Analysis of pointers and structures
PLDI '90 Proceedings of the ACM SIGPLAN 1990 conference on Programming language design and implementation
ESP: path-sensitive program verification in polynomial time
PLDI '02 Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation
Specifying the Semantics of Machine Instructions
IWPC '98 Proceedings of the 6th International Workshop on Program Comprehension
Disassembly of Executable Code Revisited
WCRE '02 Proceedings of the Ninth Working Conference on Reverse Engineering (WCRE'02)
Using a Decompiler for Real-World Source Recovery
WCRE '04 Proceedings of the 11th Working Conference on Reverse Engineering
Thorough static analysis of device drivers
Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems 2006
Jakstab: A Static Analysis Platform for Binaries
CAV '08 Proceedings of the 20th international conference on Computer Aided Verification
An Abstract Interpretation-Based Framework for Control Flow Reconstruction from Binaries
VMCAI '09 Proceedings of the 10th International Conference on Verification, Model Checking, and Abstract Interpretation
Program Analysis with Dynamic Precision Adjustment
ASE '08 Proceedings of the 2008 23rd IEEE/ACM International Conference on Automated Software Engineering
CAV'07 Proceedings of the 19th international conference on Computer aided verification
Analyzing stripped device-driver executables
TACAS'08/ETAPS'08 Proceedings of the Theory and practice of software, 14th international conference on Tools and algorithms for the construction and analysis of systems
Recency-Abstraction for heap-allocated storage
SAS'06 Proceedings of the 13th international conference on Static Analysis
Alternating control flow reconstruction
VMCAI'12 Proceedings of the 13th international conference on Verification, Model Checking, and Abstract Interpretation
Verification across Intellectual Property Boundaries
ACM Transactions on Software Engineering and Methodology (TOSEM)
Hi-index | 0.00 |
Most closed source drivers installed on desktop systems today have never been exposed to formal analysis. Without vendor support, the only way to make these often hastily written, yet critical programs accessible to static analysis is to directly work at the binary level. In this paper, we describe a full architecture to perform static analysis on binaries that does not rely on unsound external components such as disassemblers. To precisely calculate data and function pointers without any type information, we introduce Bounded Address Tracking, an abstract domain that is tailored towards machine code and is path sensitive up to a tunable bound assuring termination. We implemented Bounded Address Tracking in our binary analysis platform Jakstab and used it to verify API specifications on several Windows device drivers. Even without assumptions about executable layout and procedures as made by state of the art approaches [1], we achieve more precise results on a set of drivers from the Windows DDK. Since our technique does not require us to compile drivers ourselves, we also present results from analyzing over 300 closed source drivers.