Title: There
1Theres Plenty of Room at the BottomAnalyzing
and Verifying Machine Code
- T. Reps,1,2 J. Lim,1 A. Thakur,1
- G. Balakrishnan,3 and A. Lal4
- 1Univ. of Wisconsin 3NEC Laboratories
America - 2GrammaTech, Inc. 4Microsoft Research
India
Joint work with A. Burton, E. Driscoll, M. Elder,
T. Andersen (UW), T. Teitelbaum, D. Melski, D.
Gopan, S. Yong, T. Johnson, A. Loginov
(GrammaTech)
2Why Machine Code?
- Windows
- Login process keeps a users password in the heap
after a successful login - To minimize data lifetime
- clear buffer
- call free()
- But . . .
- the compiler might optimize away the
buffer-clearing code (useless-code elimination)
memset(buffer, \0, len) free(buffer)
free(buffer)
3WYSINWYXWhat You See Is Not What You eXecute
- Computers do not execute source-code programs
- They execute machine-code programs that are
generated from source code
- An issue for any verification/analysis method
- theorem proving
- model checking
- abstract interpretation
4Goals of the Talk
- WYSINWYX . . . Gulp!
- Why is analyzing machine code important?
- What makes machine code challenging?
- what analysis techniques dont work right out of
the box - Why can it be advantageous to analyze machine
code? - A peek at what we have been able to accomplish
starting from stripped executables
5UW Machine-Code Analysis Projects
McVeto talk Saturday, July 17 at 1530
- CodeSurfer/x86 machine-code slicing CC04,
TOPLAS10 - tracks dependences across memory updates and
accesses - DDA/x86 device-driver verification TACAS08
- TSL analysis generator CC08
- concrete semantics abstract domain ? abstract
semantics - McVeto machine-code verification CAV10
- unrestricted machine-code programs
- including self-modifying code and instruction
aliasing - FFE/x86 file-format inference WCRE06
- Library summarization CAV07
- BCE botnet command extractor TR-1668
6SLAM Error Trace
DDA/x86 Error Trace
7Tutorial on x86 (Intel Syntax)
p q p q p q p a2
8Tutorial on x86 (Intel Syntax)
- mov ecx, edx
- mov ecx, edx
- mov ecx, edx
- lea ecx, esp8
ecx edx ecx edx ecx edx ecx
a2
Stack pointer esp Frame pointer ebp
9Demo
CodeSurfer/C CodeSurfer/x86
10Goals of the Talk
- WYSINWYX . . . Gulp!
- Why is analyzing machine code important?
- What makes machine code challenging?
- what analysis techniques dont work right out of
the box - Why can it be advantageous to analyze machine
code? - A peek at what we have been able to accomplish
starting from stripped executables
11A Surprise Many People Spend their Lives
Inspecting Machine Code
- Thousands of users of IDA Pro disassembler
- Hex-Rays SA Liège, Belgium
- Computer Emergency Response Teams
- every major country has one
- Anti-malware companies
- Three-letter agencies
- Malware writers
- . . .
12Machine Code can be a Better Platformfor Finding
Security Vulnerabilities
- Many exploits utilize platform-specific quirks
- non-obvious and unexpected
- compiler artifacts (choices made by the compiler)
- memory layout
- padding between fields of a struct
- which variables are adjacent?
- register usage
- execution order
- optimizations performed
- compiler bugs
13Example of a Compiler Artifact
int callee(int a, int b) int local if
(local 5) return 1 else return 2 int
main() int c 5 int d 7 int v
callee(c,d) // What is the value of v here?
return 0
Answer 1 (for the Microsoft compiler)
14Example of a Compiler Artifact
Standard prolog Prolog for 1 local push
ebp push ebp mov ebp, esp
mov ebp, esp sub esp, 4
push ecx
int callee(int a, int b) int local if
(local 5) return 1 else return 2 int
main() int c 5 int d 7 int v
callee(c,d) // What is the value of v here?
return 0
Answer 1 (for the Microsoft compiler)
15- Standard prolog
- push ebp
- mov ebp, esp
- sub esp, 4
5
ecx
ebp
???
16- Standard prolog
- push ebp
- mov ebp, esp
- sub esp, 4
- Prolog for 1 local
- push ebp
- mov ebp, esp
- push ecx
5
5
ecx
ecx
ebp
ebp
???
5
17Example of a Compiler Artifact
Standard prolog Prolog for 1 local push
ebp push ebp mov ebp, esp
mov ebp, esp sub esp, 4
push ecx
int callee(int a, int b) int local if
(local 5) return 1 else return 2 int
main() int c 5 int d 7 int v
callee(c,d) // What is the value of v here?
return 0
Answer 1 (for the Microsoft compiler)
mov ebp - 8, 5 mov ebp - C, 7 mov
eax, ebp - C push eax mov ecx, ebp -
8 push ecx call _callee . . .
18Analysis of Indirect Calls
- Case Study Nimda virus
- Use of telltale system routines are obfuscated
- indirect use of LoadLibrary() and
GetProcAddress() - indirection through memory
- Detailed modeling of Dynamic Linked Libraries
(DLLs) - runtime linking
- aliasing forwarding
- Ability to resolve indirect calls
NIMDA Resolved / Total
Indirect calls 366 / 373 209 via import table
LoadLibrary 6 / 8 5 indirect
GetProcAddress 45 / 46 45 indirect
19Goals of the Talk
- WYSINWYX . . . Gulp!
- Why is analyzing machine code important?
- What makes machine code challenging?
- what analysis techniques dont work right out of
the box - Why can it be advantageous to analyze machine
code? - A peek at what we have been able to accomplish
starting from stripped executables
20State-Space Exploration
- Bug detection
- Policy adherence
- Malicious-code detection
21State-Space Exploration
22Locate Bugs by Finding Problematic Paths
enter
exit
if (v malloc()) 0)
T
F
free(v)
double free!
path ? possible sequence of runtime events
23State Machine for Allocation Bugs
- v.unknown, v.null, v.notNull, v.freed
- (v malloc(_)) 0 ?t v.null
- ?f
v.notNull - v malloc(_) ? v.unknown
- v.notNull
- free(v) ? v.freed
- v ? ?no
state change? - v.freed
- free(v) ? double
free! - v ? use
after free! - v.null
- free(v) ? free of
NULL! - v.unknown
- free(v) ? possible
free of NULL!
24Locate Bugs by Finding Problematic Paths
enter
exit
v.freed
if (v malloc()) 0)
v.notNull
T
F
v.freed
v.freed
v.notNull
double free!
free(v)
v.freed
path in CFG ? possible sequence of runtime events
25State-Space Exploration in Machine Code
Target PC 62
Initial PC 0
55 8B EC 83 EC 14 83 7D F4 0F 7D 1F C7 45 F0 01
00 00 00 83 7D F8 08 7E 09 C7 45 EC 05 00 00 00
EB 07 C7 45 EC 06 00 00 00 EB 07 C7 45 F0 00 00
00 00 83 7D F0 01 75 16 83 7D F4 0F 7C 07 3D 00
2A 00 00 EB 07 C7 45 FC 08 00 00 00 EB 07 C7 45
FC 09 00 00 00 33 C0 8B E5 5D C3
PC Program Counter
26- 00 push ebp
- 01 mov ebp, esp
- 03 sub esp, 14h
- 06 cmp ebpvar_C, 0Fh
- 0A jge short loc_2B
- 0C mov ebpvar_10, 1
- 13 cmp ebpvar_8, 8
- 17 jle short loc_22
- 19 mov ebpvar_14, 5
- 20 jmp short loc_29
- 22 mov ebpvar_14, 6
- 29 jmp short loc_32
- 2B mov ebpvar_10, 0
- 32 cmp ebpvar_10, 1
- 36 jnz short loc_4E
- 38 cmp ebpvar_C, 0Fh
- 3C jl short loc_45
- 3E cmp eax, 2A00h
- 43 jmp short loc_4C
55 8B EC 83 EC 14 83 7D F4 0F 7D 1F C7 45 F0 01
00 00 00 83 7D F8 08 7E 09 C7 45 EC 05 00 00 00
EB 07 C7 45 EC 06 00 00 00 EB 07 C7 45 F0 00 00
00 00 83 7D F0 01 75 16 83 7D F4 0F 7C 07 3D 00
2A 00 00 EB 07 C7 45 FC 08 00 00 00 EB 07 C7 45
FC 09 00 00 00 33 C0 8B E5 5D C3
27- 00 push ebp
- 01 mov ebp, esp
- 03 sub esp, 14h
- 06 cmp ebpvar_C, 0Fh
- 0A jge short loc_2B
- 0C mov ebpvar_10, 1
- 13 cmp ebpvar_8, 8
- 17 jle short loc_22
- 19 mov ebpvar_14, 5
- 20 jmp short loc_29
- 22 mov ebpvar_14, 6
- 29 jmp short loc_32
- 2B mov ebpvar_10, 0
- 32 cmp ebpvar_10, 1
- 36 jnz short loc_4E
- 38 cmp ebpvar_C, 0Fh
- 3C jl short loc_45
- 3E cmp eax, 2A00h
- 43 jmp short loc_4C
PC 17 2-byte instruction
55 8B EC 83 EC 14 83 7D F4 0F 7D 1F C7 45 F0 01
00 00 00 83 7D F8 08 7E 09 C7 45 EC 05 00 00 00
EB 07 C7 45 EC 06 00 00 00 EB 07 C7 45 F0 00 00
00 00 83 7D F0 01 75 16 83 7D F4 0F 7C 07 3D 00
2A 00 00 EB 07 C7 45 FC 08 00 00 00 EB 07 C7 45
FC 09 00 00 00 33 C0 8B E5 5D C3
PC 18 2-byte instruction
18 or edi, eax 1A inc ebp 1B in al, dx 1C
add eax, 0EB000000h 21 pop es 22 mov dword ptr
ebp-14h, 6
28- 00 push ebp
- 01 mov ebp, esp
- 03 sub esp, 14h
- 06 cmp ebpvar_C, 0Fh
- 0A jge short loc_2B
- 0C mov ebpvar_10, 1
- 13 cmp ebpvar_8, 8
- 17 jle short loc_22
- 19 mov ebpvar_14, 5
- 20 jmp short loc_29
- 22 mov ebpvar_14, 6
- 29 jmp short loc_32
- 2B mov ebpvar_10, 0
- 32 cmp ebpvar_10, 1
- 36 jnz short loc_4E
- 38 cmp ebpvar_C, 0Fh
- 3C jl short loc_45
- 3E cmp eax, 2A00h
- 43 jmp short loc_4C
int main() int x, y, z, p, tmp1 if(x
lt 15) tmp1 1 if(y gt 8) z
5 else z 6 else tmp1 0
if(tmp1 1) if(x gt 15)
UNREACHABLE() else p 8 else
p 9 return 0
29More ChallengesNeed Simultaneous Numeric
Pointer Analysis
dereference operation
Source int a . . . a 2
Compiled code sub esp, 40 for all
locals mov dword ptr ebp-12, 2
saved ret. addr
saved frame ptr
ebp
a
arithmetic operation
30Intervals Not Appropriate forSets of Addresses
- Checking for non-aligned accesses
- pointer forging? e.g., 4-byte fetch from
1020,1028 - need to keep stride (congruence) information
- e.g., 4-byte fetch from 41020,1028
31Arithmetic on Integers vs. Ints
- Machine arithmetic is 32-bit twos complement
(int) - Static analysis based on infinite-precision
integer arithmetic is unsound
Unreachable!
232 ? 0
x 232 1 if (trigger) x x 1 if (x 0)
?Do something malicious?
32Design Space for Machine-Code-Analysis Tools
- What is available initially?
- source code plus the executable
- no source code, but the executable includes
symbol-table/debugging information (unstripped) - no source code no symbol-table/debugging
information (stripped) - What properties are checked?
- What is expected of the analyzer after the first
anomalous action is detected?
33Two Points in the Design Space
- CodeSurfer/x86, DDA/x86
- Stripped executables
- IR recovery property checking (DDA/x86)
- Account only for behaviors expected from a
standard compilation model - Report evidence of possible deviations from such
behaviors
- McVeto/x86 PPC32
- Stripped executables
- Check reachability properties
- Account for deviant behaviors
- self-modifying code
- instruction aliasing
- report definite instances of stack corruption
34Invariant Checking
?
?
?
?
35Goals of the Talk
- WYSINWYX . . . Gulp!
- Why is analyzing machine code important?
- What makes machine code challenging?
- what analysis techniques dont work right out of
the box - Why can it be advantageous to analyze machine
code? - A peek at what we have been able to accomplish
starting from stripped executables
36A Surprise Analyzing Executables can be Less
Complicated than Analyzing Source
- Some source-level issues go away!
- use of multiple source languages
- in-lined assembly code
- avoids build problems (i.e., for the application
to be analyzed) - analyze the actual library code, not hand-written
stubs - D. Gopan T. Reps, Low-level library analysis
and summarization CAV 07
37A Surprise Analyzing Executables can be More
Precise than Analyzing Source
Source f( p(x), q(y), r(z) )
Executable r(z) q(y) p(x) f
To be as precise, a source-code-analysis tool
would have to duplicate all choices made by the
compiler optimizer
38Platform-Specific ? Fewer Behaviors
?
39Join Over-Approximation to Union
X ? 5,10
X ? 18,22
X ? 5,10 ? 18,22
40Platform-Specific ? Fewer Behaviors
?
41Goals of the Talk
- WYSINWYX . . . Gulp!
- Why is analyzing machine code important?
- What makes machine code challenging?
- what analysis techniques dont work right out of
the box - Why can it be advantageous to analyze machine
code? - A peek at what we have been able to accomplish
starting from stripped executables
42UW Machine-Code Analysis Projects
- CodeSurfer/x86 machine-code slicing CC04,
TOPLAS10 - tracks dependences across memory updates and
accesses - DDA/x86 device-driver verification TACAS08
- TSL analysis generator CC08
- concrete semantics abstract domain ? abstract
semantics - McVeto machine-code verification CAV10
- unrestricted machine-code programs
- including self-modifying code and instruction
aliasing - FFE/x86 file-format inference WCRE06
- Library summarization CAV07
- BCE botnet command extractor TR-1668
43Static Analysis of ExecutablesPrior State of
the Art (2001)
- Relies on debugging information
- Atom, EEL, Vulcan
- Able to track only data movements via registers
- EEL, Cifuentes, Debbabi, Debray
- Poor treatment of memory operations
- Overly conservative treatment ? many false
positives - Non-conservative treatment ? many false negatives
- Limited usefulness for security analysis
CodeSurfer/x86s analyses Able to track the
effects of memory operations
44What Sets Our Work Apart?
- Create an analyzer to identify indirect calls
- Create an analyzer to identify strings
- Create an analyzer to check stack height
- versus our approach
- Create an analyzer that, for
- each instruction I in the executable and its
libraries - each calling context of I
- each register and variable V in scope
- statically determines an over-approximation to
- the set of values that V may contain when I
executes
But what are the variables if we start with a
stripped executable?
45State-Space Exploration
46State-Space Exploration
47State-Space Exploration
- Memory-safety violations!
- Access outside of activation record
- Access outside of malloced block
- Call/jump to data
- Use of code as data
48IR Recovery in CodeSurfer/x86Scope of our
Ambitions
- Aim to handle programs that conform to a
standard compilation model - procedures
- activation records
- global data region
- heap-allocated structs/objects (malloc/new)
- virtual functions
- dynamically linked libraries
- Limitations
- single-threaded applications
- interrupts signal handlers
49IR Recovery in CodeSurfer/x86Scope of our
Ambitions
- Aim to handle programs that conform to a
standard compilation model - procedures
- activation records
- global data region
- heap-allocated structs/objects (malloc/new)
- virtual functions
- dynamically linked libraries
- Report indications of non-conformance
- violations of stack protocol
- return address modified within procedure
- Memory-safety violations
- Access outside of activation record
- Access outside of malloced block
- Call/jump to data
- Use of code as data
50Invariant Checking
?
?
?
?
51The IR-Recovery Problem
- Given a stripped executable E, identify the
- procedures
- variables
- data objects
- types
- libraries
- that it uses, and
- for each instruction I in E and its libraries
- for each interprocedural calling context of I
- for each machine register and variable V in scope
- statically determine an over-approximation to
- the set of values that V may contain when I
executes
Bootstrapped analysis Obtain better and better
estimates using multiple rounds of analysis
52Quality of Variables Structs RecoveredComparis
on with Debugging Information
Structure of data allocated on stack (locals)
Structure of data allocated on heap
53Stripped executable
IDA Pro disassembler
IR Recovery Phases
- Initial IR
- instruction ASTs
- initial call graph CFGs
Memory-access and variable-recovery analyzer
- Fleshed-out IR
- improved call graph CFGs
- a-locs ( inferred variables structs)
- possible values held by each a-loc at each CFG
node - used, killed, may-killed a-locs at each CFG node
CodeSurfer dependence-graph builder
- program dependence graphs
- forward backward slicing chopping
- GUI for dependence-graph navigation
54What Does an Analyst Want to Know?
- What are the
- programs variables?
- What are the
- programs parameters?
- Where could this
- indirect jump go?
- What function could be
- called at this indirect call site?
- What could this dereference
- operation access/affect?
- What kind of object is
- allocated at this allocation site?
- What could the value held
- in V eventually affect?
- What could have affected
- the value of V?
55Example
- int arrVal0, pArray2
- int main()
- int i, a10, p
- / Initialize pointers /
- pArray2 a2
- p a0
- / Initialize Array /
- for(i 0 ilt10 i)
- p arrVal
- p
-
- / Return a2 /
- return pArray2
ebx ? variable i ecx ? variable p sub
esp, 40 adjust stack lea edx, esp8
mov 8, edx pArray2a2 lea ecx,
esp pa0 mov edx, 4
loc_9 mov ecx, edx parrVal add
ecx, 4 p inc ebx i cmp
ebx, 10 ilt10? jl short loc_9 mov
edi, 8 mov eax, edi return
pArray2 add esp, 40 retn
56Example
- int arrVal0, pArray2
- int main()
- int i, a10, p
- / Initialize pointers /
- pArray2 a2
- p a0
- / Initialize Array /
- for(i 0 ilt10 i)
- p arrVal
- p
-
- / Return a2 /
- return pArray2
ebx ? variable i ecx ? variable p sub
esp, 40 adjust stack lea edx, esp8
mov 8, edx pArray2a2 lea ecx,
esp pa0 mov edx, 4
loc_9 mov ecx, edx parrVal add
ecx, 4 p inc ebx i cmp
ebx, 10 ilt10? jl short loc_9 mov
edi, 8 mov eax, edi return
pArray2 add esp, 40 retn
?
57Example
ffffffffh
ebx ? variable i ecx ? variable p sub
esp, 40 adjust stack lea edx, esp8
mov 8, edx pArray2a2 lea ecx,
esp pa0 mov edx, 4
loc_9 mov ecx, edx parrVal add
ecx, 4 p inc ebx i cmp
ebx, 10 ilt10? jl short loc_9 mov
edi, 8 mov eax, edi return
pArray2 add esp, 40 retn
a(40 bytes)
Data local to main (Activation Record)
?
pArray2(4 bytes)
8h
Global data
arrVal(4 bytes)
4h
58Example
ffffffffh
ebx ? variable i ecx ? variable p sub
esp, 40 adjust stack lea edx, esp8
mov 8, edx pArray2a2 lea ecx,
esp pa0 mov edx, 4
loc_9 mov ecx, edx parrVal add
ecx, 4 p inc ebx i cmp
ebx, 10 ilt10? jl short loc_9 mov
edi, 8 mov eax, edi return
pArray2 add esp, 40 retn
Data local to main (Activation Record)
No debugging information
?
Global data
4h
59Memory-Regions
- Memory-region a sequence of similar runtime
locations - AR-region Locations that belong to an activation
record - Malloc-region Locations that are allocated at a
malloc site - Global-region Locations that correspond to
global data
. . .
AR of G
AR of F
. . .
AR of F
. . .
AR of G
AR of G
GLOBAL DATA
GLOBAL DATA
60Example Memory-Regions
(main, 0)
ebx ? variable i ecx ? variable p sub
esp, 40 adjust stack lea edx, esp8
mov 8, edx pArray2a2 lea ecx,
esp pa0 mov edx, 4
loc_9 mov ecx, edx parrVal add
ecx, 4 p inc ebx i cmp
ebx, 10 ilt10? jl short loc_9 mov
edi, 8 mov eax, edi return
pArray2 add esp, 40 retn
(GL,12)
(GL,4)
Global Region
(main, -40)
Region for main
?
61Memory-Layout Inference (1st Cut)
- Data-layout clues (IDAPros approach)
- some variables held in registers
- global variables ? absolute addresses
- local variables ? offsets in stack frame
- A-locs
- locations between consecutive addresses
- locations between consecutive offsets
- registers
- Drawbacks No information for
- indirect accesses using a non-stack-frame
register - dynamically-allocated objects
62Example A-locs
(main, 0)
ebx ? variable i ecx ? variable p sub
esp, 40 adjust stack lea edx, esp8
mov 8, edx pArray2a2 lea ecx,
esp pa0 mov edx, 4
loc_9 mov ecx, edx parrVal add
ecx, 4 p inc ebx i cmp
ebx, 10 ilt10? jl short loc_9 mov
edi, 8 mov eax, edi return
pArray2 add esp, 40 retn
(GL,12)
8
(GL,8)
4
(GL,4)
esp8
(main, -32)
Global Region
esp
(main, -40)
Region for main
?
63Example A-locs
(main, 0)
ebx ? variable i ecx ? variable p sub
esp, 40 adjust stack lea edx, esp8
mov 8, edx pArray2a2 lea ecx,
esp pa0 mov edx, 4
loc_9 mov ecx, edx parrVal add
ecx, 4 p inc ebx i cmp
ebx, 10 ilt10? jl short loc_9 mov
edi, 8 mov eax, edi return
pArray2 add esp, 40 retn
(GL,12)
mem_8
main_32
(GL,8)
mem_4
(GL,4)
(main, -32)
Global Region
main_40
(main, -40)
Region for main
?
64Value-Set An Abstraction of aSet of Values
Addresses
Concrete state
Memory-regions
. . .
AR of G
AR of F
. . .
AR of F
Value-set
. . .
AR of G
AR of G
GLOBAL DATA
(SIGlobal, SIG, SIF)
GLOBAL DATA
65Example Value-Set Analysis
(main, 0)
ebx ? variable i ecx ? variable p sub
esp, 40 adjust stack lea edx, esp8
mov 8, edx pArray2a2 lea ecx,
esp pa0 mov edx, 4
loc_9 mov ecx, edx parrVal add
ecx, 4 p inc ebx i cmp
ebx, 10 ilt10? jl short loc_9 mov
edi, 8 mov eax, edi return
pArray2 add esp, 40 retn
(GL,12)
mem_8
main_32
(GL,8)
mem_4
(GL,4)
(main, -32)
Global Region
main_40
(main, -40)
Region for main
?
66Memory-Layout Inference (2nd Cut)
- IDAPro only provides information about
- variables accessed via globals
- variables accessed via ebp or esp
- Problem indirect accesses that use a
- non-stack-frame register, e.g., mov eax,10
- Idea Use VSA results
- VSA indicates what addresses eax can hold
67Identifying Variables VSA ASI
- Aggregate Structure Identification (ASI)
- Ramalingam et al. POPL 1999
- Partition aggregates according to the programs
memory-access patterns - Original motivation Y2K
- VSA provides ASI with the count, size, and stride
of an array access - ASI identifies structs and arrays
68Aggregate Structure Identification
ebx ? variable i ecx ? variable p sub
esp, 40 adjust stack lea edx, esp8
mov 8, edx pArray2a2 lea ecx,
esp pa0 mov edx, 4
loc_9 mov ecx, edx parrVal add
ecx, 4 p inc ebx i cmp
ebx, 10 ilt10? jl short loc_9 mov
edi, 8 mov eax, edi return
pArray2 add esp, 40 retn
40
edi ? (?, -32)
69Aggregate Structure Identification
ebx ? variable i ecx ? variable p sub
esp, 40 adjust stack lea edx, esp8
mov 8, edx pArray2a2 lea ecx,
esp pa0 mov edx, 4
loc_9 mov ecx, edx parrVal add
ecx, 4 p inc ebx i cmp
ebx, 10 ilt10? jl short loc_9 mov
edi, 8 mov eax, edi return
pArray2 add esp, 40 retn
40
1?
7?
2?
4
ecx ?? (?, 4-40,-4)
70Aggregate Structure Identification
ebx ? variable i ecx ? variable p sub
esp, 40 adjust stack lea edx, esp8
mov 8, edx pArray2a2 lea ecx,
esp pa0 mov edx, 4
loc_9 mov ecx, edx parrVal add
ecx, 4 p inc ebx i cmp
ebx, 10 ilt10? jl short loc_9 mov
edi, 8 mov eax, edi return
pArray2 add esp, 40 retn
40
1?
7?
2?
4
4
4
ASI two arrays one scalar
71Aggregate Structure Identification
(main, 0)
40
main_32
(main, -32)
1?
7?
2?
main_40
(main, -40)
Region for main
4
4
4
Earlier one 8-byte a-loc one 32-byte a-loc
ASI two arrays one scalar
72Aggregate Structure Identification
40
High-level type struct int a2 int b
int c7
1?
7?
2?
4
4
4
ASI two arrays one scalar
73Memory-Layout Inference (3rd Cut)
- What about dynamically-allocated objects?
- G. Balakrishnan and T. Reps,
- Recency-abstraction for heap-allocated
storage SAS 06
74Dynamically-Allocated Storage
MallocBlock
VirtualTable
p
p
VirtualTable
MallocBlock
75Most Analyses Unsound!
MallocBlock
VirtualTable
p
p
VirtualTable
MallocBlock
76Dynamically-Allocated Storage
- Use two regions per malloc-site
- Most-Recently-Allocated Block (MRAB)
- Non-Most-Recently-Allocated Block (NMRAB)
- MRAB
- Never a summary region
- At most one concrete heap block
- NMRAB
- Generally a summary region
- Can represent more than one concrete block
77Dynamically-Allocated Storage
MRAB
VT
f
g
f
g
f
g
NMRAB
MRAB
VT
78Dynamically-Allocated Storage
MRAB
NMRAB
VT
NMRAB
MRAB
VT
79Dynamically-Allocated Storage
MRAB
NMRAB
VT
p
v ?? w
v ?? w
NMRAB
MRAB
VT
80Dynamically-Allocated Storage
MRAB
NMRAB
VT
v ?? w
p
Strong Update!
v ?? w
v ?? w
NMRAB
MRAB
VT
81Dynamically-Allocated Storage
class parent int z public parent()
z(0) virtual void foo() virtual void
bar() class child public parent char
c public child() c(0) virtual
void foo() virtual void bar()
void virtualFnsDemo() parent p int x
scanf(" d ", x) if (x) p new
parent p-gtfoo() else p new
child p-gtfoo() p-gtbar() delete
p return
Constructor initializes the virtual-table field
call ??2_at_YAPAXI_at_Z operator new(uint) add
esp, 4 test eax, eax jz short
loc_F5 mov esi, eax mov dword ptr
eax4, 0 mov dword ptr eax, offset
??_7parent_at__at_6B_at_
parentvftable mov ecx, esi mov edx,
esi call dword ptr edx
edx parentfoo
82Dynamically-Allocated Storage
class parent int z public parent()
z(0) virtual void foo() virtual void
bar() class child public parent char
c public child() c(0) virtual
void foo() virtual void bar()
void virtualFnsDemo() parent p int x
scanf(" d ", x) if (x) p new
parent p-gtfoo() else p new
child p-gtfoo() p-gtbar() delete
p return
edx4 childbar, parentbar
mov esi, eax . . . mov ecx, esi mov
edx, esi call dword ptr edx4
83Dynamically-Allocated Storage
struct List int a struct List next
void mallocInALoop() int i List head
0 for(i 0 i lt 5 i) m List elem
(List)malloc(sizeof(List)) elem-gta
i elem-gtnext head head
elem return
84Stripped executable
IDA Pro disassembler
IR Recovery Phases
- Initial IR
- instruction ASTs
- initial call graph CFGs
Memory-access and variable-recovery analyzer
- Fleshed-out IR
- improved call graph CFGs
- a-locs ( inferred variables structs)
- possible values held by each a-loc at each CFG
node - used, killed, may-killed a-locs at each CFG node
CodeSurfer dependence-graph builder
- program dependence graphs
- forward backward slicing chopping
- GUI for dependence-graph navigation
85Why Iterate?
