Analyzing Memory Accesses in x86 Executables

Balakrishnan, Gogul; Reps, Thomas

doi:10.21236/ada449077

Cited by 89 publications

(193 citation statements)

References 12 publications

Supporting

Mentioning

193

Contrasting

Order By: Relevance

“…In such cases, recursive traversal also does not provide an accurate disassembly, and thus, an attacker could use indirect branches extensively to hinder it. Although some advanced static analysis methods can heuristically recover the targets of indirect branches, e.g., when used in jump tables, they are effective only with compiled code and well-structured binaries [36,38,41,42]. A motivated attacker can construct highly obfuscated code that abuses any assumptions about the structure of the code, including the extensive use of indirect branch instructions, which impedes both disassembly methods.…”

Section: Thwarting Disassemblymentioning

confidence: 99%

Network-level polymorphic shellcode detection using emulation

2006

View full text Add to dashboard Cite

Significant progress has been made in recent years towards preventing code injection attacks at the network level. However, as state-of-the-art attack detection technology becomes more prevalent, attackers are likely to evolve, employing techniques such as polymorphism and metamorphism to defeat these defenses. A major outstanding question in security research and engineering is thus whether we can proactively develop the tools needed to contain advanced polymorphic and metamorphic attacks. While recent results have been promising, most of the existing proposals can be defeated using only minor enhancements to the attack vector. In fact, some publicly-available polymorphic shellcode engines are currently one step ahead of the most advanced publicly-documented network-level detectors. In this paper, we present a heuristic detection method that scans network traffic streams for the presence of previously unknown polymorphic shellcode. In contrast to previous work, our approach relies on a NIDSembedded CPU emulator that executes every potential instruction sequence in the inspected traffic, aiming to identify the execution behavior of polymorphic shellcode. Our analysis demonstrates that the proposed

show abstract

Section: Thwarting Disassemblymentioning

confidence: 99%

Network-level polymorphic shellcode detection using emulation

2006

View full text Add to dashboard Cite

show abstract

“…Its target is achieved during the process of statically translating the binary code into the SSA (Static Single Assignment) form. When the symbol table and debugging information are either entirely absent, or cannot be relied upon, value-set analysis, a static analysis algorithm proposed in (Balakrishnan and Reps, 2004), first recovers the contents of the memory locations and how they are manipulated from the x86 executables. Then, it translates the x86 binary codes onto an IR which can facilitate the work of vulnerability detection and prevention.…”

Section: Related Workmentioning

confidence: 99%

Dytaint: The implementation of a novel lightweight 3-state dynamic taint analysis framework for x86 binary programs

Zhu

Feng

Zuo

et al. 2015

Computers & Security

View full text Add to dashboard Cite

“…Their method considered register values and the contents stored at memory objects at the same time, and produced accurate results. Balakrishnan and Reps [4] described a static-analysis algorithm for x86 executables that tracked the values that data objects in a program can hold. The global, local, and heap memory regions and a-locs were used to locate data objects.…”

Section: Assembly-level Alias Analysismentioning

confidence: 99%

Probabilistic Alias Analysis of Executable Code

Chen

2010

Int J Parallel Prog

View full text Add to dashboard Cite

In this paper we present a method for flow-sensitive, context-insensitive probabilistic alias analysis at the assembly level. A memory disambiguation algorithm is also developed for revealing the probability of two registers holding the same memory location. The alias analysis and memory disambiguation algorithms are implemented based on the Diablo post-link optimizer. Experimental results show that the technique can estimate the probabilities that registers refer to the same memory address in benchmark programs with an overall average error of about 6.8%. The post-link optimizer can leverage the obtained quantitative information to facilitate aggressive analyses and optimizations.

show abstract

Analyzing Memory Accesses in x86 Executables

Cited by 89 publications

References 12 publications

Network-level polymorphic shellcode detection using emulation

Network-level polymorphic shellcode detection using emulation

Dytaint: The implementation of a novel lightweight 3-state dynamic taint analysis framework for x86 binary programs

Probabilistic Alias Analysis of Executable Code

Contact Info

Product

Resources

About