Skip to main content
Log in

Context-sensitive analysis without calling-context

Higher-Order and Symbolic Computation

    We’re sorry, something doesn't seem to be working properly.

    Please try refreshing the page. If that doesn't work, please contact support so we can address the problem.

Abstract

Since Sharir and Pnueli, algorithms for context-sensitivity have been defined in terms of ‘valid’ paths in an interprocedural flow graph. The definition of valid paths requires atomic call and ret statements, and encapsulated procedures. Thus, the resulting algorithms are not directly applicable when behavior similar to call and ret instructions may be realized using non-atomic statements, or when procedures do not have rigid boundaries, such as with programs in low level languages like assembly or RTL.

We present a framework for context-sensitive analysis that requires neither atomic call and ret instructions, nor encapsulated procedures. The framework presented decouples the transfer of control semantics and the context manipulation semantics of statements. A new definition of context-sensitivity, called stack contexts, is developed. A stack context, which is defined using trace semantics, is more general than Sharir and Pnueli’s interprocedural path based calling-context. An abstract interpretation based framework is developed to reason about stack-contexts and to derive analogues of calling-context based algorithms using stack-context.

The framework presented is suitable for deriving algorithms for analyzing binary programs, such as malware, that employ obfuscations with the deliberate intent of defeating automated analysis. The framework is used to create a context-sensitive version of Venable et al.’s algorithm for analyzing x86 binaries without requiring that a binary conforms to a standard compilation model for maintaining procedures, calls, and returns. Experimental results show that a context-sensitive analysis using stack-context performs just as well for programs where the use of Sharir and Pnueli’s calling-context produces correct approximations. However, if those programs are transformed to use call obfuscations, a context-sensitive analysis using stack-context still provides the same, correct results and without any additional overhead.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Amme, W., Braun, P., Zehendner, E., Thomasset, F.: Data dependence analysis of assembly code. In: Int. J. Parallel Proc. (2000)

    Google Scholar 

  2. Backes, W.: Programmanalyse des XRTL Zwischencodes (in German.). Ph.D. thesis, Universität des Saarlandes (2004)

  3. Balakrishnan, G., Reps, T.: WYSINWYX: What you see is not what you eXecute. ACM Trans. Program. Lang. Syst. 32, 23:1–23:84 (2010)

    Article  Google Scholar 

  4. Bergeron, J., Debbabi, M., Desharnais, J., Erhioui, M., Lavoie, Y., Tawbi, N.: Static detection of malicious code in executable programs. In: Proceedings of the International Symposium on Requirements Engineering for Information Security SREIS’01, pp. 1–8 (2001)

    Google Scholar 

  5. Bergeron, J., Debbabi, M., Erhioui, M., Ktari, B.: Static analysis of binary code to isolate malicious behaviors. In: Proceedings of the IEEE 8th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, pp. 184–189 (1999)

    Chapter  Google Scholar 

  6. Christodorescu, M., Jha S.: Static analysis of executables to detect malicious patterns. In: Proc. of the 12th USENIX Security Symposium (2003)

    Google Scholar 

  7. Cifuentes, C., Fraboulet, A.: Interprocedural data flow recovery of high-level language code from assembly. Technical Report 421, Univ. Queensland (1997)

  8. Cifuentes, C., Fraboulet, A.: Intraprocedural static slicing of binary executables. In: Proc. Int. Conf. on Software Maintenance (ICSM), pp. 188–195 (1997)

    Chapter  Google Scholar 

  9. Cifuentes, C., Simon, D., Fraboulet, A.: Assembly to high-level language translation. In: Proc. Int. Conf. on Software Maintenance (ICSM), pp. 228–237 (1998)

    Google Scholar 

  10. Collberg, C., Nagra, J.: Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection. Addison Wesley, Reading (2010)

    Google Scholar 

  11. Collberg, C.S., Thomborson, C.: Watermarking, tamper-proofing, and obfuscation tools for software protection. IEEE Trans. Softw. Eng. 28(8), 735–746 (2002)

    Article  Google Scholar 

  12. Coogan, K., Debray, S., Kaochar, T., Townsend, G.: Automatic static unpacking of malware binaries. In: 2009, WCRE’09, 16th Working Conference on Reverse Engineering, pp. 167–176 (2009)

    Chapter  Google Scholar 

  13. Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixed points. In: Proc. Principles of Programming Languages (POPL), Los Angeles, CA, USA, pp. 238–252 (1977)

    Google Scholar 

  14. Cousot, P., Cousot, R.: Systematic design of program analysis frameworks by abstract interpretation. In: Proc. Principles of Programming Languages (POPL), San Antonio, TX, USA, pp. 269–282 (1979)

