
A Next-Generation Platform for Analyzing Executables

Conference paper, in: Malware Detection (Advances in Information Security, ADIS volume 27)

Summary

In recent years, there has been a growing need for tools that an analyst can use to understand the workings of COTS components, plug-ins, mobile code, and DLLs, as well as memory snapshots of worms and virus-infected code. Static analysis provides techniques that can help with such problems; however, there are several obstacles that must be overcome:

  • For many kinds of potentially malicious programs, symbol-table and debugging information is entirely absent. Even if it is present, it cannot be relied upon.

  • To understand memory-access operations, it is necessary to determine the set of addresses accessed by each operation. This is difficult because:

      • While some memory operations use explicit memory addresses in the instruction (easy), others use indirect addressing via address expressions (difficult).

      • Arithmetic on addresses is pervasive. For instance, even when the value of a local variable is loaded from its slot in an activation record, address arithmetic is performed.

      • There is no notion of type at the hardware level, so address values cannot be distinguished from integer values.

      • Memory accesses do not have to be aligned, so word-sized address values could potentially be cobbled together from misaligned reads and writes.

We have developed static-analysis algorithms to recover information about the contents of memory locations and how they are manipulated by an executable. By combining these analyses with facilities provided by the IDAPro and Codesurfer toolkits, we have created CodeSurfer/x86, a prototype tool for browsing, inspecting, and analyzing x86 executables.

From an x86 executable, CodeSurfer/x86 recovers intermediate representations that are similar to what would be created by a compiler for a program written in a high-level language. CodeSurfer/x86 also supports a scripting language, as well as several kinds of sophisticated pattern-matching capabilities. These facilities provide a platform for the development of additional tools for analyzing the security properties of executables.
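The obstacles listed above are easiest to see in a small abstract interpreter that tracks, for every register and memory byte, a finite set of possible values (or TOP, "anything"). The following is an added illustration written for this page; it is not CodeSurfer/x86 code and makes no claim about the authors' algorithms. Every instruction, register value and address in it is constructed: ebp is assumed known at procedure entry and ecx is assumed to be 0 or 4 after an earlier branch. The sample program stores a local through ebp-8 (address arithmetic even for a plain local), reloads the same bits as an untyped value, assembles a 4-byte address from two misaligned 2-byte stores, indexes through ecx so that one instruction may touch two slots, and finally stores through an unknown pointer, which destroys everything the analysis knew about memory.

```python
"""Toy value-set style analysis over a tiny x86-like subset (added example,
not CodeSurfer/x86). A register or memory byte holds either a finite set of
possible values or TOP (None), meaning "could be anything"."""
from itertools import product

TOP = None
MASK = 0xFFFFFFFF
FRAME = 0x0012FF00          # constructed value of ebp at procedure entry


def mem(base, disp, size=4, index=None, scale=1):
    """Memory operand [base + index*scale + disp] of `size` bytes."""
    return ("mem", base, index, scale, disp, size)


class State:
    def __init__(self, regs):
        self.regs = dict(regs)   # register -> value set or TOP
        self.mem = {}            # byte address -> set of byte values


def addr_set(state, base, index, scale, disp):
    """Resolve an address expression to the set of addresses it may denote."""
    bases = state.regs.get(base, TOP) if base else {0}
    idxs = state.regs.get(index, TOP) if index else {0}
    if bases is TOP or idxs is TOP:
        return TOP
    return {(b + i * scale + disp) & MASK for b in bases for i in idxs}


def split_bytes(values, size):
    """Value set -> per-byte value sets, little-endian: a value is just bits."""
    return [{(v >> (8 * i)) & 0xFF for v in values} for i in range(size)]


def load(state, addrs, size):
    """Union of the `size`-byte words readable at every candidate address."""
    if addrs is TOP:
        return TOP
    vals = set()
    for a in addrs:
        parts = [state.mem.get(a + i, TOP) for i in range(size)]
        if TOP in parts:          # one unknown byte makes the whole word unknown
            return TOP
        vals |= {sum(b << (8 * i) for i, b in enumerate(combo))
                 for combo in product(*parts)}
    return vals


def store(state, addrs, values, size):
    """Strong update for one known address, weak update for several."""
    if addrs is TOP:              # store through an unknown pointer: all
        state.mem.clear()         # knowledge about memory contents is lost
        return
    parts = split_bytes(values, size) if values is not TOP else [TOP] * size
    strong = len(addrs) == 1
    for a in addrs:
        for i in range(size):
            old = state.mem.get(a + i, TOP)
            if strong:
                state.mem[a + i] = parts[i]
            elif parts[i] is TOP or old is TOP:
                state.mem[a + i] = TOP
            else:
                state.mem[a + i] = old | parts[i]


def operand(state, op, log, pc):
    """Value set of an operand; memory operands also log the addresses read."""
    if isinstance(op, int):
        return {op & MASK}
    if isinstance(op, str):
        return state.regs.get(op, TOP)
    _, base, index, scale, disp, size = op
    addrs = addr_set(state, base, index, scale, disp)
    log.append((pc, "read", addrs))
    return load(state, addrs, size)


def assign(state, op, values, log, pc):
    """Write a value set to a register or to a memory operand (logged)."""
    if isinstance(op, str):
        state.regs[op] = values
        return
    _, base, index, scale, disp, size = op
    addrs = addr_set(state, base, index, scale, disp)
    log.append((pc, "write", addrs))
    store(state, addrs, values, size)


def analyze(program, entry_regs):
    """Interpret straight-line code; return the final state and, for every
    memory operation, the set of addresses it may access (TOP if unknown)."""
    state, log = State(entry_regs), []
    for pc, (opc, dst, src) in enumerate(program):
        s = operand(state, src, log, pc)
        if opc == "add":
            d = operand(state, dst, log, pc)
            s = TOP if (d is TOP or s is TOP) else {(x + y) & MASK for x in d for y in s}
        assign(state, dst, s, log, pc)
    return state, log


# Constructed sample: ebp known, ecx left as 0 or 4 by an earlier branch.
ENTRY_REGS = {"ebp": {FRAME}, "ecx": {0, 4}}
PROGRAM = [
    ("mov", mem("ebp", -8), 0x00401000),           # 0: a plain local still needs ebp-8
    ("mov", "eax", mem("ebp", -8)),                 # 1: same bits: address or integer?
    ("add", "eax", 0x10),                           # 2: pointer bump or arithmetic?
    ("mov", mem("ebp", -4, 2), 0x1000),             # 3: two misaligned 2-byte stores
    ("mov", mem("ebp", -2, 2), 0x0040),             # 4: ... assemble a 4-byte address
    ("mov", "edx", mem("ebp", -4)),                 # 5: reads back {0x00401000}
    ("mov", mem("ebp", -16), 1),                    # 6: two array slots
    ("mov", mem("ebp", -12), 2),                    # 7
    ("mov", mem("ebp", -16, index="ecx"), 7),       # 8: indirect: either slot, weak update
    ("mov", "ebx", mem("ebp", -16, index="ecx")),   # 9: -> {1, 2, 7}
    ("mov", "esi", mem("edx", 0)),                  # 10: load via the recovered address
    ("mov", mem("esi", 0), 0),                      # 11: store via an unknown pointer
    ("mov", "edi", mem("ebp", -8)),                 # 12: now TOP: knowledge is gone
]

if __name__ == "__main__":
    final, accesses = analyze(PROGRAM, ENTRY_REGS)
    for pc, kind, addrs in accesses:
        shown = "TOP" if addrs is TOP else sorted(hex(a) for a in addrs)
        print(f"{pc:2d} {kind:5s} {shown}")
    print(final.regs)
```

Instruction 8 is the interesting case: because ecx may be 0 or 4, the analysis cannot perform a strong update and both slots end up holding a set, which is exactly the "set of addresses accessed by each operation" the summary asks for. Instruction 11 shows the price of losing track of a pointer: one store through TOP wipes every memory fact, so a later load of the local at ebp-8 is unknown even though nothing in the program overwrote it.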

This chapter is a slightly revised version of a paper that appeared in Proceedings of the 3rd Asian Symposium on Programming Languages and Systems [37]. Portions of the chapter also appeared in [3,5,36].


References

  1. PREfast with driver-specific rules, Oct. 2004. WHDC, Microsoft Corp., http://www.microsoft.com/whdc/devtools/tools/PREfast-dm.mspx.
  2. W. Amme, P. Braun, E. Zehendner, and F. Thomasset. Data dependence analysis of assembly code. Int. J. Parallel Proc., 2000.
  3. G. Balakrishnan and T. Reps. Analyzing memory accesses in x86 executables. In Comp. Construct., pages 5–23, 2004.
  4. G. Balakrishnan and T. Reps. Recency-abstraction for heap-allocated storage. In Static Analysis Symp., 2006.
  5. G. Balakrishnan, T. Reps, D. Melski, and T. Teitelbaum. WYSINWYX: What You See Is Not What You eXecute. In IFIP Working Conf. on Verified Software: Theories, Tools, Experiments, 2005.
  6. T. Ball and S. Rajamani. The SLAM toolkit. In Computer Aided Verif., volume 2102 of Lec. Notes in Comp. Sci., pages 260–264, 2001.
  7. A. Bouajjani, J. Esparza, and O. Maler. Reachability analysis of pushdown automata: Application to model checking. In Proc. CONCUR, volume 1243 of Lec. Notes in Comp. Sci., pages 135–150. Springer-Verlag, 1997.
  8. A. Bouajjani, J. Esparza, and T. Touili. A generic approach to the static analysis of concurrent programs with procedures. In Princ. of Prog. Lang., pages 62–73, 2003.
  9. W. Bush, J. Pincus, and D. Sielaff. A static analyzer for finding dynamic programming errors. Software–Practice & Experience, 30:775–802, 2000.
  10. H. Chen, D. Dean, and D. Wagner. Model checking one million lines of C code. In Network and Dist. Syst. Security, 2004.
  11. H. Chen and D. Wagner. MOPS: An infrastructure for examining security properties of software. In Conf. on Comp. and Commun. Sec., pages 235–244, Nov. 2002.
  12. C. Cifuentes and A. Fraboulet. Intraprocedural static slicing of binary executables. In Int. Conf. on Softw. Maint., pages 188–195, 1997.
  13. E. Clarke, Jr., O. Grumberg, and D. Peled. Model Checking. The M.I.T. Press, 1999.
  14. CodeSurfer, GrammaTech, Inc., http://www.grammatech.com/products/codesurfer/.
  15. J. Corbett, M. Dwyer, J. Hatcliff, S. Laubach, C. Pasareanu, Robby, and H. Zheng. Bandera: Extracting finite-state models from Java source code. In Int. Conf. on Softw. Eng., pages 439–448, 2000.
  16. P. Cousot and R. Cousot. Abstract interpretation: A unified lattice model for static analysis of programs by construction of approximation of fixed points. In Princ. of Prog. Lang., pages 238–252, 1977.
  17. D. Coutant, S. Meloy, and M. Ruscetta. DOC: A practical approach to source-level debugging of globally optimized code. In Prog. Lang. Design and Impl., 1988.
  18. M. Das, S. Lerner, and M. Seigle. ESP: Path-sensitive program verification in polynomial time. In Prog. Lang. Design and Impl., pages 57–68, New York, NY, 2002. ACM Press.
  19. S. Debray, R. Muth, and M. Weippert. Alias analysis of executable code. In Princ. of Prog. Lang., pages 12–24, 1998.
  20. M. Dwyer, G. Avrunin, and J. Corbett. Patterns in property specifications for finite-state verification. In Int. Conf. on Softw. Eng., 1999.
  21. D. Engler, B. Chelf, A. Chou, and S. Hallem. Checking system rules using system-specific, programmer-written compiler extensions. In Op. Syst. Design and Impl., pages 1–16, 2000.
  22. J. Ferrante, K. Ottenstein, and J. Warren. The program dependence graph and its use in optimization. Trans. on Prog. Lang. and Syst., 3(9):319–349, 1987.
  23. A. Finkel, B. Willems, and P. Wolper. A direct symbolic approach to model checking pushdown systems. Elec. Notes in Theor. Comp. Sci., 9, 1997.
  24. Fast Library Identification and Recognition Technology, DataRescue sa/nv, Liège, Belgium, http://www.datarescue.com/idabase/flirt.htm.
  25. B. Guo, M. Bridges, S. Triantafyllis, G. Ottoni, E. Raman, and D. August. Practical and accurate low-level pointer analysis. In 3rd Int. Symp. on Code Gen. and Opt., pages 291–302, 2005.
  26. K. Havelund and T. Pressburger. Model checking Java programs using Java PathFinder. Softw. Tools for Tech. Transfer, 2(4), 2000.
  27. J. Hennessy. Symbolic debugging of optimized code. Trans. on Prog. Lang. and Syst., 4(3):323–344, 1982.
  28. T. Henzinger, R. Jhala, R. Majumdar, and G. Sutre. Lazy abstraction. In Princ. of Prog. Lang., pages 58–70, 2002.
  29. S. Horwitz, T. Reps, and D. Binkley. Interprocedural slicing using dependence graphs. Trans. on Prog. Lang. and Syst., 12(1):26–60, Jan. 1990.
  30. M. Howard. Some bad news and some good news. Oct. 2002. MSDN, Microsoft Corp., http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/htm/secure10102002.asp.
  31. IDAPro disassembler, http://www.datarescue.com/idabase/.
  32. N. Kidd, T. Reps, D. Melski, and A. Lal. WPDS++: A C++ library for weighted pushdown systems, 2004. http://www.cs.wisc.edu/wpis/wpds++/.
  33. A. Lal, T. Reps, and G. Balakrishnan. Extended weighted pushdown systems. In Computer Aided Verif., 2005.
  34. M. Müller-Olm and H. Seidl. Analysis of modular arithmetic. In European Symp. on Programming, 2005.
  35. G. Ramalingam, J. Field, and F. Tip. Aggregate structure identification and its application to program analysis. In Princ. of Prog. Lang., pages 119–132, 1999.
  36. T. Reps, G. Balakrishnan, and J. Lim. Intermediate-representation recovery from low-level code. In Part. Eval. and Semantics-Based Prog. Manip., 2006.
  37. T. Reps, G. Balakrishnan, J. Lim, and T. Teitelbaum. A next-generation platform for analyzing executables. In Asian Symp. on Prog. Lang. and Systems, 2005.
  38. T. Reps and G. Rosay. Precise interprocedural chopping. In Found. of Softw. Eng., 1995.
  39. T. Reps, S. Schwoon, and S. Jha. Weighted pushdown systems and their application to interprocedural dataflow analysis. In Static Analysis Symp., 2003.
  40. T. Reps, S. Schwoon, S. Jha, and D. Melski. Weighted pushdown systems and their application to interprocedural dataflow analysis. Sci. of Comp. Prog., 58(1-2):206–263, Oct. 2005.
  41. S. Schwoon. Moped system. http://www.fmi.uni-stuttgart.de/szs/tools/moped/.
  42. S. Schwoon. Model-Checking Pushdown Systems. PhD thesis, Technical Univ. of Munich, Munich, Germany, July 2002.
  43. D. Wagner, J. Foster, E. Brewer, and A. Aiken. A first step towards automated detection of buffer overrun vulnerabilities. In Network and Dist. Syst. Security, Feb. 2000.
  44. D. Wall. Systems for late code modification. In R. Giegerich and S. Graham, editors, Code Generation–Concepts, Tools, Techniques, pages 275–293. Springer-Verlag, 1992.
  45. R. Wilson and M. Lam. Efficient context-sensitive pointer analysis for C programs. In Prog. Lang. Design and Impl., pages 1–12, 1995.
  46. P. Zellweger. Interactive Source-Level Debugging of Optimized Programs. PhD thesis, Univ. of California, Berkeley, 1984.


Copyright information

© 2007 Springer Science+Business Media, LLC.

About this paper

Cite this paper

Reps, T., Balakrishnan, G., Lim, J., Teitelbaum, T. (2007). A Next-Generation Platform for Analyzing Executables. In: Christodorescu, M., Jha, S., Maughan, D., Song, D., Wang, C. (eds) Malware Detection. Advances in Information Security, vol 27. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-44599-1_3


  • DOI: https://doi.org/10.1007/978-0-387-44599-1_3

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-32720-4

  • Online ISBN: 978-0-387-44599-1