a
- Multi-level data structures
- struct A a
- a -gt b_ptr -gt c_ptr 17
- struct A
- int . . . char . . .
- struct B b_ptr
- . . .
-
- struct B
- int . . . char . . .
- struct C c_ptr
A
B
C
17
86Why Iterate?
a
- Multi-level data structures
- struct A a
- a -gt b_ptr -gt c_ptr 17
- mov eax, ebp - 20
- mov ebx, eax 8
- mov ecx, ebx 12
- mov ecx 8, 17
A
B
C
17
87Why Iterate?
ebp
a
- Multi-level data structures
- struct A a
- a -gt b_ptr -gt c_ptr 17
- mov eax, ebp - 20
- mov ebx, eax 8
- mov ecx, ebx 12
- mov ecx 8, 17
A
??
B
??
C
??
88Why Iterate?
ebp
a
- Multi-level data structures
- struct A a
- a -gt b_ptr -gt c_ptr 17
- mov eax, ebp - 20
- mov ebx, eax 8
- mov ecx, ebx 12
- mov ecx 8, 17
A
eax
w.r.t. frame pointer
??
ebx
B
??
w.r.t. ???
ecx
C
??
17
89UW Machine-Code Analysis Projects
- CodeSurfer/x86 machine-code slicing CC04,
TOPLAS10 - tracks dependences across memory updates and
accesses - DDA/x86 device-driver verification TACAS08
- TSL analysis generator CC08
- concrete semantics abstract domain ? abstract
semantics - McVeto machine-code verification CAV10
- unrestricted machine-code programs
- including self-modifying code and instruction
aliasing - FFE/x86 file-format inference WCRE06
- Library summarization CAV07
- BCE botnet command extractor TR-1668
90Device-Driver Analysis with DDA/x86
- Device driver
- (roughly) a library that exports API for making
I/O requests - Programming conventions are complicated
- 85 of crashes in Windows due to driver bugs
- Swift et al. 2005
- DDA/x86 prototype
- extension to CodeSurfer/x86
- Balakrishnan Reps, Analyzing stripped
device-driver executables, TACAS 2008
91PendedCompletedRequested Rule
A drivers dispatch routine should not return
STATUS_PENDING on an I/O Request Packet (IRP) if
it has called IoCompleteRequest on the IRP,
unless it has also called IoMarkIrpPending.
92State-Space Exploration
93State-Space Exploration
Stripped executable
Property specification
Memory-access and property analyzer
Error report
CFG call graph memory-access info
OK
94SLAM Error Trace
DDA/x86 Error Trace
95Results For PendedCompletedRequested Rule
? A-locs from semi-naïve algorithm ? With
GMOD-based merge function ? With cross-product
automaton
96Device Extension Structure for moufiltr driver
Declaration in C source
Structure in executable
97Device Extension Structure for moufiltr driver
Declaration in C source
Structure identified by DDA/x86
98UW Machine-Code Analysis Projects
- CodeSurfer/x86 machine-code slicing CC04,
TOPLAS10 - tracks dependences across memory updates and
accesses - DDA/x86 device-driver verification TACAS08
- TSL analysis generator CC08
- concrete semantics abstract domain ? abstract
semantics - McVeto machine-code verification CAV10
- unrestricted machine-code programs
- including self-modifying code and instruction
aliasing - FFE/x86 file-format inference WCRE06
- Library summarization CAV07
- BCE botnet command extractor TR-1668
99Transformer Specification Language (TSL)
- Machine-code analyses for other instruction sets
- PowerPC, ARM, MIPS, . . .
- Easy creation of new machine-code analyses
- Provide a single unified definition of an
instruction sets concrete semantics - from one well-defined formalism, generate all
analyzers - guarantees that all analyzers work off of the
same semantics - Automatically instantiate an appropriate variant
of VSA, ASI, symbolic execution, etc. - More generally, a platform for creating
- multiple analysis components
- for multiple tools
- analyzing multiple languages
100TSL Design Principles
Client Analyzer
N Analysis Components
Analysis1
Analysis2
AnalysisN
TSL Compiler
M Instruction-Set Specifications
101TSL Design Principles
Stays the same
Client Analyzer
N Analysis Components
Analysis1
Analysis2
AnalysisN
TSL Compiler
M Instruction-Set Specifications
102TSL Design Principles
Easily add an additional analysis in a
language-independent way
Client Analyzer
N Analysis Components
Analysis1
Analysis2
AnalysisN
AnalysisN1
TSL Compiler
M Instruction-Set Specifications
103TSL Leverage
Redefine 40 TSL operations for each analysis
Client Analyzer
N Analysis Components
Analysis1
Analysis2
AnalysisN
AnalysisN1
Conventional approach Redefine gt600 x86
instructions for each analysis
TSL Compiler
M Instruction-Set Specifications
104TSL Two-Dimensional Generator
concrete semantics abstract domain1 ? abstract
semantics1 concrete semantics abstract domain2
? abstract semantics2 concrete semanticsL1
abstract domain ? abstract semanticsL1 concrete
semanticsL2 abstract domain ? abstract
semanticsL2 Tool generator abstract-semantics
generator Tool driver concrete semanticsL1
abstract domain(s) Tool driver ?
