A next-generation platform for analyzing executables (2005) [8 citations — 4 self]

by T. Reps, G. Balakrishnan, J. Lim, T. Teitelbaum
In APLAS
http://www.cs.wisc.edu/wpis/papers/aplas05.invited.ps

Abstract:

In recent years, there has been a growing need for tools that an analyst can use to understand the workings of COTS components, plugins, mobile code, and DLLs, as well as memory snapshots of worms and virus-infected code. Static analysis provides techniques that can help with such problems; however, there are several obstacles that must be overcome:

- For many kinds of potentially malicious programs, symbol-table and debugging information is entirely absent. Even if it is present, it cannot be relied upon.
- To understand memory-access operations, it is necessary to determine the set of addresses accessed by each operation. This is difficult because:
  - While some memory operations use explicit memory addresses in the instruction (easy), others use indirect addressing via address expressions (difficult).
  - Arithmetic on addresses is pervasive. For instance, even when the value of a local variable is loaded from its slot in an activation record, address arithmetic is performed.
  - There is no notion of type at the hardware level, so address values cannot be distinguished from integer values.
  - Memory accesses do not have to be aligned, so word-sized address values could potentially be cobbled together from misaligned reads and writes.

We have developed static-analysis algorithms to recover information about the contents of memory locations and how they are manipulated by an executable. By combining these analyses with facilities provided by the IDAPro and CodeSurfer toolkits, we have created CodeSurfer/x86, a prototype tool for browsing, inspecting, and analyzing x86 executables. From an x86 executable, CodeSurfer/x86 recovers intermediate representations that are similar to what would be created by a compiler for a program written in a high-level language. CodeSurfer/x86 also supports a scripting language, as well as several kinds of sophisticated pattern-matching capabilities. These facilities provide a platform for the development of additional tools for analyzing the security properties of executables.

Citations

1267 Abstract interpretation : a unified lattice model for the static analysis of programs by construction or approximation of fixpoints – Cousot, Cousot - 1977
672 The program dependence graph and its use in optimization – Ferrante, Ottenstein, et al. - 1987
519 Interprocedural slicing using dependence graphs – Horwitz, Reps, et al. - 1990
403 Bandera: extracting finite-state models from Java source code – Corbett, Dwyer, et al. - 2000
339 Effective context-sensitive pointer analysis for C programs – Wilson, Lam - 1995
238 Lazy Abstraction – Henzinger, Jhala, et al. - 2002
229 Model checking Java programs using Java PathFinder – Havelund, Presburger - 1998
224 A First Step towards Automated Detection of Buffer Overrun Vulnerabilities – Wagner, Foster, et al. - 2000
211 Checking system rules using system-specific, programmer-written compiler extensions – Engler, Chelf, et al. - 2000
200 Reachability analysis of pushdown automata: Application to model-checking – Bouajjani, Esparza, et al. - 1997
172 A static analyzer for finding dynamic programming errors. Software - Practice and Experience – Bush, Pincus, et al. - 2000
160 Patterns in property specifications for finite-state verification – Dwyer, Avrunin, et al. - 1999
131 ESP: path-sensitive program verification in polynomial time – Das, Lerner, et al. - 2002
115 MOPS: an infrastructure for examining security properties of software – Chen, Wagner
98 A direct symbolic approach to model checking pushdown systems – Finkel, Willems, et al. - 1997
89 Systems for Late Code Modification – Wall - 1991
81 The SLAM Toolkit – Ball, Rajamani - 2001
70 Symbolic debugging of optimized code – Hennessy - 1982
50 Analyzing memory accesses in x86 executables – Balakrishnan, Reps - 2004
50 DOC: A practical approach to source-level debugging of globally optimized code – Coutant, Meloy, et al. - 1988
43 Weighted pushdown systems and their application to interprocedural dataflow analysis – Reps, Schwoon, et al. - 1981
42 Precise Interprocedural Chopping – Reps, Rosay - 1995
41 Alias analysis of executable code – Debray, Muth, et al. - 1998
39 A generic approach to the static analysis of concurrent programs with procedures – Bouajjani, Esparza, et al. - 2003
39 Model checking one million lines of C code – Chen, Dean, et al. - 2004
37 Aggregate structure identification and its application to program analysis – Ramalingam, Field, et al. - 1999
36 Interactive Source-Level Debugging of Optimized Programs – Zellweger - 1984
31 Model-checking pushdown systems – Schwoon - 2002
25 A Fraboulet. Intraprocedural static slicing of binary executables – Cifuentes, Simona - 1997
17 Analysis of modular arithmetic – Müller-Olm, Seidl
16 Extended weighted pushdown systems – Lal, Reps, et al. - 2005
15 Practical and accurate low-level pointer analysis – Guo, Bridges, et al. - 2005
14 WPDS++: A C++ library for weighted pushdown systems – Kidd, Reps, et al. - 2004
13 Data dependence analysis of assembly code – Amme, Braun, et al. - 1998
9 WYSINWYX: What You See Is Not What You eXecute – Balakrishnan, Reps, et al. - 2005
5 Some bad news and some good news – Howard - 2002
3 Moped system. http://www.fmi.uni-stuttgart.de/szs/tools/moped – Schwoon
2 PREfast with driver-specific rules – Amme, Braun, et al.