There’s Plenty of Room at the Bottom: Analyzing and Verifying Machine Code

(Invited Tutorial)
  • Thomas Reps
  • Junghee Lim
  • Aditya Thakur
  • Gogul Balakrishnan
  • Akash Lal
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6174)


This paper discusses the obstacles that stand in the way of doing a good job of machine-code analysis. Compared with analysis of source code, the challenge is to drop all assumptions about having certain kinds of information available (variables, control-flow graph, call-graph, etc.) and also to address new kinds of behaviors (arithmetic on addresses, jumps to “hidden” instructions starting at positions that are out of registration with the instruction boundaries of a given reading of an instruction stream, self-modifying code, etc.).

The paper describes some of the challenges that arise when analyzing machine code, and what can be done about them. It also provides a rationale for some of the design decisions made in the machine-code-analysis tools that we have built over the past few years.
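The "hidden instructions" point in the abstract (instructions that begin at offsets out of registration with the boundaries a straight decoding produces) is easiest to see on a few bytes. What follows is an added illustration, not code from the paper or from the authors' tools: a toy 32-bit x86 decoder that covers only the opcodes the constructed sample needs, run once as a linear sweep and once as a recursive traversal that follows the jump target. The byte string, the helper names, and the choice of opcode subset are all assumptions made for this example.

```python
"""Two readings of one x86 byte stream: a linear sweep versus a recursive
traversal that follows the jump target.  The decoder below is a toy that
covers only the 32-bit x86 opcodes the constructed sample needs; it is an
added illustration, not the decoder used by the authors' tools."""
from dataclasses import dataclass
from typing import List, Optional

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
GRP2 = ["rol", "ror", "rcl", "rcr", "shl", "shr", "sal", "sar"]   # opcode C0 /r
GRP5 = {0: "inc", 1: "dec", 2: "call", 4: "jmp", 6: "push"}       # opcode FF /r


@dataclass
class Insn:
    addr: int
    length: int
    text: str
    target: Optional[int] = None     # statically known branch target, if any
    falls_through: bool = True


def modrm_len(code: bytes, i: int) -> int:
    """Bytes used by the ModRM byte at code[i] plus any SIB/displacement (32-bit addressing)."""
    mod, rm = code[i] >> 6, code[i] & 7
    if mod == 3:
        return 1
    n = 1
    if rm == 4:                                  # SIB byte present
        n += 1
        if mod == 0 and code[i + 1] & 7 == 5:    # SIB with no base register: disp32
            n += 4
    elif mod == 0 and rm == 5:                   # [disp32]
        n += 4
    if mod == 1:
        n += 1
    elif mod == 2:
        n += 4
    return n


def rm_text(code: bytes, i: int, regs: List[str]) -> str:
    """Render the r/m operand at code[i]; only the forms the sample uses are spelled out."""
    mod, rm = code[i] >> 6, code[i] & 7
    if mod == 3:
        return regs[rm]
    if mod == 1 and rm != 4:
        disp = int.from_bytes(code[i + 1:i + 2], "little", signed=True)
        return f"[{REG32[rm]}{disp:+#x}]"
    return "[mem]"


def decode(code: bytes, i: int) -> Insn:
    """Decode the single instruction starting at offset i (raises on anything outside the toy subset)."""
    op = code[i]
    if op == 0x90:
        return Insn(i, 1, "nop")
    if op == 0xC3:
        return Insn(i, 1, "ret", falls_through=False)
    if 0x40 <= op <= 0x4F:                       # inc/dec r32 (32-bit mode; these are REX prefixes in 64-bit mode)
        name = "inc" if op < 0x48 else "dec"
        return Insn(i, 1, f"{name} {REG32[op & 7]}")
    if op in (0xEB, 0x74, 0x75):                 # jmp short / je / jne rel8
        rel = int.from_bytes(code[i + 1:i + 2], "little", signed=True)
        tgt = i + 2 + rel
        name = {0xEB: "jmp short", 0x74: "je", 0x75: "jne"}[op]
        return Insn(i, 2, f"{name} {tgt:#x}", target=tgt, falls_through=(op != 0xEB))
    if 0xB8 <= op <= 0xBF:                       # mov r32, imm32
        imm = int.from_bytes(code[i + 1:i + 5], "little")
        return Insn(i, 5, f"mov {REG32[op & 7]}, {imm:#x}")
    if op == 0xFF:                               # group 5; an indirect call/jmp target is not known statically
        n = modrm_len(code, i + 1)
        name = GRP5.get((code[i + 1] >> 3) & 7)
        if name is None:
            raise ValueError(f"unsupported FF /{(code[i + 1] >> 3) & 7} at {i:#x}")
        return Insn(i, 1 + n, f"{name} {rm_text(code, i + 1, REG32)}", falls_through=(name != "jmp"))
    if op == 0xC0:                               # group 2: shift/rotate r/m8, imm8
        n = modrm_len(code, i + 1)
        name = GRP2[(code[i + 1] >> 3) & 7]
        imm = code[i + 1 + n]
        return Insn(i, 2 + n, f"{name} byte {rm_text(code, i + 1, REG8)}, {imm:#x}")
    raise ValueError(f"opcode {op:#04x} at {i:#x} is outside the toy subset")


def linear_sweep(code: bytes, start: int = 0) -> List[Insn]:
    """Decode consecutively from `start`, as a naive disassembler would."""
    out, i = [], start
    while i < len(code):
        insn = decode(code, i)
        out.append(insn)
        i += insn.length
    return out


def recursive_traversal(code: bytes, entry: int = 0) -> List[Insn]:
    """Decode only what control flow can reach from `entry`, following static branch targets."""
    seen, work = {}, [entry]
    while work:
        i = work.pop()
        if i in seen or not 0 <= i < len(code):
            continue
        insn = decode(code, i)
        seen[i] = insn
        if insn.falls_through:
            work.append(i + insn.length)
        if insn.target is not None:
            work.append(insn.target)
    return [seen[a] for a in sorted(seen)]


def hidden_starts(code: bytes, entry: int = 0) -> List[int]:
    """Offsets that are instruction starts under traversal but not under the linear sweep."""
    linear = {insn.addr for insn in linear_sweep(code, entry)}
    return [insn.addr for insn in recursive_traversal(code, entry) if insn.addr not in linear]


# Constructed sample: the `jmp short` lands on the second byte of itself, so the
# stream that actually executes starts one byte out of registration with the
# one a linear sweep produces.
CODE = bytes.fromhex("EB FF C0 48 90 C3")

if __name__ == "__main__":
    for label, listing in (("linear sweep", linear_sweep(CODE)),
                           ("recursive traversal", recursive_traversal(CODE))):
        print(label)
        for insn in listing:
            raw = CODE[insn.addr:insn.addr + insn.length].hex(" ")
            print(f"  {insn.addr:#04x}  {raw:<14} {insn.text}")
    print("hidden instruction starts:", hidden_starts(CODE))
```

On the sample, the linear sweep reports `jmp short 0x1` followed by a four-byte `ror byte [eax-0x70], 0xc3`, while the traversal that follows the jump finds `inc eax; dec eax; nop; ret` hiding inside those same four bytes. Neither reading is "wrong" as a decoding; the point the abstract makes is that instruction boundaries are a property of where control arrives, not of the byte stream, and an indirect `jmp` through a computed address (the `FF /4` case above, whose target the decoder cannot resolve) removes even the traversal's ability to know where that is.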


Keywords (added by machine, not by the authors): Abstract Graph, Execution Trace, Return Address, Program Counter, Machine Code



Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Thomas Reps (1, 2)
  • Junghee Lim (1)
  • Aditya Thakur (1)
  • Gogul Balakrishnan (3)
  • Akash Lal (4)
  1. University of Wisconsin, Madison, USA
  2. GrammaTech, Inc., Ithaca, USA
  3. NEC Laboratories America, Inc., Princeton, USA
  4. Microsoft Research India, Bangalore, India
