A Next-Generation Platform for Analyzing Executables
Speaker: Junghee Lim
Time: 2006-01-06 13:00:00
Place: Room 421, Bldg 301, SNU
Abstract
In recent years, there has been a growing need for tools that an analyst can use to understand the workings of COTS components, plugins, mobile code, and DLLs, as well as memory snapshots of worms and virus-infected code. Static analysis provides techniques that can help with such problems; however, there are several obstacles that must be overcome:
- For many kinds of potentially malicious programs, symbol-table and debugging information is entirely absent. Even if it is present, it cannot be relied upon.
- To understand memory-access operations, it is necessary to determine the set of addresses accessed by each operation. This is difficult because:
  - While some memory operations use explicit memory addresses in the instruction (easy), others use indirect addressing via address expressions (difficult).
  - Arithmetic on addresses is pervasive. For instance, even when the value of a local variable is loaded from its slot in an activation record, address arithmetic is performed.
  - There is no notion of type at the hardware level, so address values cannot be distinguished from integer values.
  - Memory accesses do not have to be aligned, so word-sized address values could potentially be cobbled together from misaligned reads and writes.
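The indirect-addressing and address-arithmetic obstacles listed above are what an address-set analysis has to work through when no symbol table is available. The following is an added example written for this page; it is not code from the talk or from any tool it describes. It models each register as a strided interval (a simplified form of the abstraction used in value-set analysis) and resolves, for every memory operand of a constructed x86-like instruction list, the set of addresses it can touch. The instruction encoding, the `assume` pseudo-instruction standing in for a loop-bound fact the analysis would normally derive itself, and all addresses are constructed assumptions. Note that the abstraction carries the same strided interval whether a register holds an integer or an address, which is exactly the "no notion of type" problem: the analysis cannot tell the two apart and must track both.

```python
"""Toy strided-interval address resolution over a constructed instruction list.

Added example for this page; not code from the talk or from the tool it describes.
"""
from dataclasses import dataclass
from math import gcd
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SI:
    """Strided interval s[lo, hi] = {lo, lo+s, ..., hi}; s == 0 encodes a single value."""
    s: int
    lo: int
    hi: int

    @staticmethod
    def const(v: int) -> "SI":
        return SI(0, v, v)

    def values(self) -> List[int]:
        return [self.lo] if self.s == 0 else list(range(self.lo, self.hi + 1, self.s))

    def add(self, o: "SI") -> "SI":
        # Sound over-approximation of pointwise addition: bounds add, stride is the gcd.
        return SI(gcd(self.s, o.s), self.lo + o.lo, self.hi + o.hi)

    def scale(self, k: int) -> "SI":
        return SI(self.s * k, self.lo * k, self.hi * k)


# Abstract state: register name -> strided interval, or None when the value is unknown (TOP).
State = Dict[str, Optional[SI]]
# Memory operand [base + index*scale + disp]; base/index may be None.
MemOperand = Tuple[Optional[str], Optional[str], int, int]


def operand_addrs(state: State, operand: MemOperand) -> Optional[SI]:
    """Resolve the address set of a memory operand; None if any input register is unknown."""
    base, index, scale, disp = operand
    result = SI.const(disp)                      # explicit address: just the displacement
    if base is not None:
        b = state.get(base)
        if b is None:
            return None
        result = result.add(b)                   # address arithmetic: base + disp
    if index is not None:
        i = state.get(index)
        if i is None:
            return None
        result = result.add(i.scale(scale))      # scaled index, e.g. a table walk
    return result


def analyse(program: List[tuple]) -> List[Tuple[int, str, Optional[SI]]]:
    """Straight-line abstract interpretation; returns (pc, load/store, resolved address set)."""
    state: State = {}
    accesses: List[Tuple[int, str, Optional[SI]]] = []
    for pc, insn in enumerate(program):
        op = insn[0]
        if op == "mov_imm":                      # reg = imm
            state[insn[1]] = SI.const(insn[2])
        elif op == "mov_reg":                    # reg = reg2
            state[insn[1]] = state.get(insn[2])
        elif op == "sub_imm":                    # reg -= imm (e.g. sub esp, 16 in a prologue)
            r = state.get(insn[1])
            state[insn[1]] = None if r is None else r.add(SI.const(-insn[2]))
        elif op == "input":                      # reg holds externally supplied data: TOP
            state[insn[1]] = None
        elif op == "assume":                     # constructed analysis fact: reg in s[lo, hi]
            state[insn[1]] = SI(insn[2], insn[3], insn[4])
        elif op in ("load", "store"):
            accesses.append((pc, op, operand_addrs(state, insn[2])))
            if op == "load":                     # memory contents are not modelled here
                state[insn[1]] = None
    return accesses


# Constructed program: a frame setup, a scaled table read, a local-slot write,
# an explicit-address read and an access through an input-controlled pointer.
PROGRAM = [
    ("mov_imm", "esp", 0x7FFFF000),              # constructed initial stack pointer
    ("mov_reg", "ebp", "esp"),                   # mov ebp, esp
    ("sub_imm", "esp", 16),                      # sub esp, 16  (room for locals)
    ("mov_imm", "ebx", 0x401000),                # ebx = base of a global table
    ("assume", "ecx", 1, 0, 3),                  # loop counter known to range over 0..3
    ("load", "eax", ("ebx", "ecx", 4, 0)),       # mov eax, [ebx + ecx*4]  indirect, scaled
    ("store", "eax", ("ebp", None, 0, -8)),      # mov [ebp-8], eax        local slot
    ("load", "edx", (None, None, 0, 0x402000)),  # mov edx, [0x402000]     explicit address
    ("input", "esi"),                            # esi comes from outside the program
    ("load", "edi", ("esi", None, 0, 4)),        # mov edi, [esi+4]        unresolvable here
]

if __name__ == "__main__":
    for pc, op, addrs in analyse(PROGRAM):
        shown = "unknown" if addrs is None else [hex(a) for a in addrs.values()]
        print(f"pc {pc}: {op:5} -> {shown}")
```

The table read resolves to four word-aligned addresses, the local-slot store to a single stack address that exists only because the frame setup was tracked, and the final load stays unresolved because its base register is unconstrained; a real analysis would widen the loop counter, model memory contents, and still have to handle the misaligned-write case the last bullet describes.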