A Next-Generation Platform for Analyzing Executables

  • T. Reps
  • G. Balakrishnan
  • J. Lim
  • T. Teitelbaum
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3780)

Abstract

In recent years, there has been a growing need for tools that an analyst can use to understand the workings of COTS components, plugins, mobile code, and DLLs, as well as memory snapshots of worms and virus-infected code. Static analysis provides techniques that can help with such problems; however, there are several obstacles that must be overcome:

– For many kinds of potentially malicious programs, symbol-table and debugging information is entirely absent. Even if it is present, it cannot be relied upon.

– To understand memory-access operations, it is necessary to determine the set of addresses accessed by each operation. This is difficult because

  • While some memory operations use explicit memory addresses in the instruction (easy), others use indirect addressing via address expressions (difficult).

  • Arithmetic on addresses is pervasive. For instance, even when the value of a local variable is loaded from its slot in an activation record, address arithmetic is performed.

  • There is no notion of type at the hardware level, so address values cannot be distinguished from integer values.

  • Memory accesses do not have to be aligned, so word-sized address values could potentially be cobbled together from misaligned reads and writes.

We have developed static-analysis algorithms to recover information about the contents of memory locations and how they are manipulated by an executable. By combining these analyses with facilities provided by the IDAPro and CodeSurfer toolkits, we have created CodeSurfer/x86, a prototype tool for browsing, inspecting, and analyzing x86 executables. From an x86 executable, CodeSurfer/x86 recovers intermediate representations that are similar to what would be created by a compiler for a program written in a high-level language. CodeSurfer/x86 also supports a scripting language, as well as several kinds of sophisticated pattern-matching capabilities. These facilities provide a platform for the development of additional tools for analyzing the security properties of executables.

