Skip to main content
SpringerLink
Log in

Range Analysis of Binaries with Minimal Effort

  • Conference paper
Formal Methods for Industrial Critical Systems (FMICS 2012)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 7437))

Abstract

COTS components are ubiquitous in military, industrial and governmental systems. However, the benefits of reduced development and maintainance costs are compromised by security concerns. Since source code is unavailable, security audits necessarily occur at the binary level. Push-button formal method techniques, such as model checking and abstract interpretation, can support this process by, among other things, inferring ranges of values for registers. Ranges aid the security engineer in checking for vulnerabilities that relate, for example, to integer wrapping, uninitialised variables and buffer overflows. Yet the lack of structure in binaries limits the effectiveness of classical range analyses based on widening. This paper thus contributes a simple but novel range analysis, formulated in terms of linear programming, which calculates ranges without manual intervention.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 49.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. National Vulnerability Database, http://nvd.nist.gov

  2. Andersen, H.R.: An Introduction to Binary Decision Diagrams. Lecture notes, available online, IT University of Copenhagen (1997), http://www.itu.dk/courses/AVA/E2005/bdd-eap.pdf

  3. Appel, A.W.: Modern Compiler Implementation in Java, Cambridge (2002)

    Google Scholar 

  4. Balakrishnan, G., Reps, T.: DIVINE: DIscovering Variables IN Executables. In: Cook, B., Podelski, A. (eds.) VMCAI 2007. LNCS, vol. 4349, pp. 1–28. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  5. Balakrishnan, G., Reps, T.W.: WYSINWYX: What You See Is Not What You eXecute. TOPLAS 32(6) (2010)

    Google Scholar 

  6. Blanchet, B., Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Monniaux, D., Rival, X.: A Static Analyzer for Large Safety-Critical Software. In: PLDI, vol. 38, pp. 196–207. ACM (2003)

    Google Scholar 

  7. Brauer, J., King, A., Kowalewski, S.: Range Analysis of Microcontroller Code Using Bit-Level Congruences. In: Kowalewski, S., Roveri, M. (eds.) FMICS 2010. LNCS, vol. 6371, pp. 82–98. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  8. Chen, L., Miné, A., Wang, J., Cousot, P.: Linear Absolute Value Relation Analysis. In: Barthe, G. (ed.) ESOP 2011. LNCS, vol. 6602, pp. 156–175. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  9. Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: POPL, pp. 238–252. ACM (1977)

    Google Scholar 

  10. Cousot, P., Cousot, R.: Comparing the Galois Connection and Widening/Narrowing Approaches to Abstract Interpretation. In: Bruynooghe, M., Wirsing, M. (eds.) PLILP 1992. LNCS, vol. 631, pp. 269–295. Springer, Heidelberg (1992)

    Chapter  Google Scholar 

  11. Doan, D.: Commercial Off the Shelf (COTS) Security Issues and Approaches. Master’s thesis, Naval Postgraduate School, Monterey, California (2006), http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA456996

  12. Durden, T.: Automated Vulnerability Auditing in Machine Code. Phrack Magazine 64 (2007)

    Google Scholar 

  13. Godefroid, P., Levin, M.Y., Molnar, D.A.: Automated Whitebox Fuzz Testing. In: NDSS. The Internet Society (2008)

    Google Scholar 

  14. Gopan, D., Reps, T.: Lookahead Widening. In: Ball, T., Jones, R.B. (eds.) CAV 2006. LNCS, vol. 4144, pp. 452–466. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  15. Goubault, E., Le Roux, S., Leconte, J., Liberti, L., Marinelli, F.: Static Analysis by Abstract Interpretation: A Mathematical Programming Approach. ENTCS 267(1), 73–87 (2010)

    Google Scholar 

  16. Harrison, W.H.: Compiler Analysis for the Value Ranges of Varibles. IEEE Transactions on Software Engineering SE-3(3), 243–250 (1977)

