CodeSurfer/x86---A Platform for Analyzing x86 Executables

G. Balakrishnan, R. Gruian, T. Reps, and T. Teitelbaum

CodeSurfer/x86 is a prototype system for analyzing x86 executables. It uses a static-analysis algorithm called \emph{value-set analysis} (VSA) to recover intermediate representations that are similar to those that a compiler creates for a program written in a high-level language. A major challenge in building an analysis tool for executables is in providing useful information about operations involving memory. This is difficult when symbol-table and debugging information is absent or untrusted. CodeSurfer/x86 overcomes these challenges to provide an analyst with a powerful and flexible platform for investigating the properties and behaviors of potentially malicious code (such as COTS components, plugins, mobile code, worms, Trojans, and virus-infected code) using (i) CodeSurfer/x86's GUI, (ii) CodeSurfer/x86's scripting language, which provides access to all of the intermediate representations that CodeSurfer/x86 builds for the executable, and (iii) GrammaTech's Path Inspector, which is a tool that uses a sophisticated pattern-matching engine to answer questions about the flow of execution in a program.

(Click here to access the paper: PostScript, PDF.)