String analysis for x86 binaries

Information about string values at key points in a program can help program understanding, reverse engineering, and forensics. We present a static-analysis technique for recovering possible string values in an executable program, when no debug information or source code is available. The result of our analysis is a regular language that describes a superset of the string values possible at a given program point. We also impart some of the lessons learned in the process of implementing our analysis as a tool for recovering C-style strings in x86 executables.

[1]  William Landi,et al.  An extended form of must alias analysis for dynamic allocation , 1995, POPL '95.

[2]  Michael Rodeh,et al.  CSSV: towards a realistic tool for statically detecting all buffer overflows in C , 2003, PLDI '03.

[3]  Thomas W. Reps,et al.  Analyzing Memory Accesses in x86 Executables , 2004, CC.

[4]  Christian Kirkegaard,et al.  Static analysis of XML transformations in Java , 2003, IEEE Transactions on Software Engineering.

[5]  Premkumar T. Devanbu,et al.  Static checking of dynamically generated queries in database applications , 2004, Proceedings. 26th International Conference on Software Engineering.

[6]  Saumya K. Debray,et al.  Alias analysis of executable code , 1998, POPL '98.

[7]  Alan Mycroft,et al.  Type-Based Decompilation (or Program Reconstruction via Type Reconstruction) , 1999, ESOP.

[8]  Martin C. Rinard,et al.  Symbolic bounds analysis of pointers, array indices, and accessed memory regions , 2005, TOPL.

[9]  David A. Wagner,et al.  A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities , 2000, NDSS.

[10]  David Evans,et al.  Statically Detecting Likely Buffer Overflow Vulnerabilities , 2001, USENIX Security Symposium.

[11]  Arun Lakhotia,et al.  Abstract Stack Graph to Detect Obfuscated Calls in Binaries , 2004 .

[12]  C. Cifuentes,et al.  Interprocedural Data Flow Recovery of High-Level Language Code from Assembly , 1997 .

[13]  Premkumar T. Devanbu,et al.  JDBC checker: a static analysis tool for SQL/JDBC applications , 2004, Proceedings. 26th International Conference on Software Engineering.

[14]  Dawson R. Engler,et al.  ARCHER: using symbolic, path-sensitive analysis to detect memory access errors , 2003, ESEC/FSE-11.

[15]  Aske Simon Christensen,et al.  Extending Java for High-Level Web Service Construction , 2002 .

[16]  Mark-Jan Nederhof,et al.  Regular Approximation of Context-Free Grammars through Transformation , 2001 .

[17]  Somesh Jha,et al.  Buffer overrun detection using linear programming and static analysis , 2003, CCS '03.

[18]  Shinichiro Yamamoto,et al.  A CASE tool platform using an XML representation of Java source code , 2004, Source Code Analysis and Manipulation, Fourth IEEE International Workshop on.

[19]  Aske Simon Christensen,et al.  Precise Analysis of String Expressions , 2003, SAS.

[20]  Somesh Jha,et al.  Weighted pushdown systems and their application to interprocedural dataflow analysis , 2003, Sci. Comput. Program..

[21]  Doug Simon,et al.  Assembly to high-level language translation , 1998, Proceedings. International Conference on Software Maintenance (Cat. No. 98CB36272).