Abstract
Machine-code slicing is an important primitive for building binary analysis and rewriting tools, such as taint trackers, fault localizers, and partial evaluators. However, it is not easy to create a machine-code slicer that exhibits a high level of precision. Moreover, the problem of creating such a tool is compounded by the fact that a small amount of local imprecision can be amplified via cascade effects.
Most instructions in instruction sets such as Intel's IA-32 and ARM are multi-assignments: they have several inputs and several outputs (registers, flags, and memory locations). This aspect of the instruction set introduces a granularity issue during slicing: there are often instructions at which we would like the slice to include only a subset of the instruction's semantics, whereas the slice is forced to include the entire instruction. Consequently, the slice computed by state-of-the-art tools is very imprecise, often including essentially the entire program.
This paper presents an algorithm to slice machine code more accurately. To counter the granularity issue, our algorithm performs slicing at the microcode level, instead of the instruction level, and obtains a more precise microcode slice. To reconstitute a machine-code program from a microcode slice, our algorithm uses machine-code synthesis. Our experiments on IA-32 binaries of FreeBSD utilities show that, in comparison to slices computed by a state-of-the-art tool, our algorithm reduces the size of backward slices by 33%, and forward slices by 70%.
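The granularity issue described above, as an added toy illustration that is not the paper's slicer and omits its synthesis step: a constructed straight-line IA-32-like sequence is decomposed into micro-ops (one per output), and a backward slice on `eax` is computed once at micro-op granularity and once at whole-instruction granularity; the register, flag and memory names and the program itself are constructed for this example.

```python
# Constructed straight-line IA-32-like program (not taken from the paper).
# Each instruction is decomposed into micro-ops, one per output: (output, inputs).
# "push ebx" is a multi-assignment: it writes esp and the stacked word.
PROGRAM = [
    ("mov ebx, [ecx]", [("ebx", {"ecx", "M[ecx]"})]),
    ("add ebx, 5",     [("ebx", {"ebx"}), ("ZF", {"ebx"}), ("CF", {"ebx"})]),
    ("push ebx",       [("esp", {"esp"}), ("M[esp-4]", {"esp", "ebx"})]),
    ("mov eax, esp",   [("eax", {"esp"})]),
]

def last_def(loc, before):
    """Most recent micro-op writing `loc` in instructions 0..before-1, as
    (position, output, inputs); None if `loc` comes from the initial state."""
    for pos in range(before - 1, -1, -1):
        for out, ins in PROGRAM[pos][1]:
            if out == loc:
                return pos, out, ins
    return None

def backward_slice(criterion, micro):
    """criterion = (n, loc): the value of `loc` after the first n instructions.
    Returns the set of (position, output) micro-ops in the slice.
    micro=True keeps only the micro-op that defines the needed output;
    micro=False keeps every micro-op of the defining instruction, so all of
    that instruction's inputs join the criterion (the cascade effect).
    Reconstituting machine code from the micro-op slice is out of scope here."""
    work = [criterion]
    kept = set()
    while work:
        n, loc = work.pop()
        d = last_def(loc, n)
        if d is None:
            continue  # defined by the initial state, nothing more to include
        pos, out, ins = d
        uops = [(out, ins)] if micro else PROGRAM[pos][1]
        for o, srcs in uops:
            if (pos, o) not in kept:
                kept.add((pos, o))
                work.extend((pos, s) for s in srcs)
    return kept

def slice_instructions(criterion, micro):
    """1-based numbers of the instructions touched by the slice."""
    return sorted({pos + 1 for pos, _ in backward_slice(criterion, micro)})

if __name__ == "__main__":
    crit = (len(PROGRAM), "eax")  # value of eax after the whole sequence
    for micro in (True, False):
        kind = "microcode" if micro else "instruction"
        print(f"{kind}-level slice: instructions {slice_instructions(crit, micro)}")
        for pos, out in sorted(backward_slice(crit, micro)):
            print(f"  {pos + 1}: {PROGRAM[pos][0]:16} keeps {out}")
```

At micro-op granularity only the `esp := esp-4` part of `push ebx` is needed, so instructions 1 and 2 stay out; at instruction granularity the stored word's input `ebx` drags in the `add` and the `mov` before it.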
An improved algorithm for slicing machine code. OOPSLA 2016: Proceedings of the 2016 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications.