WYSINWYX: What You See Is Not What You eXecute Seminars/Workshops

Abstract

What You See Is Not What You eXecute: computers do not execute source-code programs; they execute machine-code programs that are generated from source code. Not only can the WYSINWYX phenomenon create a mismatch between what a programmer intends and what is actually executed by the processor, it can cause analyses that are performed on source code -- which is the approach followed by most security-analysis tools -- to fail to detect bugs and security vulnerabilities. Moreover, source code is not available for a lot of programs such as viruses, worms, Commercial Off the Shelf (COTS) components, etc.
In this talk, I will highlight some of the advantages of analyzing executables directly, and discuss the algorithms we have developed to recover information from stripped executables about the memory-access operations that the program performs. These algorithms are used in the CodeSurfer/x86 tool to construct intermediate representations that are used for browsing, inspecting, and analyzing stripped x86 executables. Finally, I will show the results of using CodeSurfer/x86 to find bugs in Windows Device Drivers.
Joint work with T. Reps (UW), J. Lim (UW), and T. Teitelbaum (Cornell and GrammaTech, Inc.).