Skip to main content
SpringerLink
Log in
Book cover

Asian Symposium on Programming Languages and Systems

APLAS 2005: Programming Languages and Systems pp 212–229Cite as

A Next-Generation Platform for Analyzing Executables

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 3780))

Abstract

In recent years, there has been a growing need for tools that an analyst can use to understand the workings of COTS components, plugins, mobile code, and DLLs, as well as memory snapshots of worms and virus-infected code. Static analysis provides techniques that can help with such problems; however, there are several obstacles that must be overcome:

– For many kinds of potentially malicious programs, symbol-table and debugging information is entirely absent. Even if it is present, it cannot be relied upon.

– To understand memory-access operations, it is necessary to determine the set of addresses accessed by each operation. This is difficult because

  • While some memory operations use explicit memory addresses in the instruction (easy), others use indirect addressing via address expressions (difficult).

  • Arithmetic on addresses is pervasive. For instance, even when the value of a local variable is loaded from its slot in an activation record, address arithmetic is performed.

  • There is no notion of type at the hardware level, so address values cannot be distinguished from integer values.

  • Memory accesses do not have to be aligned, so word-sized address values could potentially be cobbled together from misaligned reads and writes.

We have developed static-analysis algorithms to recover information about the contents of memory locations and how they are manipulated by an executable. By combining these analyses with facilities provided by the IDAPro and CodeSurfer toolkits, we have created CodeSurfer/x86, a prototype tool for browsing, inspecting, and analyzing x86 executables. From an x86 executable, CodeSurfer/x86 recovers intermediate representations that are similar to what would be created by a compiler for a program written in a high-level language. CodeSurfer/x86 also supports a scripting language, as well as several kinds of sophisticated pattern-matching capabilities. These facilities provide a platform for the development of additional tools for analyzing the security properties of executables.

Portions of this paper have appeared in [3,4].

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. PREfast with driver-specific rules (October 2004) WHDC, Microsoft Corp., http://www.microsoft.com/whdc/devtools/tools/PREfast-drv.mspx

  2. Amme, W., Braun, P., Zehendner, E., Thomasset, F.: Data dependence analysis of assembly code. Int. J. Parallel Proc. (2000)

    Google Scholar 

  3. Balakrishnan, G., Reps, T.: Analyzing memory accesses in x86 executables. Comp. Construct., 5–23 (2004)

    Google Scholar 

  4. Balakrishnan, G., Reps, T., Melski, D., Teitelbaum, T.: WYSINWYX: What You See Is Not What You eXecute. In: IFIP Working Conf. on Verified Software: Theories, Tools, Experiments (2005)

    Google Scholar 

  5. Ball, T., Rajamani, S.K.: The SLAM toolkit. In: Berry, G., Comon, H., Finkel, A. (eds.) CAV 2001. LNCS, vol. 2102, pp. 260–264. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  6. Bouajjani, A., Esparza, J., Maler, O.: Reachability analysis of pushdown automata: Application to model checking. In: Proc. CONCUR. LNCS, vol. 1243, pp. 135–150. Springer, Heidelberg (1997)

    Google Scholar 

  7. Bouajjani, A., Esparza, J., Touili, T.: A generic approach to the static analysis of concurrent programs with procedures. In: Princ. of Prog. Lang., pp. 62–73 (2003)

    Google Scholar 

  8. Bush, W., Pincus, J., Sielaff, D.: A static analyzer for finding dynamic programming errors. Software–Practice & Experience 30, 775–802 (2000)

    Article  MATH  Google Scholar 

  9. Chen, H., Dean, D., Wagner, D.: Model checking one million lines of C code. Network and Dist. Syst. Security (2004)

    Google Scholar 

  10. Chen, H., Wagner, D.: MOPS: An infrastructure for examining security properties of software. In: Conf. on Comp. and Commun. Sec., November 2002, pp. 235–244 (2002)

    Google Scholar 

  11. Cifuentes, C., Fraboulet, A.: Intraprocedural static slicing of binary executables. In: Int. Conf. on Softw. Maint., pp. 188–195 (1997)

    Google Scholar 

  12. Clarke Jr., E.M., Grumberg, O., Peled, D.A.: Model Checking. MIT Press, Cambridge (1999)

    Google Scholar 

  13. CodeSurfer, GrammaTech, Inc., http://www.grammatech.com/products/codesurfer/

  14. Corbett, J.C., Dwyer, M.B., Hatcliff, J., Laubach, S., Robby, C.S.P. , Zheng, H.: Bandera: Extracting finite-state models from Java source code. In: Int. Conf. on Softw. Eng., pp. 439–448 (2000)

    Google Scholar 

  15. Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction of approximation of fixed points. In: Princ. of Prog. Lang., pp. 238–252 (1977)

    Google Scholar 

  16. Coutant, D.S., Meloy, S., Ruscetta, M.: DOC: A practical approach to source-level debugging of globally optimized code. In: Prog. Lang. Design and Impl. (1988)

    Google Scholar 

  17. Das, M., Lerner, S., Seigle, M.: ESP: Path-sensitive program verification in polynomial time. In: Prog. Lang. Design and Impl., pp. 57–68. ACM Press, New York (2002)

    Google Scholar 

  18. Debray, S.K., Muth, R., Weippert, M.: Alias analysis of executable code. In: Princ. of Prog. Lang., pp. 12–24 (1998)

    Google Scholar 

  19. Dwyer, M., Avrunin, G., Corbett, J.: Patterns in property specifications for finite-state verification. In: Int. Conf. on Softw. Eng. (1999)

    Google Scholar 

  20. Engler, D.R., Chelf, B., Chou, A., Hallem, S.: Checking system rules using system-specific, programmer-written compiler extensions. Op. Syst. Design and Impl., 1–16 (2000)

    Google Scholar 

  21. Ferrante, J., Ottenstein, K., Warren, J.: The program dependence graph and its use in optimization. Trans. on Prog. Lang. and Syst. 3(9), 319–349 (1987)

    Article  Google Scholar 

  22. Finkel, A., Willems, B., Wolper, P.: A direct symbolic approach to model checking pushdown systems. Elec. Notes in Theor. Comp. Sci. 9 (1997)

    Google Scholar 

  23. Fast Library Identification and Recognition Technology, DataRescue sa/nv, Liège, Belgium, http://www.datarescue.com/idabase/flirt.htm

  24. Guo, B., Bridges, M.J., Triantafyllis, S., Ottoni, G., Raman, E., August, D.I.: Practical and accurate low-level pointer analysis. In: 3rd Int. Symp. on Code Gen. and Opt., pp. 291–302 (2005)

    Google Scholar 

  25. Havelund, K., Pressburger, T.: Model checking Java programs using Java PathFinder. Softw. Tools for Tech. Transfer 2(4) (2000)

    Google Scholar 

  26. Hennessy, J.L.: Symbolic debugging of optimized code. Trans. on Prog. Lang. and Syst. 4(3), 323–344 (1982)

    Article  MATH  Google Scholar 

  27. Henzinger, T.A., Jhala, R., Majumdar, R., Sutre, G.: Lazy abstraction. In: Princ. of Prog. Lang., pp. 58–70 (2002)

    Google Scholar 

  28. Horwitz, S., Reps, T., Binkley, D.: Interprocedural slicing using dependence graphs. Trans. on Prog. Lang. and Syst. 12(1), 26–60 (1990)

    Article  Google Scholar 

  29. Howard, M.: Some bad news and some good news (October 2002) MSDN, Microsoft Corp., http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure10102002.asp

  30. IDAPro disassembler, http://www.datarescue.com/idabase/

  31. Kidd, N., Reps, T., Melski, D., Lal, A.: WPDS++: A C++ library for weighted pushdown systems (2004), http://www.cs.wisc.edu/wpis/wpds++/

  32. Lal, A., Reps, T., Balakrishnan, G.: Extended weighted pushdown systems. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 434–448. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  33. Müller-Olm, M., Seidl, H.: Analysis of modular arithmetic. In: European Symp. on Programming (2005)

    Google Scholar 

  34. Ramalingam, G., Field, J., Tip, F.: Aggregate structure identification and its application to program analysis. In: Princ. of Prog. Lang., pp. 119–132 (1999)

    Google Scholar 

  35. Reps, T., Rosay, G.: Precise interprocedural chopping. In: Found. of Softw. Eng. (1995)

    Google Scholar 

  36. Reps, T., Schwoon, S., Jha, S.: Weighted pushdown systems and their application to interprocedural dataflow analysis. In: Static Analysis Symp. (2003)

    Google Scholar 

  37. Reps, T., Schwoon, S., Jha, S., Melski, D.: Weighted pushdown systems and their application to interprocedural dataflow analysis. In: Sci. of Comp. Prog. (to appear)

    Google Scholar 

  38. Schwoon, S.: Moped system, http://www.fmi.uni-stuttgart.de/szs/tools/moped/

  39. Schwoon, S.: Model-Checking Pushdown Systems. PhD thesis, Technical Univ. of Munich, Munich, Germany (July 2002)

    Google Scholar 

  40. Wagner, D., Foster, J., Brewer, E., Aiken, A.: A first step towards automated detection of buffer overrun vulnerabilities. In: Network and Dist. Syst. Security (February 2000)

    Google Scholar 

  41. Wall, D.W.: Systems for late code modification. In: Giegerich, R., Graham, S.L. (eds.) Code Generation – Concepts, Tools, Techniques, pp. 275–293. Springer, Heidelberg (1992)

    Google Scholar 

  42. Wilson, R.P., Lam, M.S.: Efficient context-sensitive pointer analysis for C programs. In: Prog. Lang. Design and Impl., pp. 1–12 (1995)

    Google Scholar 

  43. Zellweger, P.T.: Interactive Source-Level Debugging of Optimized Programs. PhD thesis, Univ. of California, Berkeley (1984)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Comp. Sci. Dept., University of Wisconsin,  

    T. Reps, G. Balakrishnan & J. Lim

  2. GrammaTech, Inc,  

    T. Reps & T. Teitelbaum

Authors
  1. T. Reps
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. G. Balakrishnan
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. J. Lim
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. T. Teitelbaum
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Seoul National University, Korea

    Kwangkeun Yi

Rights and permissions

Reprints and permissions

Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Reps, T., Balakrishnan, G., Lim, J., Teitelbaum, T. (2005). A Next-Generation Platform for Analyzing Executables. In: Yi, K. (eds) Programming Languages and Systems. APLAS 2005. Lecture Notes in Computer Science, vol 3780. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11575467_15

Download citation

  • DOI: https://doi.org/10.1007/11575467_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-29735-2

  • Online ISBN: 978-3-540-32247-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation