Refinement-Based CFG Reconstruction from Unstructured Programs

This paper addresses the problem of recovering an approximation of the control flow graph (CFG) of an unstructured program, typically an executable file, that is both safe, in that it over-approximates every possible control transfer, and precise. The problem is tackled in an original way, with a refinement-based static analysis working over finite sets of constant values. Requirement propagation lets the analysis adjust the precision of the domain automatically, and only where it is needed, resulting in precise CFG recovery at moderate cost. First experiments, including an industrial case study, show that the method outperforms standard analyses in precision, efficiency or robustness.
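The following is an added example, not code from the paper or from its authors' tool, that shows the shape of the idea in the abstract on a constructed toy: a small register machine with a jump table, a per-register "k-set" domain that tracks at most k constants per register and otherwise gives up (TOP), and a refinement loop that raises k only for the registers feeding an indirect jump the analysis could not resolve. The instruction set, the program, the jump table and the simplified backward def-use "requirement propagation" are all assumptions made for this illustration; the paper's actual domain and propagation rules are not reproduced here.

```python
"""Toy refinement-based CFG reconstruction over a k-set value domain.
Added illustration, not the paper's implementation: a constructed register
machine with a jump table is analysed with a per-register k-set domain (at
most k known constants, otherwise TOP), and a refinement loop raises k only
for the registers that feed an indirect jump the analysis could not resolve."""

DEFAULT_K = 1  # starting precision: one constant per register

# Constructed jump table (indexed by the case number in r0) and program.
TABLE = [11, 13, 15]
PROG = [
    ('mov', 'r0', 0),      # 0  default case index
    ('mov', 'r5', 100),    # 1  r5 never feeds the jump: its precision should stay at 1
    ('jz', 'r9', 5),       # 2  r9 is an unknown input, so both branches are feasible
    ('mov', 'r0', 1), ('mov', 'r5', 200),  # 3,4
    ('jz', 'r8', 8),       # 5  r8 is another unknown input
    ('mov', 'r0', 2), ('mov', 'r5', 300),  # 6,7
    ('load', 'r2', 'r0'),  # 8  r2 = TABLE[r0]
    ('jmp', 'r2'),         # 9  indirect jump whose targets must be recovered
    ('halt',),             # 10 padding that no path reaches
    ('addi', 'r5', 1), ('jmpi', 17),  # 11,12  case 0
    ('addi', 'r5', 2), ('jmpi', 17),  # 13,14  case 1
    ('addi', 'r5', 3), ('jmpi', 17),  # 15,16  case 2
    ('halt',),             # 17
]

# A state maps registers to frozensets of constants; an absent register is TOP.
def set_reg(st, reg, vals, k):
    """Bind reg to vals, or to TOP when vals is None or exceeds the register's k."""
    st = dict(st)
    st.pop(reg, None)
    if vals is not None and len(vals) <= k.get(reg, DEFAULT_K):
        st[reg] = frozenset(vals)
    return st
def join(a, b, k):
    """Least upper bound of two states; a is None for a pc not visited yet."""
    if a is None:
        return b
    out = {}
    for reg in a.keys() & b.keys():
        out = set_reg(out, reg, a[reg] | b[reg], k)
    return out
def step(pc, st, k):
    """Abstract transfer: yields (successor pc, state); successor None = unresolved jump."""
    ins, op = PROG[pc], PROG[pc][0]
    if op == 'mov':
        yield pc + 1, set_reg(st, ins[1], {ins[2]}, k)
    elif op == 'addi':
        v = st.get(ins[1])
        yield pc + 1, set_reg(st, ins[1], None if v is None else {x + ins[2] for x in v}, k)
    elif op == 'load':  # read-only table lookup; unknown or out-of-range index gives TOP
        idx = st.get(ins[2])
        ok = idx is not None and all(0 <= i < len(TABLE) for i in idx)
        yield pc + 1, set_reg(st, ins[1], {TABLE[i] for i in idx} if ok else None, k)
    elif op == 'jmpi':
        yield ins[1], st
    elif op == 'jz':  # branch if zero; each side keeps only the values consistent with it
        v = st.get(ins[1])
        if v is None or 0 in v:
            yield ins[2], set_reg(st, ins[1], {0}, k)
        if v is None or any(v):
            yield pc + 1, st if v is None else set_reg(st, ins[1], {x for x in v if x}, k)
    elif op == 'jmp':
        v = st.get(ins[1])
        if v is None or any(not 0 <= t < len(PROG) for t in v):
            yield None, st  # unknown or out-of-program target: report it, do not guess
        else:
            yield from ((t, st) for t in v)
def analyze(k):
    """Worklist fixpoint under precision k: returns (edges, pcs of unresolved jumps)."""
    states, edges, unresolved, work = {0: {}}, set(), set(), [0]
    while work:
        pc = work.pop()
        for succ, st in step(pc, states[pc], k):
            if succ is None:
                unresolved.add(pc)
                continue
            edges.add((pc, succ))
            if (merged := join(states.get(succ), st, k)) != states.get(succ):
                states[succ] = merged
                work.append(succ)
    return edges, unresolved
def propagate_requirement(regs):
    """Simplified requirement propagation: every register that feeds (through a
    static def-use chain) a register needing more precision needs it too."""
    need = set(regs)
    while True:
        more = {ins[1] if ins[0] == 'addi' else ins[2] for ins in PROG
                if ins[0] in ('addi', 'load') and ins[1] in need} - need
        if not more:
            return need
        need |= more
def reconstruct_cfg(max_k=64):
    """Refine until every indirect jump resolves or the precision budget is spent.
    Still-unresolved jumps are returned so the caller treats them as 'any target'
    rather than silently dropping edges, which would make the CFG unsafe."""
    k = {}
    while True:
        edges, unresolved = analyze(k)
        need = propagate_requirement({PROG[pc][1] for pc in unresolved})
        if not any(k.get(r, DEFAULT_K) < max_k for r in need):
            return edges, unresolved, k
        for r in need:
            k[r] = min(2 * k.get(r, DEFAULT_K), max_k)
```

Run with `reconstruct_cfg()`: with the default precision of one constant per register, the join of the three case indices in `r0` collapses to TOP, the table load yields TOP and the `jmp` at pc 9 is reported unresolved. Requirement propagation pulls `r0` in through the `load` that defines `r2`, their precision is doubled twice (1, 2, 4), and the jump then resolves to exactly the three case bodies, with no edge to the unreachable padding at pc 10. The unrelated register `r5` stays at precision 1 throughout, which is the point of adjusting precision only where it is needed.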
