15745-s15-project
15-745 Optimizing Compilers S15 Project
Project Group
Tiffany Bao, Dominic Chen, Rijnard van Tonder
Description
Although numerous debugging tools have been developed for performing static and dynamic software analysis, a large number of these require access to source code or utilization of special compile-time flags to embed debug information within the output binary. In contrast, little effort has been spent on developing static binary analysis tools which can directly analyze off-the-shelf executables without executing them. For this project, we plan to focus on a subset of common programming bugs that tend to introduce security vulnerabilities, known as memory-safety errors. Examples of these include buffer overflows, double frees, and uninitialized variables. Over the course of the project, we will develop and implement various static memory-safety analyses into our group’s Binary Analysis Platform (BAP). BAP is a pre-existing framework written in OCaml for performing analysis of binary code, and we’ll be using it primarily with the ARM architecture.
Project Location
We expect to add build instructions here once appropriate. For now, the project contents can be found at
git clone https://github.com/ddcc/15745-s15-project.gitProject Milestone
Consider the following code snippet:
#include <stdio.h>
#include <string.h>
int main(int argc, char** argv) {
char dst[10] = {0};
strcpy(dst, argv[1]);
}
1 base_436 := SP
2 mem := mem with [base_436 + 0xFFFFFFFC:32, el]:u32 <- LR
3 mem := mem with [base_436 + 0xFFFFFFF8:32, el]:u32 <- R11
4 SP := SP - 0x8:32
5 s_438 := SP
6 t_439 := 0x4:32
7 R11 := SP + 0x4:32
8 s_441 := SP
9 t_442 := 0x18:32
10 SP := SP - 0x18:32
11 mem := mem with [R11 + 0xFFFFFFE8:32, el]:u32 <- R0
12 mem := mem with [R11 + 0xFFFFFFE4:32, el]:u32 <- R1
13 s_446 := R11
14 t_447 := 0x10:32
15 R3 := R11 - 0x10:32
16 R2 := 0x0:32
17 mem := mem with [R3 + 0x0:32, el]:u32 <- R2
18 s_451 := R3
19 t_452 := 0x4:32
20 R3 := R3 + 0x4:32
21 R2 := 0x0:32
22 mem := mem with [R3 + 0x0:32, el]:u32 <- R2
23 s_456 := R3
24 t_457 := 0x4:32
25 R3 := R3 + 0x4:32
26 R2 := 0x0:32
27 t_460 := low:16[R2]
28 mem := mem with [R3 + 0x0:32, el]:u16 <- t_460
29 s_462 := R3
30 t_463 := 0x2:32
31 R3 := R3 + 0x2:32
32 R3 := mem[R11 + 0xFFFFFFE4:32, el]:u32
33 s_466 := R3
34 t_467 := 0x4:32
35 R3 := R3 + 0x4:32
36 R3 := mem[R3 + 0x0:32, el]:u32
37 s_470 := R11
38 t_471 := 0x10:32
39 R2 := R11 - 0x10:32
40 R0 := R2 ; dest
41 R1 := R3 ; src
42 LR := 0x849C:32
43 jmp 0x82E0:32 ; strcpy call
44 R0 := R3
45 s_476 := R11
46 t_477 := 0x4:32
47 SP := R11 - 0x4:32
48 base_478 := SP
49 R11 := mem[base_478 + 0x0:32, el]:u32
50 SP := SP + 0x8:32
51 jmp (mem[base_478 + 0x4:32, el]:u32)
(Click to enlarge) Note: label indices are reversed here.
This information allows us to construct an expression which encapsulates potential data transformations on the input as it originates from the start of the function.
Running Schedule
| Week | Goal |
|---|---|
| 3/16 - 3/20 | Write project proposal |
| 3/23 - 3/27 | Implement 75% goals |
| 3/30 - 4/3 | Implement 75% goals |
| 4/6 - 4/10 | Implement 100% goals |
| 4/13 - 4/17 | Implement 100% goals |
| 4/20 - 4/24 | Implement 125% goals |
| 4/27 - 4/29 | Write final report, prepare for poster session |