Tool/L1 concrete semanticsL2 abstract domain(s)
Tool driver ? Tool/L2
105TSL Basics
- Meta-language for specifying an instruction sets
concrete semantics - Pure functional language ( first-order ML)
- instruction lt. . . an appropriate tree data
type . . . gt - state (INT32-gtINT8, reg-gtINT32, flag-gtBool)
- Write an interpreter state interpInstr(instructio
n I, state S) . . . - Interface for implementing analyses
- supply an abstract interpretation for each TSL
operator - , , mapAccess, mapUpdate, . . .
- interpret interpInstr under semantics
generates interpInstr - for an instruction at address m, the analysis
transformer is - interpInstr(decodeInstrAt(m), _ )
106TSL Leverage
Client Analyzer
N Analysis Components
M Instruction-Set Specifications
107TSL Leverage
Client Analyzer
N Analysis Components
TSL Compiler
- Greatly reduced effort ? enables
- building more ambitious tools
- Separation of concerns provides
- greater confidence in correctness
M Instruction-Set Specifications
108Static-Analysis Components
Analysis of memory contents (numeric values
addresses) Variable-identification analysis
Affine-relation analysis (affine equalities)
Global-modification analysis (GMOD) Live-flag
analysis Reaching-flag analysis
Available-register analysis
Symbolic-Analysis Components
Symbolic execution (quantifier-free bit-vector
arithmetic) Precondition generation
Dynamic-Analysis Components
Emulate the specified processor interpret each
operator concretely
109Case Study
Instruction-set specifiers work x86 (3200
lines of TSL) 10-20 man-days to write the
TSL specification TSL generates about
27,000 lines of C PowerPC32 (1600 lines of
TSL) 4 man-days to write the TSL
specification
Analysis developers work 166
basetype-operators - This number covers four
kinds of operand sizes for each basic
operation Add8, Add16, Add32, Add64 166/4
40 operations 2 map-operators (access/update)
for each map type
110Leverage Provided by TSL
Hand-written
TSL-based
CodeSurfer/SWYXx86
15 days to write the x86 spec
1 man month to implement all analyses
111Leverage Provided by TSL
Hand-written
TSL-based
Affine Relation Analysis
542 instruction instances
112Leverage Provided by TSL
Hand-written
TSL-based
Affine Relation Analysis
Equivalent in 324 cases out of 542
TSL generated transformers were more precise in
218 cases
Better!
113UW Machine-Code Analysis Projects
- CodeSurfer/x86 machine-code slicing CC04,
TOPLAS10 - tracks dependences across memory updates and
accesses - DDA/x86 device-driver verification TACAS08
- TSL analysis generator CC08
- concrete semantics abstract domain ? abstract
semantics - McVeto machine-code verification CAV10
- unrestricted machine-code programs
- including self-modifying code and instruction
aliasing - FFE/x86 file-format inference WCRE06
- Library summarization CAV07
- BCE botnet command extractor TR-1668
114Two Points in the Design Space
- CodeSurfer/x86, DDA/x86
- Stripped executables
- IR recovery property checking (DDA/x86)
- Account only for behaviors expected from a
standard compilation model - Report evidence of possible deviations from such
behaviors
- McVeto/x86 PPC32
- Stripped executables
- Check reachability properties
- Account for deviant behaviors
- self-modifying code
- instruction aliasing
- report definite instances of stack corruption
115But How to Obtain Leverage on the Problem?
- Learn the right abstraction
- Learning a source-code abstraction
- Synergy/Dash/Smash use execution traces and
directed test generation to drive the process of
learning an abstraction - when directed test generation returns
unsatisfiable, - apply splitting-based refinement of current
abstraction - Relevant approach for machine-code verification
because we can execute machine code faithfully - McVeto insight use many forms of learning
116McVeto Insight Use Many Forms of Learning
Trace-based refinement
Speculative trace refinement
McVeto talk Saturday, July 17 at 1530
Aliasing-condition learning
Implicit summaries
Splitting-based refinement
117Goals of the Talk
- WYSINWYX . . . Gulp!
- Why is analyzing machine code important?
- What makes machine code challenging?
- what analysis techniques dont work right out of
the box - Why can it be advantageous to analyze machine
code? - A peek at what we have been able to accomplish
starting from stripped executables
118UW Machine-Code Analysis Achievements
- All start with stripped executables
- we explored two main points in design space of
machine-code-analysis tools - CodeSurfer/x86 CC04, TOPLAS10
- first machine-code slicer capable of tracking
dependences across memory updates and accesses - novel algorithms to
- recover (proxies for) variables
- discover the variables possible values
- determine the effects of memory operations
- DDA/x86 TACAS 08
- first verification tool for stripped device
drivers - TSL analysis generator CC08
- concrete semantics abstract domain ? abstract
semantics - McVeto machine-code verification CAV10
- first automatic verification tool for
machine-code programs, including self-modifying
code and instruction aliasing - FFE/x86 file-format inference WCRE06
- Summarization of library operations CAV07
- BCE botnet command extractor TR-1668
119Related Work
- Platforms ATOM, EEL, Phoenix, Vulcan, Pin, IDA
Pro, Paradyn - Improved creation of basic IRs B. Miller
Lakhotia - Dataflow analysis Debray Backes Regehr A.