    Article  Google Scholar 

  17. Kapur, D.: Automatically Generating Loop Invariants using Quantifier Elimination. In: International Conference on Applications of Computer Algebra (2004)

    Google Scholar 

  18. Leino, K.R.M., Logozzo, F.: Using Widenings to Infer Loop Invariants Inside an SMT Solver, Or: A Theorem Prover as Abstract Domain. In: WING, pp. 70–84 (2007)

    Google Scholar 

  19. McMillan, K.L.: Applications of Craig Interpolants in Model Checking. In: Halbwachs, N., Zuck, L.D. (eds.) TACAS 2005. LNCS, vol. 3440, pp. 1–12. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  20. Reps, T.W., Balakrishnan, G., Lim, J.: Intermediate-Representation Recovery from Low-Level Code. In: PEPM, pp. 100–111. ACM (2006)

    Google Scholar 

  21. Rodríguez-Carbonell, E., Kapur, D.: An Abstract Interpretation Approach for Automatic Generation of Polynomial Invariants. In: Giacobazzi, R. (ed.) SAS 2004. LNCS, vol. 3148, pp. 280–295. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  22. Rugina, R., Rinard, M.C.: Symbolic bounds analysis of pointers, array indices, and accessed memory regions. TOPLAS 27, 185–235 (2005)

    Article  Google Scholar 

  23. Rybalchenko, A., Sofronie-Stokkermans, V.: Constraint Solving for Interpolation. Journal of Symbolic Computation 45, 1212–1233 (2010)

    Article  MathSciNet  MATH  Google Scholar 

  24. Schlich, B.: Model Checking of Software for Microcontrollers. ACM Transactions in Embedded Computing Systems 9, 1–27 (2010)

    Article  Google Scholar 

  25. Simon, A., King, A.: Widening Polyhedra with Landmarks. In: Kobayashi, N. (ed.) APLAS 2006. LNCS, vol. 4279, pp. 166–182. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  26. Su, Z., Wagner, D.: A class of polynomially solvable range constraints for interval analysis without widenings. TCS 345(1), 122–138 (2005)

    Article  MathSciNet  MATH  Google Scholar 

  27. Weissenbacher, G.: Program Analysis with Interpolants. PhD thesis, Magdalen College (2010), http://ora.ouls.ox.ac.uk/objects/uuid:6987de8b-92c2-4309-b762-f0b0b9a165e6

  28. Wille, R., Fey, G., Drechsler, R.: Building Free Binary Decision Diagrams Using Sat Solvers. Facta Universitatis-series: Electronics and Energetics 20(3), 381–394 (2007)

    Article  Google Scholar 

  29. Zaks, A., Yang, Z., Shlyakhter, I., Ivancic, F., Cadambi, S., Ganai, M.K., Gupta, A., Ashar, P.: Bitwidth Reduction via Symbolic Interval Analysis for Software Model Checking. IEEE TACAD 27(8), 1513–1517 (2008)

    Google Scholar 

  30. Zhong, Q., Edward, N.: Security Control COTS Components. IEEE Computer Society 31, 67–73 (1998)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. School of Computing, University of Kent, CT2 7NF, UK

    Edd Barrett & Andy King

Authors
  1. Edd Barrett
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Andy King
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computer Science, Formal Methods and Tools, University of Twente, P.O. Box 217, 7500 AE, Enschede, The Netherlands

    Mariëlle Stoelinga

  2. Infrastructure and Cities Sector, Mobility and Logistics Division, Rail Automation, Siemens AG, Ackerstraße 22, 38126, Braunschweig, Germany

    Ralf Pinger

Rights and permissions

Reprints and permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Barrett, E., King, A. (2012). Range Analysis of Binaries with Minimal Effort. In: Stoelinga, M., Pinger, R. (eds) Formal Methods for Industrial Critical Systems. FMICS 2012. Lecture Notes in Computer Science, vol 7437. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32469-7_7

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-32469-7_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-32468-0

  • Online ISBN: 978-3-642-32469-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation