Verified Abstract Interpretation Techniques for Disassembling Low-level Self-modifying Code

Static analysis of binary code is challenging for several reasons. In particular, standard static analysis techniques operate over control-flow graphs, which are not available for self-modifying programs, i.e. programs that modify their own code at runtime. We formalize in the Coq proof assistant some key abstract interpretation techniques that automatically extract memory safety properties from binary code. Our analyzer is formally proved correct and has been run on several self-modifying challenges provided by Cai et al. in their PLDI 2007 article.
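The following is an added illustration, not the paper's Coq development: a toy abstract interpreter in Python over a constructed instruction set whose instructions live in ordinary memory cells, so each program point is disassembled from the abstract memory as the analysis runs instead of from a precomputed control-flow graph. Assumed simplifications: a finite-set value domain widened to TOP above K members, write targets given as constant operands, and a memory-safety check that rejects writes outside the code segment.

```python
TOP, E, K = None, frozenset(), 8  # unknown value; nothing known yet; widening cap

def join(a, b):
    return TOP if a is TOP or b is TOP or len(a | b) > K else a | b

def step(pc, mem, ins, size):
    op = ins[0]
    if op == "halt": return []
    if op == "set":                   # r := imm
        return [(pc + 1, {**mem, ins[1]: frozenset([ins[2]])})]
    if op == "jnz":                   # if r != 0 goto t; r is refined on each edge
        r, succ = mem[ins[1]], []
        nz = TOP if r is TOP else frozenset(v for v in r if v != 0)
        if nz is TOP or nz:
            succ.append((ins[2], {**mem, ins[1]: nz}))
        if r is TOP or 0 in r:
            succ.append((pc + 1, {**mem, ins[1]: frozenset([0])}))
        return succ
    if op == "patch":                 # mem[a] := instruction: the self-modifying write
        if not 0 <= ins[1] < size:
            raise MemoryError(f"pc {pc}: write outside the segment")
        return [(pc + 1, {**mem, ins[1]: frozenset([ins[2]])})]
    raise ValueError(f"unknown opcode {ins}")

def analyze(program, regs):
    # Worklist fixpoint over pc -> abstract memory; code is decoded from that memory.
    states = {0: {**{a: frozenset([i]) for a, i in enumerate(program)}, **regs}}
    listing, work = {}, [0]
    while work:
        pc = work.pop()
        mem, code = states[pc], states[pc].get(pc, TOP)
        if code is TOP or any(not isinstance(i, tuple) for i in code):
            raise ValueError(f"pc {pc}: no known instruction at this address")
        listing[pc] = listing.get(pc, set()) | code
        for ins in code:
            for npc, nmem in step(pc, mem, ins, len(program)):
                old = states.get(npc, {})
                new = {k: join(old.get(k, E), nmem.get(k, E)) for k in {*old, *nmem}}
                if new != states.get(npc):
                    states[npc] = new
                    work.append(npc)
    return listing, states

# Constructed program: whether address 2 is rewritten depends on an unknown input r0.
PROGRAM = [
    ("jnz", "r0", 2),                # 0: r0 unknown, so both edges are followed
    ("patch", 2, ("set", "r1", 7)),  # 1: reached only when r0 == 0
    ("set", "r1", 0),                # 2: original text; runs rewritten when patched
    ("halt",),                       # 3
]
```

With r0 unknown, the listing records two possible instructions at address 2 and r1 is {0, 7} at the halt; a linear disassembly of the original bytes would only ever see `set r1 0`.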

[1] David Pichardie. Building Certified Static Analysers by Modular Construction of Well-founded Lattices. Electron. Notes Theor. Comput. Sci., 2008.

[2] David Cachera et al. A Certified Denotational Abstract Interpreter. ITP, 2010.

[3] Patrick Cousot et al. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. POPL, 1977.

[4] Nick Benton et al. High-level separation logic for low-level code. POPL, 2013.

[5] Keith Allman et al. About the Companion Website. 2015.

[6] Saumya K. Debray et al. On the Semantics of Self-Unpacking Malware Code. 2008.

[7] Joseph Tassarotti et al. RockSalt: better, faster, stronger SFI for the x86. PLDI, 2012.

[8] R. T. Gerth. Formal verification of self modifying code. 1991.

[9] Tobias Nipkow et al. A machine-checked model for a Java-like language, virtual machine, and compiler. TOPLAS, 2006.

[10] Xavier Leroy et al. A Formally-Verified Alias Analysis. CPP, 2012.

[11] Yves Bertot. Structural Abstract Interpretation: A Formal Study Using Coq. LerNet ALFA Summer School, 2008.

[12] Benjamin Grégoire et al. A Structured Approach to Proving Compiler Optimizations Based on Dataflow Analysis. TYPES, 2004.

[13] Guillaume Bonfante et al. A Computability Perspective on Self-Modifying Programs. Seventh IEEE International Conference on Software Engineering and Formal Methods (SEFM), 2009.

[14] Johannes Kinder. Towards Static Analysis of Virtualization-Obfuscated Binaries. 19th Working Conference on Reverse Engineering (WCRE), 2012.

[15] Thomas W. Reps et al. WYSINWYX: What you see is not what you eXecute. TOPLAS, 2005.

[16] Xavier Leroy et al. A Formally-Verified C Static Analyzer. POPL, 2015.

[17] Clark Thomborson et al. Manufacturing cheap, resilient, and stealthy opaque constructs. POPL, 1998.

[18] Zhong Shao et al. Certified self-modifying code. PLDI, 2007.

[19] Xavier Leroy et al. Mechanized Semantics for the Clight Subset of the C Language. Journal of Automated Reasoning, 2009.

[20] David Pichardie. Interprétation abstraite en logique intuitionniste : extraction d'analyseurs Java certifiés (Abstract interpretation in intuitionistic logic: extraction of certified Java analysers). PhD thesis, 2005.

[21] David Cachera et al. Extracting a Data Flow Analyser in Constructive Logic. ESOP, 2004.

[22] Solange Coupet-Grimal et al. A Uniform and Certified Approach for Two Static Analyses. TYPES, 2004.

[23] Nick Benton et al. Coq: the world's best macro assembler? PPDP, 2013.

[24] Philippe Herrmann et al. Refinement-Based CFG Reconstruction from Unstructured Programs. VMCAI, 2011.

[25] Andrew W. Appel et al. Verified heap theorem prover by paramodulation. ICFP, 2012.

[26] David Pichardie et al. Formal Verification of a C Value Analysis Based on Abstract Interpretation. SAS, 2013.

[27] Tobias Nipkow et al. Abstract Interpretation of Annotated Commands. ITP, 2012.

[28] David Cachera et al. Comparing Techniques for Certified Static Analysis. NASA Formal Methods, 2009.

[29] Peter Szor et al. The Art of Computer Virus Research and Defense. 2005.

[30] Magnus O. Myreen. Verified just-in-time compiler on x86. POPL, 2010.

[31] Adam Chlipala et al. Mostly-automated verification of low-level programs in computational separation logic. PLDI, 2011.