Context-sensitive analysis without calling-context
Main author: | Lakhotia, Arun |
---|---|
Publication date: | 2010 |
Other authors: | Boccardo, Davidson R.; Singh, Anshuman; Manacero Jr., Aleardo |
Document type: | Conference paper |
Language: | eng |
Source title: | Repositório Institucional da UNESP |
Full text: | http://dx.doi.org/10.1007/s10990-011-9080-1 http://hdl.handle.net/11449/71846 |
Abstract: | Since Sharir and Pnueli, algorithms for context-sensitivity have been defined in terms of 'valid' paths in an interprocedural flow graph. The definition of valid paths requires atomic call and ret statements, and encapsulated procedures. Thus, the resulting algorithms are not directly applicable when behavior similar to call and ret instructions may be realized using non-atomic statements, or when procedures do not have rigid boundaries, such as with programs in low level languages like assembly or RTL. We present a framework for context-sensitive analysis that requires neither atomic call and ret instructions, nor encapsulated procedures. The framework presented decouples the transfer of control semantics and the context manipulation semantics of statements. A new definition of context-sensitivity, called stack contexts, is developed. A stack context, which is defined using trace semantics, is more general than Sharir and Pnueli's interprocedural path based calling-context. An abstract interpretation based framework is developed to reason about stack-contexts and to derive analogues of calling-context based algorithms using stack-context. The framework presented is suitable for deriving algorithms for analyzing binary programs, such as malware, that employ obfuscations with the deliberate intent of defeating automated analysis. The framework is used to create a context-sensitive version of Venable et al.'s algorithm for analyzing x86 binaries without requiring that a binary conforms to a standard compilation model for maintaining procedures, calls, and returns. Experimental results show that a context-sensitive analysis using stack-context performs just as well for programs where the use of Sharir and Pnueli's calling-context produces correct approximations. However, if those programs are transformed to use call obfuscations, a context-sensitive analysis using stack-context still provides the same, correct results and without any additional overhead.
© Springer Science+Business Media, LLC 2011. |
id |
UNSP_b048ecdf7be798f53c864e7e6707593e |
---|---|
oai_identifier_str |
oai:repositorio.unesp.br:11449/71846 |
network_acronym_str |
UNSP |
network_name_str |
Repositório Institucional da UNESP |
repository_id_str |
2946 |
author |
Lakhotia, Arun |
author_facet |
Lakhotia, Arun; Boccardo, Davidson R.; Singh, Anshuman; Manacero Jr., Aleardo [UNESP] |
dc.contributor.none.fl_str_mv |
University of Louisiana at Lafayette; Inmetro - National Institute of Metrology, Quality and Technology; Universidade Estadual Paulista (Unesp) |
dc.subject.por.fl_str_mv |
Analysis of binaries; Context-sensitive analysis; Deobfuscation; Obfuscation; Abstract interpretations; Automated analysis; Binary programs; Context sensitivity; Context-sensitive; Flow graph; Inter-procedural; Malwares; Path-based; Rigid boundaries; Trace semantics; Abstracting; Algorithms; Atoms; Semantics; Java programming language |
publishDate |
2010 |
dc.date.none.fl_str_mv |
2010-09-01 2014-05-27T11:24:47Z 2014-05-27T11:24:47Z |
dc.type.status.fl_str_mv |
info:eu-repo/semantics/publishedVersion |
dc.type.driver.fl_str_mv |
info:eu-repo/semantics/conferenceObject |
format |
conferenceObject |
status_str |
publishedVersion |
dc.identifier.uri.fl_str_mv |
http://dx.doi.org/10.1007/s10990-011-9080-1; Higher-Order and Symbolic Computation, v. 23, n. 3, p. 275-313, 2010; 1388-3690; http://hdl.handle.net/11449/71846; 10.1007/s10990-011-9080-1; 2-s2.0-84855665553 |
dc.language.iso.fl_str_mv |
eng |
language |
eng |
dc.relation.none.fl_str_mv |
Higher-Order and Symbolic Computation |
dc.rights.driver.fl_str_mv |
info:eu-repo/semantics/openAccess |
eu_rights_str_mv |
openAccess |
dc.format.none.fl_str_mv |
275-313 |
dc.source.none.fl_str_mv |
Scopus; reponame:Repositório Institucional da UNESP; instname:Universidade Estadual Paulista (UNESP); instacron:UNESP |