Jakstab: A Static Analysis Platform for Binaries

Kinder, Johannes; Veith, Helmut

doi:10.1007/978-3-540-70545-1_40

Cited by 108 publications

(89 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Earlier work [1,5,3,7,6] has shown that data flow analysis can be used to augment the results of disassembly, but no conclusive answer was given on the best way to handle states with unresolved control flow successors during data flow analysis. Further, updating the control flow graph could render previous data flow information invalid, which would require backtracking and could cause the analysis to diverge.…”

Section: Augmenting Disassembly With Data Flow Analysismentioning

confidence: 99%

“…We implemented the worklist algorithm for control flow reconstruction (Algorithm 2) in our disassembly and static analysis tool JAKSTAB [6]. JAKSTAB works on X86 executables, and translates them into an intermediate language that is similar in style but more complex than JUMP.…”

Section: Instantiation Of the Framework In The Jakstab Toolmentioning

confidence: 99%

“…Using this abstract domain, JAKSTAB has already achieved good precision in reconstructing the control flow of executables [6]. Note that in the analysis of compiled applications, there are some cases when calls cannot be resolved by our current implementation.…”

Section: Instantiation Of the Framework In The Jakstab Toolmentioning

confidence: 99%

“…We prove that the algorithm always returns the most precise overapproximation of the program's actual control flow graph with respect to the precision of the provided abstract domain used by the data flow analysis (Section 3.4). -In earlier work, we presented our disassembly tool JAKSTAB [6], which employs constant propagation for an iterative disassembly strategy. JAKSTAB uses an abstract domain which supports symbolic memory addresses to achieve constant propagation through local variables and yielded better results than the most widely used commercial disassembler IDA Pro.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

An Abstract Interpretation-Based Framework for Control Flow Reconstruction from Binaries

Kinder

Zuleger

Veith

2008

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Due to indirect branch instructions, analyses on executables commonly suffer from the problem that a complete control flow graph of the program is not available. Data flow analysis has been proposed before to statically determine branch targets in many cases, yet a generic strategy without assumptions on compiler idioms or debug information is lacking. We have devised an abstract interpretation-based framework for generic low level programs with indirect jumps which safely combines a pluggable abstract domain with the notion of partial control flow graphs. Using our framework, we are able to show that the control flow reconstruction algorithm of our disassembly tool Jakstab produces the most precise overapproximation of the control flow graph with respect to the used abstract domain.

show abstract

Section: Augmenting Disassembly With Data Flow Analysismentioning

confidence: 99%

Section: Instantiation Of the Framework In The Jakstab Toolmentioning

confidence: 99%

Section: Instantiation Of the Framework In The Jakstab Toolmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

An Abstract Interpretation-Based Framework for Control Flow Reconstruction from Binaries

Kinder

Zuleger

Veith

2008

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…These mostly spurious edges introduce additional imprecision into the analysis as abstract states propagate across them, in the end yielding a degenerate CFG that is unusable for analysis. In practice, existing tools [13] therefore either immediately report an error whenever they cannot resolve an indirect branch or simply turn the indirect jump into a leaf without any successors.…”

Section: Introductionmentioning

confidence: 99%

Alternating Control Flow Reconstruction

Kinder

Kravchenko

2012

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Unresolved indirect branch instructions are a major obstacle for statically reconstructing a control flow graph (CFG) from machine code. If static analysis cannot compute a precise set of possible targets for a branch, the necessary conservative over-approximation introduces a large amount of spurious edges, leading to even more imprecision and a degenerate CFG. In this paper, we propose to leverage under-approximation to handle this problem. We provide an abstract interpretation framework for control flow reconstruction that alternates between over-and under-approximation. Effectively, the framework imposes additional preconditions on the program on demand, allowing to avoid conservative over-approximation of indirect branches. We give an example instantiation of our framework using dynamically observed execution traces and constant propagation. We report preliminary experimental results confirming that our alternating analysis yields CFGs closer to the concrete CFG than pure over-or under-approximation.

show abstract

Parallel computational tree logic model‐checking on pushdown systems

Shi

Huang

et al. 2022

Concurrency and Computation

View full text Add to dashboard Cite

Summary Model checking and static analysis have been well studied for program verification. Because of the ability to describe the stack, the pushdown system (PDS) has become a perfect model that is able to accurately model procedure calls and mimic the program's stack. Thus, it is not only a good model for sequential programs but for malware detection as well. However, with the increase of the complexity of programs, the size of models becomes huge as well. Thus, the model‐checking problem is expensive to solve. The computational tree logic (CTL) is a widely used logic and its model checking problem of PDSs can be reduced to the emptiness analysis of an alternating Büchi pushdown system (ABPDS) by determining whether there is an accepting run. When the size of a PDS is huge, the computations can be time‐consuming. To overcome this limitation, we propose a parallel solution. We propose a parallel framework based on the Compute Unified Device Architecture and the corresponding parallel algorithms to solve the emptiness problem of ABPDSs. Moreover, in order to effectively utilize the graphics processing unit, we design a new data structure of variables and an algorithm of management of thread scheduling for the parallel model. We implement our algorithms in a tool and compare our tool to a CTL model checker for PDS as a benchmark. The comparison results indicate an encouraging performance speedup.

show abstract

Jakstab: A Static Analysis Platform for Binaries

Cited by 108 publications

References 7 publications

An Abstract Interpretation-Based Framework for Control Flow Reconstruction from Binaries

An Abstract Interpretation-Based Framework for Control Flow Reconstruction from Binaries

Alternating Control Flow Reconstruction

Parallel computational tree logic model‐checking on pushdown systems

Contact Info

Product

Resources

About