research-article
Public Access

An improved algorithm for slicing machine code

Published: 19 October 2016

Abstract

Machine-code slicing is an important primitive for building binary analysis and rewriting tools, such as taint trackers, fault localizers, and partial evaluators. However, it is not easy to create a machine-code slicer that exhibits a high level of precision. Moreover, the problem of creating such a tool is compounded by the fact that a small amount of local imprecision can be amplified via cascade effects.

Most instructions in instruction sets such as Intel's IA-32 and ARM are multi-assignments: they have several inputs and several outputs (registers, flags, and memory locations). This aspect of the instruction set introduces a granularity issue during slicing: there are often instructions at which we would like the slice to include only a subset of the instruction's semantics, whereas the slice is forced to include the entire instruction. Consequently, the slice computed by state-of-the-art tools is very imprecise, often including essentially the entire program.

This paper presents an algorithm to slice machine code more accurately. To counter the granularity issue, our algorithm performs slicing at the microcode level, instead of the instruction level, and obtains a more precise microcode slice. To reconstitute a machine-code program from a microcode slice, our algorithm uses machine-code synthesis. Our experiments on IA-32 binaries of FreeBSD utilities show that, in comparison to slices computed by a state-of-the-art tool, our algorithm reduces the size of backward slices by 33%, and forward slices by 70%.
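The granularity issue described above can be made concrete with a small dependence-based slicer that can be run at either instruction or microcode granularity. The following is an added example written for this page; it is not code from the paper or from its authors' tool. The IA-32 fragment, its microcode decomposition, and the symbolic stack-slot name `S0` (standing in for a memory location that a prior address analysis is assumed to have resolved) are all constructed for illustration. Only straight-line code and data dependences are handled, and the paper's second step, reconstituting machine code from the microcode slice by synthesis, is not shown; the point is simply to see why the instruction-level slice is forced to be larger.

```python
from collections import namedtuple

# One dependence-graph node: the instruction it belongs to, the locations it
# defines and uses, and a human-readable rendering.  At microcode granularity a
# node is a single micro-assignment (exactly one def); at instruction
# granularity a node is the whole instruction, with every input feeding every output.
Node = namedtuple("Node", "instr defs uses text")

# Constructed straight-line IA-32 fragment (not taken from the paper).  Each
# instruction is paired with a hypothetical microcode decomposition given as
# (def, uses, text).  The stack slot written by push and read by pop is assumed
# to have been resolved to the symbolic location "S0" by an earlier address
# analysis; the other operands are registers and flags.
PROGRAM = [
    ("mov ebx, [ebp-4]", [("ebx", {"ebp", "M[ebp-4]"}, "ebx := M[ebp-4]")]),
    ("imul ebx, ebx",    [("ebx", {"ebx"}, "ebx := ebx * ebx"),
                          ("OF",  {"ebx"}, "OF := overflow(ebx * ebx)"),
                          ("CF",  {"OF"},  "CF := OF")]),
    ("push ebx",         [("S0",  {"esp", "ebx"}, "M[esp-4] := ebx"),
                          ("esp", {"esp"},        "esp := esp - 4")]),
    ("pop ecx",          [("ecx", {"esp", "S0"},  "ecx := M[esp]"),
                          ("esp", {"esp"},        "esp := esp + 4")]),
    ("lea edx, [esp+8]", [("edx", {"esp"},        "edx := esp + 8")]),
]


def build_nodes(program, granularity):
    """Flatten the program into dependence-graph nodes in execution order."""
    nodes = []
    for i, (text, micros) in enumerate(program):
        if granularity == "micro":
            for d, u, t in micros:
                nodes.append(Node(i, frozenset([d]), frozenset(u), t))
        else:  # one coarse node per instruction: defs and uses are unioned
            defs = frozenset(d for d, _, _ in micros)
            uses = frozenset().union(*(u for _, u, _ in micros))
            nodes.append(Node(i, defs, uses, text))
    return nodes


def last_def(nodes, before, loc):
    """Index of the closest node before position `before` that defines `loc`
    (straight-line code, so there is a single reaching definition), or None."""
    for k in range(before - 1, -1, -1):
        if loc in nodes[k].defs:
            return k
    return None


def backward_slice(nodes, crit_instr, crit_loc):
    """Nodes that may affect the value of `crit_loc` after `crit_instr` executes."""
    end = max(k for k, n in enumerate(nodes) if n.instr == crit_instr) + 1
    start = last_def(nodes, end, crit_loc)
    in_slice, work = set(), ([] if start is None else [start])
    while work:
        k = work.pop()
        if k in in_slice:
            continue
        in_slice.add(k)
        for loc in nodes[k].uses:           # follow each use back to its definition
            d = last_def(nodes, k, loc)
            if d is not None:
                work.append(d)
    return in_slice


def forward_slice(nodes, crit_instr, crit_loc):
    """Nodes whose values are (transitively) affected by the definition of
    `crit_loc` made by `crit_instr`."""
    start = next(k for k, n in enumerate(nodes)
                 if n.instr == crit_instr and crit_loc in n.defs)
    in_slice, work = set(), [start]
    while work:
        k = work.pop()
        if k in in_slice:
            continue
        in_slice.add(k)
        for loc in nodes[k].defs:
            # Every use of `loc` up to and including its next redefinition
            # depends on node k; stop once `loc` has been overwritten.
            for m in range(k + 1, len(nodes)):
                if loc in nodes[m].uses:
                    work.append(m)
                if loc in nodes[m].defs:
                    break
    return in_slice


def slice_program(program, direction, crit_instr, crit_loc, granularity):
    """Return (sorted instruction indices, node texts) for the requested slice."""
    nodes = build_nodes(program, granularity)
    f = backward_slice if direction == "backward" else forward_slice
    picked = sorted(f(nodes, crit_instr, crit_loc))
    return sorted({nodes[k].instr for k in picked}), [nodes[k].text for k in picked]


if __name__ == "__main__":
    for direction, instr, loc in (("backward", 4, "edx"), ("forward", 2, "S0")):
        for g in ("instruction", "micro"):
            idx, texts = slice_program(PROGRAM, direction, instr, loc, g)
            print(f"{direction} slice on ({PROGRAM[instr][0]!r}, {loc}) at {g} level, instrs {idx}:")
            for t in texts:
                print("   ", t)
```

Slicing backward from the value of `edx` after the `lea` at instruction granularity pulls in all five instructions: `pop ecx` is included as a unit, its memory read drags in `push ebx`, and that instruction's register input drags in the `imul` and the initial load. At microcode granularity only the `esp` micro-assignments of `push` and `pop` are needed, so the slice touches three instructions and only part of each. The forward slice from the stack write of `push ebx` shows the same effect in the other direction: the coarse node also carries the `esp` update, so the `lea` is swept in, whereas the microcode slice stops at the `pop`.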

