Presentation is loading. Please wait.

Presentation is loading. Please wait.

Gogul Balakrishnan, Radu Gruian and Thomas Reps Computer Science Dept., Univ. of Wisconsin GrammaTech, Inc. April, 2005 CodeSurfer / x86 A Platform for.

Published byWilfred Powell Modified over 8 years ago

Similar presentations

Presentation on theme: "Gogul Balakrishnan, Radu Gruian and Thomas Reps Computer Science Dept., Univ. of Wisconsin GrammaTech, Inc. April, 2005 CodeSurfer / x86 A Platform for."— Presentation transcript:

1 Gogul Balakrishnan, Radu Gruian and Thomas Reps Computer Science Dept., Univ. of Wisconsin GrammaTech, Inc. April, 2005 CodeSurfer / x86 A Platform for Analyzing x86 Executables 1

2 Contents Introduction CodeSurfer / x86 Architecture CodeSurfer / x86 Facilities CodeSurfer / x86 Limitations Recent Work 2

3 Introduction 3 Motivation Ensuring that 3 rd -party applications do not perform malicious operations Issues Symbol-table and debugging information is either absent No abstract location information (variables) Existing binary analysis tools are not capable of dealing with these issues

4 Introduction 4 CodeSurfer Program analysis and inspection tool Programming API is bundled with the CodeSurfer programmable package

5 Introduction IDAPro Powerful and commercial disassemby toolkit Provide APIs for its internal plug-ins 5

6 Introduction 6 CodeSurfer / x86 Prototype system for analyzing x86 executables Combine Value-Set Analysis(VSA) with facilities provided by the IDAPro and CodeSurfer toolkits Recover Intermediate Representations(IR) of programs using VSA Provide a platform for investigating the properties and behaviors of potentially malicious code

7 CodeSurfer / x86 Architecture 7 Overall Architecture

8 CodeSurfer / x86 Architecture 8 Value-set Analysis(VSA) Purpose Over-approximate possible range of values at each program point each memory Location(registers, stack...) might store Description Separate address space into a set of disjoint areas Memory Locations are represented as a-locs Ex) EAX -> ( ㅗ, 4[0, 1]-20, ㅜ ) means that EAX may not contain any meaningful value in Global Environment, may have value 4 * [0, 1] – 20 + ESP in some Local Environment and be able to have any value in some other Local Environment

9 CodeSurfer / x86 Architecture 9 IDAPro Input x86 Executable Process Disassemble x86 binary executable Analyze static information Output Assembly code Control Flow Graphs(CFGs) Procedure boundaries Statically known memory addresses and offsets

10 CodeSurfer / x86 Architecture 10 Connector – Parsing Process Parse input data into connector’s data structures for VSA Output Parsed Data which keeps whole information intact

11 CodeSurfer / x86 Architecture 11 Connector – Abstraction Process Value-set Analysis – a-locs Output Parsed Data with Abstract Information including a-locs with value-sets

12 CodeSurfer / x86 Architecture 12 Connector – Augmentation Process Augment incomplete(indirect jumps, indirect calls) call graph and CFGs using each program point’s a-locs and value-sets Output Code Surfer compatible format data(IRs)

13 CodeSurfer / x86 Architecture 13 CodeSurfer Input Code Surfer compatible format Data Output Collection of IRs, consisting of Abstract Syntax Tree, CFGs, call graph, System Dependence Graph(SDG)

14 CodeSurfer / x86 Architecture 14 Overall Architecture (revisit)

15 CodeSurfer / x86 Facilities 15 Standard Compilation Model Check Checkpoints Runtime Stack Self-modification Separation of Program’s Data If it cannot be confirmed that the executable conforms to the model, then the IR is possibly incorrect

16 CodeSurfer / x86 Facilities 16 CodeSurfer’s GUI SDG Browser CodeSurfer’s API Access lower-level information individual nodes and edges of the program’s SDG Call graph CFGs Conjunction with GrammaTech’s Path Inspector Detect possibly problematic paths

17 CodeSurfer / x86 Limitations 17 Limitations Dynamically Determined Information IDAPro and VSA cannot fully recover dynamically determined information such as heap-allocated data, indirect calls, and indirect jumps Complex Data Structure Recover only very coarse information about arrays Value-sets are only suitable for congruence, contiguous data structure

18 Recent Work 18

Download ppt "Gogul Balakrishnan, Radu Gruian and Thomas Reps Computer Science Dept., Univ. of Wisconsin GrammaTech, Inc. April, 2005 CodeSurfer / x86 A Platform for."

