WYSINWYX: What You See Is Not What You eXecute Seminars/Workshops
|Time:||2009-06-02 ~ 02|
|Place:||Room 308, Bldg 302, SNU|
What You See Is Not What You eXecute: computers do not execute
source-code programs; they execute machine-code programs that are
generated from source code. Not only can the WYSINWYX phenomenon
create a mismatch between what a programmer intends and what is
actually executed by the processor, it can cause analyses that are
performed on source code -- which is the approach followed by most
security-analysis tools -- to fail to detect bugs and security
vulnerabilities. Moreover, source code is not available for a lot of
programs such as viruses, worms, Commercial Off the Shelf (COTS)
In this talk, I will highlight some of the advantages of analyzing executables directly, and discuss the algorithms we have developed to recover information from stripped executables about the memory-access operations that the program performs. These algorithms are used in the CodeSurfer/x86 tool to construct intermediate representations that are used for browsing, inspecting, and analyzing stripped x86 executables. Finally, I will show the results of using CodeSurfer/x86 to find bugs in Windows Device Drivers.
Joint work with T. Reps (UW), J. Lim (UW), and T. Teitelbaum (Cornell and GrammaTech, Inc.).
[ List ]