A non-convex abstract domain for the value analysis of binaries

Publikationstyp
Conference Paper
Date Issued
2015-04-08
Sprache
English
Author(s)
Mattsen, Sven  
Wichmann, Arne  
Schupp, Sibylle  
Institut
Softwaresysteme E-16  
TORE-URI
http://hdl.handle.net/11420/10836
Start Page
271
End Page
280
Article Number
7081837
Citation
IEEE 22nd International Conference on Software Analysis, Evolution, and Reengineering, SANER 2015 - Proceedings: 7081837, 271-280 (2015-04-08)
Contribution to Conference
22nd International Conference on Software Analysis, Evolution, and Reengineering, SANER 2015  
Publisher DOI
10.1109/SANER.2015.7081837
Scopus ID
2-s2.0-84928693458
Publisher
IEEE
ISBN of container
978-1-4799-8470-1
978-147998469-5
A challenge in sound reverse engineering of binary executables is to determine sets of possible targets for dynamic jumps. One technique to address this challenge is abstract interpretation, where singleton values in registers and memory locations are overapproximated to collections of possible values. With contemporary abstract interpretation techniques, convexity is usually enforced on these collections, which causes unacceptable loss of precision. We present a non-convex abstract domain, suitable for the analysis of binary executables. The domain is based on binary decision diagrams (BDD) to allow an efficient representation of non-convex sets of integers. Non-convex sets are necessary to represent the results of jump table lookups and bitwise operations, which are more frequent in executables than in high-level code because of optimizing compilers. Our domain computes abstract bitwise and arithmetic operations precisely and looses precision only for division and multiplication. Because the operations are defined on the structure of the BDDs, they remain efficient even if executed on very large sets. In executables, conditional jumps require solving formulas built with negation and conjunction. We implement a constraint solver using the fast intersection and complementation of BDD-based sets. Our domain is implemented as a plug-in, called BDDStab, and integrated with the binary analysis framework Jakstab. We use Jakstab's k-set and interval domains to discuss the increase in precision for a selection of compiler-generated executables.
DDC Class
004: Informatik
600: Technik