Similar presentations

ANALYSIS OF PROG. LANG. PROGRAM ANALYSIS Instructors: Crista Lopes Copyright © Instructors. 1.

ANALYSIS OF PROG. LANG. PROGRAM ANALYSIS Instructors: Crista Lopes Copyright © Instructors. 1.
Intermediate Code Generation

Intermediate Code Generation
1 Program Slicing Purvi Patel. 2 Contents Introduction What is program slicing? Principle of dependences Variants of program slicing Slicing classifications.

1 Program Slicing Purvi Patel. 2 Contents Introduction What is program slicing? Principle of dependences Variants of program slicing Slicing classifications.
Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.

Assembly Code Verification Using Model Checking Hao XIAO Singapore University of Technology and Design.
Semantic analysis Parsing only verifies that the program consists of tokens arranged in a syntactically-valid combination, we now move on to semantic analysis,

Semantic analysis Parsing only verifies that the program consists of tokens arranged in a syntactically-valid combination, we now move on to semantic analysis,
Model Checking x86 Executables with CodeSurfer/x86 and WPDS++ G. Balakrishnan 1, T. Reps 1,2, N. Kidd 1, A. Lal 1, J. Lim 1, D. Melski 2, R. Gruian 2,

Model Checking x86 Executables with CodeSurfer/x86 and WPDS++ G. Balakrishnan 1, T. Reps 1,2, N. Kidd 1, A. Lal 1, J. Lim 1, D. Melski 2, R. Gruian 2,
Run-Time Storage Organization

Run-Time Storage Organization
Run time vs. Compile time

Run time vs. Compile time
Compiler Summary Mooly Sagiv html://www.math.tau.ac.il/~msagiv/courses/wcc03.html.

Compiler Summary Mooly Sagiv html://
Topic 6 -Code Generation Dr. William A. Maniatty Assistant Prof. Dept. of Computer Science University At Albany CSI 511 Programming Languages and Systems.

Topic 6 -Code Generation Dr. William A. Maniatty Assistant Prof. Dept. of Computer Science University At Albany CSI 511 Programming Languages and Systems.
Partial Automation of an Integration Reverse Engineering Environment of Binary Code Author : Cristina Cifuentes Reverse Engineering, 1996., Proceedings.

Partial Automation of an Integration Reverse Engineering Environment of Binary Code Author : Cristina Cifuentes Reverse Engineering, 1996., Proceedings.
1 Run time vs. Compile time The compiler must generate code to handle issues that arise at run time Representation of various data types Procedure linkage.

1 Run time vs. Compile time The compiler must generate code to handle issues that arise at run time Representation of various data types Procedure linkage.
Compiler Construction A Compulsory Module for Students in Computer Science Department Faculty of IT / Al – Al Bayt University Second Semester 2008/2009.

Compiler Construction A Compulsory Module for Students in Computer Science Department Faculty of IT / Al – Al Bayt University Second Semester 2008/2009.
Strategies to relate the program and problem domains using code instrumentation Mario Marcelo Berón University of Minho Pedro Rangel Henriques University.

Strategies to relate the program and problem domains using code instrumentation Mario Marcelo Berón University of Minho Pedro Rangel Henriques University.
CS102 Introduction to Computer Programming

CS102 Introduction to Computer Programming
Effective C# 50 Specific Way to Improve Your C# Item 50 Scott68.Chang.

Effective C# 50 Specific Way to Improve Your C# Item 50 Scott68.Chang.
Previous Next 06/18/2000Shanghai Jiaotong Univ. Computer Science & Engineering Dept. C+J Software Architecture Shanghai Jiaotong University Author: Lu,

Previous Next 06/18/2000Shanghai Jiaotong Univ. Computer Science & Engineering Dept. C+J Software Architecture Shanghai Jiaotong University Author: Lu,
AutoHacking with Phoenix Enabled Data Flow Analysis Richard Johnson |

AutoHacking with Phoenix Enabled Data Flow Analysis Richard Johnson |
Course Revision Contents  Compilers  Compilers Vs Interpreters  Structure of Compiler  Compilation Phases  Compiler Construction Tools  A Simple.

Course Revision Contents  Compilers  Compilers Vs Interpreters  Structure of Compiler  Compilation Phases  Compiler Construction Tools  A Simple.
Module 1: Introduction to C# Module 2: Variables and Data Types

Module 1: Introduction to C# Module 2: Variables and Data Types

Similar presentations

Ads by Google