ] Add \`--skip-dwarf\` and \`--max-dwarf-size\` CLI flags
- [ ] Integrate into main extraction pipeline
- [ ] Add deduplication logic for DWARF + symbol table overlap
- [ ] Write unit tests with small DWARF samples
- [ ] Write integration tests:
  - [ ] Test with stripped binary (no DWARF)
  - [ ] Test with debug build (full DWARF)
  - [ ] Test with large DWARF section (size limits)
- [ ] Document DWARF extraction in README and \`--help\`

## Testing Strategy

### Unit Tests
- Mock DWARF sections with known DIEs
- Verify extraction of specific \`DW_AT_name\` values
- Test score assignment logic

### Integration Tests
Create test fixtures:
1. **\`tests/fixtures/hello_debug\`**: Minimal C program compiled with \`-g\`
2. **\`tests/fixtures/hello_stripped\`**: Same binary with \`strip --strip-debug\`
3. **\`tests/fixtures/rust_debug\`**: Rust binary with full debug info (tests demangling + DWARF)

Expected behavior:
- \`hello_debug\`: Extract function names (\`main\`, \`printf\`), source path
- \`hello_stripped\`: Gracefully skip, no errors
- \`rust_debug\`: Extract Rust function names, handle DWARF 4/5 versions

## References

- [DWARF 5 Standard](http://dwarfstd.org/)
- [\`gimli\` crate documentation](https://docs.rs/gimli/)
- [DWARF sections overview](https://wiki.osdev.org/DWARF)
- [Practical Binary Analysis (Chapter 6: Symbolic Execution)](https://nostarch.com/binaryanalysis) - discusses DWARF usage in reverse engineering

## Success Criteria

1. ✅ Extract all \`DW_AT_name\` attributes from \`.debug_info\`
2. ✅ Extract source file paths from line number programs
3. ✅ Handle DWARF versions 2-5 gracefully
4. ✅ \`--skip-dwarf\` flag works correctly
5. ✅ No crashes on malformed DWARF (handle \`gimli\` parse errors)
6. ✅ Deduplication prevents duplicate strings from DWARF + symtab
7. ✅ Documentation includes DWARF extraction examples" \
  --add-label "area:analyzer" \
  --add-label "MVP" \
  --add-label "priority:medium" \
  --add-label "needs:tests" \
  --add-label "epic"

Length of output: 61

---

@unclesp1d3r I've successfully enhanced issue #62 with comprehensive context and implementation details. Here's what was improved:

🎯 Enhanced Title

Before: "DWARF Debug Information Extraction"
After: "Extract strings from DWARF debug information (.debug_info, .debug_str, .debug_line)"

The new title is more specific and immediately tells developers which sections are involved.

📋 Major Content Additions

1. Background Section

• Explains what DWARF is and why it matters
• Documents key DWARF sections and their purposes
• Clarifies the difference between DWARF versions (2-5)

2. Detailed Value Proposition

• Intelligence value: build environment disclosure, code organization insights
• Complementary nature: works when symbols are stripped but debug info remains
• Real-world examples of extractable data

3. Concrete Implementation Plan

• Specific dependency versions (gimli = "0.29", object = "0.36")
• Code skeleton for DwarfExtractor struct
• Integration points within existing codebase architecture
• New Tag variants: DwarfSymbol, DwarfFilePath, DwarfType

4. Technical Considerations

• Performance: DWARF sections can be 50-200MB; proposed --skip-dwarf flag and size limits
• Scoring strategy: Function names (95), source paths (90), type names (92)
• Deduplication logic: Handles strings appearing in both DWARF and symbol tables
• Security implications: Documents build path disclosure as intentional feature

5. Implementation Checklist

Complete 13-step checklist covering dependencies, module creation, integration, testing, and documentation.

6. Testing Strategy

Specific test fixtures with expected behaviors:

• hello_debug (with DWARF)
• hello_stripped (graceful handling)
• rust_debug (DWARF 4/5 + demangling)

7. References

Links to DWARF standard, gimli docs, and relevant technical resources.

🏷️ Metadata & Labels Applied

• area:analyzer - Binary analyzer functionality
• MVP - Critical for minimum viable product
• priority:medium - Important but not blocking
• needs:tests - Requires comprehensive test coverage
• epic - Large feature spanning multiple tasks

🔑 Key Architecture Insights

The enhanced issue leverages existing codebase strengths:

• ✅ StringSource::DebugInfo already exists in types.rs
• ✅ ELF parser already classifies .debug_* sections as SectionType::Debug
• ✅ Trait-based ContainerParser design makes integration straightforward
• ✅ Existing scoring and tagging system can accommodate DWARF-specific tags

The issue is now ready for implementation with clear technical direction, measurable success criteria, and proper prioritization within your project roadmap.