King De Sutter et al. August - Software engineering/understanding Cifuentes
Amme - Verification Bergeron Debbabi Kroening
StEAM Kinder Schlich Bardin Muehlberg Chaki - Security Godefroid Song Vigna Kruegel
Martignoni Lee Giffin
Saidi Bardin - Types Mycroft
- Analysis of cache behavior Wilhelm AbsInt
- Proof-carrying code Necula Lee
- Relating source code to compiled code Kozen
Rival Pnueli - Low-level models of the semantics of high-level
code - Grossman Chambers Miné Ramalingam
120Theres Plenty of Room at the Bottom!
See paper in CAV Proceedings
McVeto talk Saturday, July 17 at 1530
Questions?
121(No Transcript)
122Related Work
- Cifuentes Fraboulet, Intraprocedural static
slicing of binary executables - ICSM 97
- Debray et al., Alias analysis of executable
code POPL 98 - Amme et al., Data dependence analysis of
assembly code PACT 98 - Mycroft, Type-based decompilation ESOP 99
- Linn et al., Stack analysis of x86 executables
Unpublished - De Sutter et al., On the static analysis of
indirect control transfers in binaries - PDPTA 00
- Backes, Programmanalyse des XRTL
Zwischencodes, Ph.D. thesis, - Univ. des Saarlandes, 2004
- Guo et al., Practical and accurate low-level
pointer analysis CGO 05 - Christodorescu et al., String analysis for x86
binaries PASTE 05 - Regehr et al. Eliminating stack overflow by
abstract interpretation TECS 05 - Zhang et al., Parameter and return-value
analysis of binary executables - COMPSAC 07
- Sa?di, Logical foundation for static analysis
Application to binary static analysis - for security Unpublished
123For More Information
- Balakrishnan Reps, Analyzing memory accesses
in x86 executables CC 04 - Reps, Balakrishnan, Lim, Teitelbaum, A next-
generation platform for - analyzing executables APLAS 05
- Lal, Reps, Balakrishnan, Extended weighted
pushdown systems CAV 05 - Reps, Balakrishnan, Lim, Intermediate-represen
tation recovery from - low-level code PEPM 06
- Balakrishnan Reps, Recency-abstraction for
heap-allocated storage SAS 06 - Balakrishnan Reps, DIVINE DIscovering
Variables IN Executables - VMCAI 07
- Gopan Reps, Low-level library analysis and
summarization CAV 07 - Balakrishnan, WYSINWYX What You See Is Not
What You eXecute, - Ph.D. thesis and TR-1603, CS Dept., Univ. of
Wisconsin, Aug. 2007 - Balakrishnan Reps, Analyzing stripped
device-driver executables TACAS 08 - Lim Reps, A system for generating static
analyzers for machine instructions - CC 08
124Example Value-Set Analysis
(main, 0)
ebx ? variable i ecx ? variable p sub
esp, 40 adjust stack lea edx, esp8
mov 8, edx pArray2a2 lea ecx,
esp pa0 mov edx, 4
loc_9 mov ecx, edx parrVal add
ecx, 4 p inc ebx i cmp
ebx, 10 ilt10? jl short loc_9 mov
edi, 8 mov eax, edi return
pArray2 add esp, 40 retn
(GL,12)
mem_8
main_32
(GL,8)
mem_4
(GL,4)
(main, -32)
Global Region
main_40
(main, -40)
Region for main
?
Corrupts the stack?
125Affine-Relation Analysis
- Value-sets are an independent-attribute domain
- no relations on values of different a-locs
- Imprecise results, e.g.,
- upper bound for ebx cmp ebx,10 (i lt 10?)
- but no upper bound for ecx at loc_9
- Improved by discovering affine relations
- identifies a loops induction variables
. . . loc_9 mov ecx, edx parrVal add
ecx, 4 p inc ebx i cmp
ebx, 10 ilt10? jl short loc_9 . . .
126Affine-Relation Analysis
- Obtain affine relations via static analysis
- Use affine relations to improve precision
- e.g., at loc_9
- ecxesp(4?ebx), ebx(10,9,?), esp(?,-40)
- ? ecx(?,-40)4(10,9)
- ? ecx(?,4-40,-4)
- ? upper bound for ecx at loc_9
. . . loc_9 mov ecx, edx parrVal add
ecx, 4 p inc ebx i cmp
ebx, 10 ilt10? jl short loc_9 . . .
127Affine-Relation Analysis
- Affine relation a0 ??i?1..n(ai xi) 0
- x1, x2, , xn a-locs
- a0, a1, , an int constants
- more general than
- constant propagation
- induction-variable analysis
- Idea determine affine relations on a-locs
- propagate loop-bound info to other a-locs
- ARA for modular arithmetic MOS05
128Example Value-Set Analysis
(main, 0)
ebx ? variable i ecx ? variable p sub
esp, 40 adjust stack lea edx, esp8
mov 8, edx pArray2a2 lea ecx,
esp pa0 mov edx, 4
loc_9 mov ecx, edx parrVal add
ecx, 4 p inc ebx i cmp
ebx, 10 ilt10? jl short loc_9 mov
edi, 8 mov eax, edi return
pArray2 add esp, 40 retn
(GL,12)
mem_8
main_32
(GL,8)
mem_4
(GL,4)
(main, -32)
Global Region
main_40
(main, -40)
Region for main
?
129(No Transcript)
130Questions
131Sidestepping Undecidability
Overapproximate the reachable states
Reachable States
Bad States
False positive!
Universe of States
132Outline
- Value-set analysis
- Better identification of variables
133Outline
- Value-set analysis
- Better identification of variables
134(No Transcript)