    Google Scholar 

  15. Cousot, P., Cousot, R.: Basic concepts of abstract interpretation. In: IFIP World Computer Congress, Toulouse France, pp. 359–366 (2004)

    Google Scholar 

  16. Dalla Preda, M.: Code obfuscation and malware detection by abstract interpretation. Ph.D. thesis, Università di Verona (2007)

  17. DallaPreda, M., Christodorescu, M., Jha S., Debray S.: A semantics-based approach to malware detection. In: Proc. Principles of Programming Languages (POPL), New York, NY, USA, pp. 377–388 (2007)

    Google Scholar 

  18. DallaPreda, M., Giacobazzi, R.: Semantics-based code obfuscation by abstract interpretation. J. Comput. Secur. 17(6), 855–908 (2009)

    Google Scholar 

  19. DallaPreda, M., Giacobazzi, R., Debray, S., Coogan, K., Townsend, G.M.: Modelling metamorphism by abstract interpretation. In: Proceedings of the 17th International Conference on Static Analysis, Berlin, Heidelberg, pp. 218–235 (2010)

    Google Scholar 

  20. DallaPreda, M., Madou, M., De Bosschere, K., Giacobazzi, R.: Opaque predicates detection by abstract interpretation. Algebraic Methodology and Software Technology, pp. 81–95 (2006)

  21. Debray, S.K., Muth, R., Weippert, M.: Alias analysis of executable code. In: Proc. Principles of Programming Languages (POPL), pp. 12–24 (1998)

    Google Scholar 

  22. Emami, M., Ghiya, R., Hendren, L.J.: Context-sensitive interprocedural points-to analysis in the presence of function pointers. SIGPLAN Not. 29(6), 242–256 (1994)

    Article  Google Scholar 

  23. Engelmore, R., Morgan, T.: Blackboard Systems, vol. 141. Addison-Wesley, Reading (1988)

    Google Scholar 

  24. Giacobazzi, R.: Hiding information in completeness holes: new perspectives in code obfuscation and watermarking. In: 2008 Sixth IEEE International Conference on Software Engineering and Formal Methods, pp. 7–18 (2008)

    Chapter  Google Scholar 

  25. Goodwin, D.W.: Interprocedural dataflow analysis in an executable optimizer. In: Conf. on Prog. Lang. Design and Implementation (PLDI), New York, NY, USA, pp. 122–133 (1997)

    Chapter  Google Scholar 

  26. Guo, B., Bridges, M.J., Triantafyllis, S., Ottoni, G., Raman, E., August, D.: Practical and accurate low-level pointer analysis. In: 3nd Int. Symp. on Code Gen. and Opt. (2005)

    Google Scholar 

  27. IdaPro: Ida Pro—Disassembler. http://www.hex-rays.com/idapro/ (Last accessed October 2010)

  28. Khedkar, U.P., Sanyal, A., Karkare, B.: Data Flow Analysis: Theory and Practice. CRC Press, Boca Raton (2009)

    Book  Google Scholar 

  29. Kinder, J., Veith, H., Zuleger, F.: An abstract interpretation-based framework for control flow reconstruction from binaries. In: 10th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI 2009), pp. 214–228 (2009)

    Chapter  Google Scholar 

  30. Lakhotia, A., Kumar, E.U.: Abstracting stack to detect obfuscated calls in binaries. In: 4th IEEE Int. Workshop on Source Code Analysis and Manipulation (SCAM), Chicago, Illinois (2004)

    Google Scholar 

  31. Lakhotia, A., Kumar, E.U., Venable, M.: A method for detecting obfuscated calls in malicious binaries. IEEE Trans. Softw. Eng. 31(11), 955–968 (2005)

    Article  Google Scholar 

  32. Lakhotia, A., Singh, P.K.: Challenges in getting ‘formal’ with viruses. Virus Bull., pp. 15–19 (2003)

  33. Lal, A., Reps, T.: Improving pushdown system model checking. In: Proc. Computer-Aided Verification (2006)

    Google Scholar 

  34. Larus, J.R., Schnarr, E.: EEL: Machine-independent executable editing. In: Conf. on Prog. Lang. Design and Implementation (PLDI), pp. 291–300 (1995)

    Google Scholar 

  35. Lhoták, O., Hendren, L.: Context-sensitive points-to analysis: Is it worth it. In: Compiler Construction, 15th International Conference. LNCS, vol. 3923, pp. 47–64 (2006)

    Chapter  Google Scholar 

  36. Linn, C., Debray, S.: Obfuscation of executable code to improve resistance to static disassembly. In: 10th ACM Conf. on Computer and Communications Security (CCS) (2003)

    Google Scholar 

  37. McDonald, J.: Delphi falls prey. http://www.symantec.com/connect/blogs/delphi-falls-prey (Last accessed October 2010)

