A System for Generating Static Analyzers for Machine Instructions

This paper describes the design and implementation of a language for specifying the semantics of an instruction set, along with a run-time system to support the static analysis of executables written in that instruction set. The work advances the state of the art by creating multiple analysis phases from a specification of the concrete operational semantics of the language to be analyzed.
