Range Analysis of Binaries with Minimal Effort

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7437)


COTS components are ubiquitous in military, industrial and governmental systems. However, the benefits of reduced development and maintainance costs are compromised by security concerns. Since source code is unavailable, security audits necessarily occur at the binary level. Push-button formal method techniques, such as model checking and abstract interpretation, can support this process by, among other things, inferring ranges of values for registers. Ranges aid the security engineer in checking for vulnerabilities that relate, for example, to integer wrapping, uninitialised variables and buffer overflows. Yet the lack of structure in binaries limits the effectiveness of classical range analyses based on widening. This paper thus contributes a simple but novel range analysis, formulated in terms of linear programming, which calculates ranges without manual intervention.


Model Check Range Analysis Abstract Interpretation Binary Decision Diagram Program Point 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    National Vulnerability Database,
  2. 2.
    Andersen, H.R.: An Introduction to Binary Decision Diagrams. Lecture notes, available online, IT University of Copenhagen (1997),
  3. 3.
    Appel, A.W.: Modern Compiler Implementation in Java, Cambridge (2002)Google Scholar
  4. 4.
    Balakrishnan, G., Reps, T.: DIVINE: DIscovering Variables IN Executables. In: Cook, B., Podelski, A. (eds.) VMCAI 2007. LNCS, vol. 4349, pp. 1–28. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  5. 5.
    Balakrishnan, G., Reps, T.W.: WYSINWYX: What You See Is Not What You eXecute. TOPLAS 32(6) (2010)Google Scholar
  6. 6.
    Blanchet, B., Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Monniaux, D., Rival, X.: A Static Analyzer for Large Safety-Critical Software. In: PLDI, vol. 38, pp. 196–207. ACM (2003)Google Scholar
  7. 7.
    Brauer, J., King, A., Kowalewski, S.: Range Analysis of Microcontroller Code Using Bit-Level Congruences. In: Kowalewski, S., Roveri, M. (eds.) FMICS 2010. LNCS, vol. 6371, pp. 82–98. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  8. 8.
    Chen, L., Miné, A., Wang, J., Cousot, P.: Linear Absolute Value Relation Analysis. In: Barthe, G. (ed.) ESOP 2011. LNCS, vol. 6602, pp. 156–175. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  9. 9.
    Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: POPL, pp. 238–252. ACM (1977)Google Scholar
  10. 10.
    Cousot, P., Cousot, R.: Comparing the Galois Connection and Widening/Narrowing Approaches to Abstract Interpretation. In: Bruynooghe, M., Wirsing, M. (eds.) PLILP 1992. LNCS, vol. 631, pp. 269–295. Springer, Heidelberg (1992)CrossRefGoogle Scholar
  11. 11.
    Doan, D.: Commercial Off the Shelf (COTS) Security Issues and Approaches. Master’s thesis, Naval Postgraduate School, Monterey, California (2006),
  12. 12.
    Durden, T.: Automated Vulnerability Auditing in Machine Code. Phrack Magazine 64 (2007)Google Scholar
  13. 13.
    Godefroid, P., Levin, M.Y., Molnar, D.A.: Automated Whitebox Fuzz Testing. In: NDSS. The Internet Society (2008)Google Scholar
  14. 14.
    Gopan, D., Reps, T.: Lookahead Widening. In: Ball, T., Jones, R.B. (eds.) CAV 2006. LNCS, vol. 4144, pp. 452–466. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  15. 15.
    Goubault, E., Le Roux, S., Leconte, J., Liberti, L., Marinelli, F.: Static Analysis by Abstract Interpretation: A Mathematical Programming Approach. ENTCS 267(1), 73–87 (2010)Google Scholar
  16. 16.
    Harrison, W.H.: Compiler Analysis for the Value Ranges of Varibles. IEEE Transactions on Software Engineering SE-3(3), 243–250 (1977)CrossRefGoogle Scholar
  17. 17.
    Kapur, D.: Automatically Generating Loop Invariants using Quantifier Elimination. In: International Conference on Applications of Computer Algebra (2004)Google Scholar
  18. 18.
    Leino, K.R.M., Logozzo, F.: Using Widenings to Infer Loop Invariants Inside an SMT Solver, Or: A Theorem Prover as Abstract Domain. In: WING, pp. 70–84 (2007)Google Scholar
  19. 19.
    McMillan, K.L.: Applications of Craig Interpolants in Model Checking. In: Halbwachs, N., Zuck, L.D. (eds.) TACAS 2005. LNCS, vol. 3440, pp. 1–12. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  20. 20.
    Reps, T.W., Balakrishnan, G., Lim, J.: Intermediate-Representation Recovery from Low-Level Code. In: PEPM, pp. 100–111. ACM (2006)Google Scholar
  21. 21.
    Rodríguez-Carbonell, E., Kapur, D.: An Abstract Interpretation Approach for Automatic Generation of Polynomial Invariants. In: Giacobazzi, R. (ed.) SAS 2004. LNCS, vol. 3148, pp. 280–295. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  22. 22.
    Rugina, R., Rinard, M.C.: Symbolic bounds analysis of pointers, array indices, and accessed memory regions. TOPLAS 27, 185–235 (2005)CrossRefGoogle Scholar
  23. 23.
    Rybalchenko, A., Sofronie-Stokkermans, V.: Constraint Solving for Interpolation. Journal of Symbolic Computation 45, 1212–1233 (2010)MathSciNetzbMATHCrossRefGoogle Scholar
  24. 24.
    Schlich, B.: Model Checking of Software for Microcontrollers. ACM Transactions in Embedded Computing Systems 9, 1–27 (2010)CrossRefGoogle Scholar
  25. 25.
    Simon, A., King, A.: Widening Polyhedra with Landmarks. In: Kobayashi, N. (ed.) APLAS 2006. LNCS, vol. 4279, pp. 166–182. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  26. 26.
    Su, Z., Wagner, D.: A class of polynomially solvable range constraints for interval analysis without widenings. TCS 345(1), 122–138 (2005)MathSciNetzbMATHCrossRefGoogle Scholar
  27. 27.
    Weissenbacher, G.: Program Analysis with Interpolants. PhD thesis, Magdalen College (2010),
  28. 28.
    Wille, R., Fey, G., Drechsler, R.: Building Free Binary Decision Diagrams Using Sat Solvers. Facta Universitatis-series: Electronics and Energetics 20(3), 381–394 (2007)CrossRefGoogle Scholar
  29. 29.
    Zaks, A., Yang, Z., Shlyakhter, I., Ivancic, F., Cadambi, S., Ganai, M.K., Gupta, A., Ashar, P.: Bitwidth Reduction via Symbolic Interval Analysis for Software Model Checking. IEEE TACAD 27(8), 1513–1517 (2008)Google Scholar
  30. 30.
    Zhong, Q., Edward, N.: Security Control COTS Components. IEEE Computer Society 31, 67–73 (1998)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  1. 1.School of ComputingUniversity of KentUK

Personalised recommendations