  38. Might, M., Shivers, O.: Environment analysis via ΔCFA. SIGPLAN Not. 41(1), 127–140 (2006)

    Article  Google Scholar 

  39. Mycroft, A.: Type-based decompilation. In: European Symp. on Programming (ESOP) (1999)

    Google Scholar 

  40. Reps, T., Balakrishnan, G.: Improved memory-access analysis for x86 executables. In: Proc. Int. Conf. on Compiler Construction (2008)

    Google Scholar 

  41. Reps, T., Balakrishnan, G., Lim, J.: Intermediate-representation recovery from low-level code. In: Proc. Workshop on Partial Evaluation and Program Manipulation (PEPM), Charleston, SC (2006)

    Google Scholar 

  42. Reps, T., Lim, J., Thakur, A., Balakrishnan, G., Lal, A.: There’s plenty of room at the bottom: analyzing and verifying machine code. In: Computer Aided Verification, pp. 41–56 (2010)

    Chapter  Google Scholar 

  43. Reps, T., Schwoon, S., Jha, S., Melski, D.: Weighted pushdown systems and their application to interprocedural dataflow analysis. Sci. Comput. Program. 58(1–2), 206–263 (2005)

    Article  MATH  MathSciNet  Google Scholar 

  44. Sagiv, M., Reps, T., Horwitz, S.: Precise interprocedural dataflow analysis with applications to constant propagation. Theor. Comput. Sci. 167(1–2), 131–170 (1996)

    Article  MATH  MathSciNet  Google Scholar 

  45. Schwarz, B., Debray, S.K., Andrews, G.R.: PLTO: A link-time optimizer for the Intel IA-32 architecture. In: Proc. Workshop on Binary Translation (WBT) (2001)

    Google Scholar 

  46. Sharir, M., Pnueli, A.: Two approaches to interprocedural data flow analysis. In: Muchnick, S.S., Jones, N.D. (eds.) Program Flow Analysis: Theory and Applications, Chap. 7, pp. 189–234. Prentice-Hall, Englewood Cliffs (1981)

    Google Scholar 

  47. Srivastava, A., Wall, D.: A practical system for intermodule code optimization at linktime. J. Program. Lang. 1(I), 1–18 (1993)

    Google Scholar 

  48. Symantec, Inc., Understanding heuristics. http://www.symantec.com/avcenter/reference/heuristc.pdf (1997)

  49. Thakur, A., Lim, J., Lal, A., Burton, A., Driscoll, E., Elder, M., Andersen, T., Reps, T.: Directed proof generation for machine code. In: Computer Aided Verification, pp. 288–305 (2010)

    Chapter  Google Scholar 

  50. Thompson, K.: Reflections on trusting trust. Commun. ACM 27(8), 761–763 (1984)

    Article  Google Scholar 

  51. Venable, M., Chouchane, M.R., Karim, M.E., Lakhotia, A.: Analyzing memory accesses in obfuscated x86 executables. In: DIMVA’05, pp. 1–18 (2005)

    Google Scholar 

  52. Walenstein, A., Mathur, R., Chouchane, M.R., Lakhotia, A.: Normalizing metamorphic malware using term-rewriting. In: 6th IEEE Int. Workshop on Source Code Analysis and Manipulation (SCAM) (2006)

    Google Scholar 

  53. Walenstein, A., Mathur, R., Chouchane, M.R., Lakhotia, A.: The design space of metamorphic malware. In: 2nd International Conference on i-Warfare and Security (ICIW) (2007)

    Google Scholar 

  54. Whaley, J., Lam, M.S.: Cloning-based context-sensitive pointer alias analysis using binary decision diagrams. In: PLDI’04: Proceedings of the ACM SIGPLAN 2004 conference on Programming language design and implementation, New York, NY, USA, pp. 131–144 (2004)

    Chapter  Google Scholar 

  55. Zhu, J.: Towards scalable flow and context sensitive pointer analysis. In: DAC’05: Proceedings of the 42nd Annual Design Automation Conference, New York, NY, USA, pp. 831–836 (2005)

    Chapter  Google Scholar 

  56. Zhu, J., Calman, S.: Symbolic pointer analysis revisited. In: PLDI’04: Proceedings of the ACM SIGPLAN 2004 Conference on Programming Language Design and Implementation, New York, NY, USA, pp. 145–157 (2004)

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Arun Lakhotia.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Lakhotia, A., Boccardo, D.R., Singh, A. et al. Context-sensitive analysis without calling-context. Higher-Order Symb Comput 23, 275–313 (2010). https://doi.org/10.1007/s10990-011-9080-1

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10990-011-9080-1

Keywords

Navigation