Analyzing Memory Accesses in x86 Executables

Gogul Balakrishnan, Thomas Reps

Part of the Lecture Notes in Computer Science book series (LNCS, volume 2985)


This paper concerns static-analysis algorithms for analyzing x86 executables. The aim of the work is to recover intermediate representations that are similar to those that can be created for a program written in a high-level language. Our goal is to perform this task for programs such as plugins, mobile code, worms, and virus-infected code. For such programs, symbol-table and debugging information is either entirely absent, or cannot be relied upon if present; hence, the technique described in the paper makes no use of symbol-table/debugging information. Instead, an analysis is carried out to recover information about the contents of memory locations and how they are manipulated by the executable.





Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

Gogul Balakrishnan and Thomas Reps, Comp. Sci. Dept., University of Wisconsin