Context-sensitive analysis without calling-context

  • Authors:
  • Arun Lakhotia;Davidson R. Boccardo;Anshuman Singh;Aleardo Manacero, Jr.

  • Affiliations:
  • University of Louisiana at Lafayette, Lafayette, USA 70504;Inmetro--National Institute of Metrology, Quality and Technology, Rio de Janeiro, Brazil;University of Louisiana at Lafayette, Lafayette, USA 70504;Paulista State University (UNESP), São Paulo, Brazil

  • Venue:
  • Higher-Order and Symbolic Computation
  • Year:
  • 2010

Quantified Score

Hi-index 0.00

Visualization

Abstract

Since Sharir and Pnueli, algorithms for context-sensitivity have been defined in terms of `valid' paths in an interprocedural flow graph. The definition of valid paths requires atomic call and ret statements, and encapsulated procedures. Thus, the resulting algorithms are not directly applicable when behavior similar to call and ret instructions may be realized using non-atomic statements, or when procedures do not have rigid boundaries, such as with programs in low level languages like assembly or RTL.We present a framework for context-sensitive analysis that requires neither atomic call and ret instructions, nor encapsulated procedures. The framework presented decouples the transfer of control semantics and the context manipulation semantics of statements. A new definition of context-sensitivity, called stack contexts, is developed. A stack context, which is defined using trace semantics, is more general than Sharir and Pnueli's interprocedural path based calling-context. An abstract interpretation based framework is developed to reason about stack-contexts and to derive analogues of calling-context based algorithms using stack-context.The framework presented is suitable for deriving algorithms for analyzing binary programs, such as malware, that employ obfuscations with the deliberate intent of defeating automated analysis. The framework is used to create a context-sensitive version of Venable et al.'s algorithm for analyzing x86 binaries without requiring that a binary conforms to a standard compilation model for maintaining procedures, calls, and returns. Experimental results show that a context-sensitive analysis using stack-context performs just as well for programs where the use of Sharir and Pnueli's calling-context produces correct approximations. However, if those programs are transformed to use call obfuscations, a context-sensitive analysis using stack-context still provides the same, correct results and without any additional overhead.