Improved Memory-Access Analysis for x86 Executables
Thomas Reps and Gogul Balakrishnan
Over the last seven years, we have developed static-analysis methods
to recover a good approximation to the variables and dynamically
allocated memory objects of a stripped executable, and to track the
flow of values through them. It is relatively easy to track the
effects of an instruction operand that refers to a global address (i.e.,
an access to a global variable) or that uses a stack-frame offset (i.e.,
an access to a local scalar variable via the frame pointer or stack
pointer). In our work, our algorithms are able to provide useful
information for close to 100% of such "direct" uses and defs.
It is much harder for a static-analysis algorithm to
track the effects of an instruction operand that uses a
non-stack-frame register. These "indirect" uses and defs correspond
to accesses to an array or a dynamically allocated memory object. In
one study, our approach recovered useful information for only
29% of indirect uses and 33% of indirect defs.
However, using the technique described in this paper, the algorithm
recovered useful information for
81% of indirect uses and 90% of indirect defs.
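To make the direct/indirect distinction above concrete, the following is an added illustration (not code from the paper or from the authors' tools) that parses 32-bit Intel-syntax memory operands and classifies each one the way the abstract does: a bare displacement is a direct global access, a displacement from esp or ebp with no index register is a direct stack access, and anything addressed through some other register (array indexing, a heap object reached through a pointer in eax, ebx, ...) is indirect. It also tallies direct/indirect uses and defs over a constructed list of mov-style instructions, using the convention (an assumption of this example) that a memory operand in the destination position is a def and one in the source position is a use. The operand strings and the `SAMPLE` instruction list are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Registers that address the current stack frame on 32-bit x86.
STACK_REGS = {"esp", "ebp"}
REG_RE = r"e[abcd]x|e[sd]i|e[sb]p"


@dataclass
class MemOperand:
    """Components of an x86 memory operand: [base + index*scale + disp]."""
    base: Optional[str]
    index: Optional[str]
    scale: int
    disp: int


def parse_operand(text: str) -> MemOperand:
    """Parse an Intel-syntax memory operand such as 'dword ptr [ebp-0x8]'
    or '[eax+ecx*4+0x10]' into base, index, scale and displacement."""
    m = re.search(r"\[([^\]]*)\]", text)
    if not m:
        raise ValueError(f"not a memory operand: {text!r}")
    body = m.group(1).replace(" ", "").lower()
    base = index = None
    scale, disp = 1, 0
    # Walk the signed terms: 'ebp', '-0x8', '+ecx*4', ...
    for sign, term in re.findall(r"([+-]?)([^+-]+)", body):
        scaled = re.fullmatch(rf"({REG_RE})\*([1248])", term)
        if scaled:
            if index is not None:
                raise ValueError(f"two index registers in {text!r}")
            index, scale = scaled.group(1), int(scaled.group(2))
        elif re.fullmatch(REG_RE, term):
            if base is None:
                base = term
            elif index is None:
                index = term          # [ebx+ecx]: second register is an index, scale 1
            else:
                raise ValueError(f"too many registers in {text!r}")
        else:
            value = int(term, 0)      # accepts decimal and 0x-prefixed hex
            disp += -value if sign == "-" else value
    return MemOperand(base, index, scale, disp)


def classify(text: str) -> str:
    """Classify a memory operand as 'direct-global', 'direct-stack' or 'indirect'.
    Purely syntactic: it does not know whether ebp really holds the frame base."""
    op = parse_operand(text)
    if op.base is None and op.index is None:
        return "direct-global"        # e.g. [0x804a010]: fixed global address
    if op.base in STACK_REGS and op.index is None:
        return "direct-stack"         # e.g. [ebp-0x8], [esp+4]: local scalar
    return "indirect"                 # any non-stack-frame register involved


def tally(instructions):
    """Count direct/indirect uses and defs over (dst, src) operand pairs.
    Convention assumed here: a memory operand as dst is a def, as src a use."""
    counts = {(role, kind): 0
              for role in ("use", "def") for kind in ("direct", "indirect")}
    for dst, src in instructions:
        for role, operand in (("def", dst), ("use", src)):
            if "[" in operand:
                kind = "direct" if classify(operand).startswith("direct") else "indirect"
                counts[(role, kind)] += 1
    return counts


# Constructed sample: (destination, source) operands of two-operand instructions.
SAMPLE = [
    ("eax", "dword ptr [ebp-0x8]"),          # use, direct (local scalar)
    ("dword ptr [0x804a010]", "eax"),        # def, direct (global)
    ("ecx", "dword ptr [eax+ecx*4]"),        # use, indirect (array via eax)
    ("dword ptr [ebx+0x4]", "edx"),          # def, indirect (field of heap object)
    ("dword ptr [esp+0x4]", "eax"),          # def, direct (outgoing argument slot)
    ("edx", "dword ptr [ebp+eax*4-0x20]"),   # use, indirect (local array, indexed)
]

if __name__ == "__main__":
    for dst, src in SAMPLE:
        for operand in (dst, src):
            if "[" in operand:
                print(f"{operand:32s} {classify(operand)}")
    print(tally(SAMPLE))
```

Note that `[ebp+eax*4-0x20]` is counted as indirect even though it addresses the current frame: the paper's criterion is whether a non-stack-frame register participates, not where the target lies. The classifier is syntactic, so under frame-pointer omission (ebp reused as a general register) it would mislabel ebp-relative operands as stack accesses; recovering what a register actually holds is exactly the job of the value-tracking analysis the abstract describes, which this example does not attempt.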