Keywords

Source Code Model Check Malicious Code Program Point Call Graph 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    PREfast with driver-specific rules (October 2004) WHDC, Microsoft Corp., http://www.microsoft.com/whdc/devtools/tools/PREfast-drv.mspx
  2. 2.
    Amme, W., Braun, P., Zehendner, E., Thomasset, F.: Data dependence analysis of assembly code. Int. J. Parallel Proc. (2000)Google Scholar
  3. 3.
    Balakrishnan, G., Reps, T.: Analyzing memory accesses in x86 executables. Comp. Construct., 5–23 (2004)Google Scholar
  4. 4.
    Balakrishnan, G., Reps, T., Melski, D., Teitelbaum, T.: WYSINWYX: What You See Is Not What You eXecute. In: IFIP Working Conf. on Verified Software: Theories, Tools, Experiments (2005)Google Scholar
  5. 5.
    Ball, T., Rajamani, S.K.: The SLAM toolkit. In: Berry, G., Comon, H., Finkel, A. (eds.) CAV 2001. LNCS, vol. 2102, pp. 260–264. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  6. 6.
    Bouajjani, A., Esparza, J., Maler, O.: Reachability analysis of pushdown automata: Application to model checking. In: Proc. CONCUR. LNCS, vol. 1243, pp. 135–150. Springer, Heidelberg (1997)Google Scholar
  7. 7.
    Bouajjani, A., Esparza, J., Touili, T.: A generic approach to the static analysis of concurrent programs with procedures. In: Princ. of Prog. Lang., pp. 62–73 (2003)Google Scholar
  8. 8.
    Bush, W., Pincus, J., Sielaff, D.: A static analyzer for finding dynamic programming errors. Software–Practice & Experience 30, 775–802 (2000)MATHCrossRefGoogle Scholar
  9. 9.
    Chen, H., Dean, D., Wagner, D.: Model checking one million lines of C code. Network and Dist. Syst. Security (2004)Google Scholar
  10. 10.
    Chen, H., Wagner, D.: MOPS: An infrastructure for examining security properties of software. In: Conf. on Comp. and Commun. Sec., November 2002, pp. 235–244 (2002)Google Scholar
  11. 11.
    Cifuentes, C., Fraboulet, A.: Intraprocedural static slicing of binary executables. In: Int. Conf. on Softw. Maint., pp. 188–195 (1997)Google Scholar
  12. 12.
    Clarke Jr., E.M., Grumberg, O., Peled, D.A.: Model Checking. MIT Press, Cambridge (1999)Google Scholar
  13. 13.
    CodeSurfer, GrammaTech, Inc., http://www.grammatech.com/products/codesurfer/
  14. 14.
    Corbett, J.C., Dwyer, M.B., Hatcliff, J., Laubach, S., Robby, C.S.P. , Zheng, H.: Bandera: Extracting finite-state models from Java source code. In: Int. Conf. on Softw. Eng., pp. 439–448 (2000)Google Scholar
  15. 15.
    Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction of approximation of fixed points. In: Princ. of Prog. Lang., pp. 238–252 (1977)Google Scholar
  16. 16.
    Coutant, D.S., Meloy, S., Ruscetta, M.: DOC: A practical approach to source-level debugging of globally optimized code. In: Prog. Lang. Design and Impl. (1988)Google Scholar
  17. 17.
    Das, M., Lerner, S., Seigle, M.: ESP: Path-sensitive program verification in polynomial time. In: Prog. Lang. Design and Impl., pp. 57–68. ACM Press, New York (2002)Google Scholar
  18. 18.
    Debray, S.K., Muth, R., Weippert, M.: Alias analysis of executable code. In: Princ. of Prog. Lang., pp. 12–24 (1998)Google Scholar
  19. 19.
    Dwyer, M., Avrunin, G., Corbett, J.: Patterns in property specifications for finite-state verification. In: Int. Conf. on Softw. Eng. (1999)Google Scholar
  20. 20.
    Engler, D.R., Chelf, B., Chou, A., Hallem, S.: Checking system rules using system-specific, programmer-written compiler extensions. Op. Syst. Design and Impl., 1–16 (2000)Google Scholar
  21. 21.
    Ferrante, J., Ottenstein, K., Warren, J.: The program dependence graph and its use in optimization. Trans. on Prog. Lang. and Syst. 3(9), 319–349 (1987)CrossRefGoogle Scholar
  22. 22.
    Finkel, A., Willems, B., Wolper, P.: A direct symbolic approach to model checking pushdown systems. Elec. Notes in Theor. Comp. Sci. 9 (1997)Google Scholar
  23. 23.
    Fast Library Identification and Recognition Technology, DataRescue sa/nv, Liège, Belgium, http://www.datarescue.com/idabase/flirt.htm
  24. 24.
    Guo, B., Bridges, M.J., Triantafyllis, S., Ottoni, G., Raman, E., August, D.I.: Practical and accurate low-level pointer analysis. In: 3rd Int. Symp. on Code Gen. and Opt., pp. 291–302 (2005)Google Scholar
  25. 25.
    Havelund, K., Pressburger, T.: Model checking Java programs using Java PathFinder. Softw. Tools for Tech. Transfer 2(4) (2000)Google Scholar
  26. 26.
    Hennessy, J.L.: Symbolic debugging of optimized code. Trans. on Prog. Lang. and Syst. 4(3), 323–344 (1982)MATHCrossRefGoogle Scholar
  27. 27.
    Henzinger, T.A., Jhala, R., Majumdar, R., Sutre, G.: Lazy abstraction. In: Princ. of Prog. Lang., pp. 58–70 (2002)Google Scholar
  28. 28.
    Horwitz, S., Reps, T., Binkley, D.: Interprocedural slicing using dependence graphs. Trans. on Prog. Lang. and Syst. 12(1), 26–60 (1990)CrossRefGoogle Scholar
  29. 29.
    Howard, M.: Some bad news and some good news (October 2002) MSDN, Microsoft Corp., http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure10102002.asp
  30. 30.
  31. 31.
    Kidd, N., Reps, T., Melski, D., Lal, A.: WPDS++: A C++ library for weighted pushdown systems (2004), http://www.cs.wisc.edu/wpis/wpds++/
  32. 32.
    Lal, A., Reps, T., Balakrishnan, G.: Extended weighted pushdown systems. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 434–448. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  33. 33.
    Müller-Olm, M., Seidl, H.: Analysis of modular arithmetic. In: European Symp. on Programming (2005)Google Scholar
  34. 34.
    Ramalingam, G., Field, J., Tip, F.: Aggregate structure identification and its application to program analysis. In: Princ. of Prog. Lang., pp. 119–132 (1999)Google Scholar
  35. 35.
    Reps, T., Rosay, G.: Precise interprocedural chopping. In: Found. of Softw. Eng. (1995)Google Scholar
  36. 36.
    Reps, T., Schwoon, S., Jha, S.: Weighted pushdown systems and their application to interprocedural dataflow analysis. In: Static Analysis Symp. (2003)Google Scholar
  37. 37.
    Reps, T., Schwoon, S., Jha, S., Melski, D.: Weighted pushdown systems and their application to interprocedural dataflow analysis. In: Sci. of Comp. Prog. (to appear)Google Scholar
  38. 38.
  39. 39.
    Schwoon, S.: Model-Checking Pushdown Systems. PhD thesis, Technical Univ. of Munich, Munich, Germany (July 2002)Google Scholar
  40. 40.
    Wagner, D., Foster, J., Brewer, E., Aiken, A.: A first step towards automated detection of buffer overrun vulnerabilities. In: Network and Dist. Syst. Security (February 2000)Google Scholar
  41. 41.
    Wall, D.W.: Systems for late code modification. In: Giegerich, R., Graham, S.L. (eds.) Code Generation – Concepts, Tools, Techniques, pp. 275–293. Springer, Heidelberg (1992)Google Scholar
  42. 42.
    Wilson, R.P., Lam, M.S.: Efficient context-sensitive pointer analysis for C programs. In: Prog. Lang. Design and Impl., pp. 1–12 (1995)Google Scholar
  43. 43.
    Zellweger, P.T.: Interactive Source-Level Debugging of Optimized Programs. PhD thesis, Univ. of California, Berkeley (1984)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • T. Reps
    • 1
    • 2
  • G. Balakrishnan
    • 1
  • J. Lim
    • 1
  • T. Teitelbaum
    • 2
  1. 1.Comp. Sci. Dept.University of Wisconsin 
  2. 2.GrammaTech, Inc 

Personalised recommendations