A System for Generating Static Analyzers for Machine Instructions

  • Junghee Lim
  • Thomas Reps
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4959)


This paper describes the design and implementation of a language for specifying the semantics of an instruction set, along with a run-time system to support the static analysis of executables written in that instruction set. The work advances the state of the art by creating multiple analysis phases from a specification of the concrete operational semantics of the language to be analyzed.
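The abstract's central idea, a single semantics specification instantiated as both an executor and a static analyzer, as an added illustration that is not the paper's own specification language or run-time system: the toy two-instruction ISA, the `ConcreteDomain`/`IntervalDomain` classes, and the sample program are assumptions constructed here.

```python
from dataclasses import dataclass

MASK = 0xFFFFFFFF  # 32-bit registers, as in the x86-style targets the paper analyzes

@dataclass(frozen=True)
class Interval:
    lo: int
    hi: int

class ConcreteDomain:
    """Instantiation 1: ordinary execution over 32-bit integers (constructed)."""
    def const(self, n): return n & MASK
    def add(self, a, b): return (a + b) & MASK

class IntervalDomain:
    """Instantiation 2: value-range analysis; a possible overflow widens to the full range."""
    TOP = Interval(0, MASK)
    def const(self, n): return Interval(n & MASK, n & MASK)
    def add(self, a, b):
        lo, hi = a.lo + b.lo, a.hi + b.hi
        return self.TOP if hi > MASK else Interval(lo, hi)

def step(dom, regs, insn):
    """The one semantics specification: written once over the domain's operations."""
    op, dst, src = insn
    if op == "mov":    # mov dst, imm
        regs[dst] = dom.const(src)
    elif op == "add":  # add dst, src_reg
        regs[dst] = dom.add(regs[dst], regs[src])
    else:
        raise ValueError(f"unknown opcode {op}")
    return regs

def run(dom, program, init):
    regs = dict(init)
    for insn in program:
        step(dom, regs, insn)
    return regs

# Constructed sample: eax := 1; ebx := 2; eax := eax + ebx; eax := eax + ecx (ecx is an input)
PROGRAM = [("mov", "eax", 1), ("mov", "ebx", 2), ("add", "eax", "ebx"), ("add", "eax", "ecx")]

def concrete_result(ecx=10):
    return run(ConcreteDomain(), PROGRAM, {"ecx": ecx})["eax"]

def interval_result(ecx=Interval(0, 100)):
    return run(IntervalDomain(), PROGRAM, {"ecx": ecx})["eax"]
```

Running the same `step` function under `IntervalDomain` with `ecx` unconstrained shows the analyzer losing precision to `TOP` exactly where a 32-bit wraparound becomes possible, which is the kind of fact a static analysis derived from the concrete semantics is meant to surface.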



Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Junghee Lim (1)
  • Thomas Reps (1, 2)
  1. Comp. Sci. Dept., Univ. of Wisconsin-Madison, WI, USA
  2. GrammaTech, Inc., Ithaca, NY, USA
