Abstract
COTS components are ubiquitous in military, industrial and governmental systems. However, the benefits of reduced development and maintenance costs are compromised by security concerns. Since source code is unavailable, security audits necessarily occur at the binary level. Push-button formal method techniques, such as model checking and abstract interpretation, can support this process by, among other things, inferring ranges of values for registers. Ranges aid the security engineer in checking for vulnerabilities that relate, for example, to integer wrapping, uninitialised variables and buffer overflows. Yet the lack of structure in binaries limits the effectiveness of classical range analyses based on widening. This paper thus contributes a simple but novel range analysis, formulated in terms of linear programming, which calculates ranges without manual intervention.
Keywords
- Model Check
- Range Analysis
- Abstract Interpretation
- Binary Decision Diagram
- Program Point
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Barrett, E., King, A. (2012). Range Analysis of Binaries with Minimal Effort. In: Stoelinga, M., Pinger, R. (eds) Formal Methods for Industrial Critical Systems. FMICS 2012. Lecture Notes in Computer Science, vol 7437. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32469-7_7
DOI: https://doi.org/10.1007/978-3-642-32469-7_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-32468-0
Online ISBN: 978-3-642-32469-7
eBook Packages: Computer Science, Computer Science (R0)