A System for Genera/ng Sta/c Analyzers for Machine Instruc/ons (TSL)

Transcription

1 Seminar on A System for Genera/ng Sta/c Analyzers for Machine Instruc/ons (TSL) Junghee Lim, Univ. of Wisconsin Madison, USA and Thomas Reps, GrammaTech, USA Presenter : Anand Ramkumar S Universitat des Saarlandes

2 Why Low Level Analysis? High level analysis does not account for behaviors of compiler! memset(password, \0, len); free(password);

3 Why Low Level Analysis? memset(password, \0, len); Op/miza/on free(password); Unpredicted Result! Leaving password in Memory.

4 Why Low Level Analysis? Use of libraries Not available in source code DLL Dynamic Libraries

5 Why Low Level Analysis? More than One Programming Language P C PERKLJASDKF E R L JAVA

6 Why Low Level Analysis? The en/re program can be analyzed including libraries linked to program. Source programs can be in many languages States of processor pipeline can be analyzed So[ware security issues can be iden/fied Instruc/ons inserted / removed By Op/miza/on, Instrumenta/on are handled

7 High Level Analysis Finding memory leaks Finding dereferences of dangling pointers Finding array out of bounds errors Checking type state proper/es ensuring that a file is open() before it is read() Both Low level and High Level analysis are required for comprehensive verifica/on.

8 Analysis of Executables Analysis of set of machine states Register Values Flag States Memory Contents that can be reached at each point in executable

9 Transformer Specifica/on Language TSL Widen Join Meet Update TSL ENGINE

10 Transformer Specifica/on Language TSL The TSL system provides a systema/c way to create analyzers for machine instruc/ons. Automa/cally generates analysis components from a specifica/on.

11 Analyses Overview Value Set Analysis Def Use Analysis

12 VSA (Value Set Analysis) VSA determines a safe approxima/on of set of numeric values and addresses In each register and memory loca/on at each program point

13 VSA (Value Set Analysis) To represent a set of numeric values and addresses VSA uses value set s

14 VSA (Value State Analysis) Code 1. start (0x100): 2. mov eax, 1 3. mov ebx, start 4. add eax, ebx Value Sets: 2. {eax = {1}; ebx = {*} } 3. { eax = {1}; ebx = {0x100} } 4. { eax = {0x101}; ebx = {0x100} }

15 Def Use Analysis (DUA) Match variable defini/ons (assignments) and uses. Example x = 5; if (x > 0)... def use

16 Def Use Analysis (DUA) Analyze by using def use pair. A def use pair is variable's Value and Use [x=5, x>0]

17 Problems solved by TSL Automa/cally Generates Analysis components Common Intermediate Representa/ons Transformers Supports wide range of Analysis Compa/ble with various Architectures

18 Problems solved by TSL τ 1 # τ 1 #2... τ 1 #6 Analyzers τ 2 # τ 2 #2... τ 2 #6 τ 600 # τ 600 #2... τ 600 #6 6 analyses x 600 instructions 3600 transformers

19 Problems solved by TSL Other Systems TSL System A 1 // transformer for A 1 switch(i) { case ADD:... case SUB:... ~600. } A 1 A 2 A 1 A 2 A 2... // transformer for A 2 switch(i) { case ADD:... case SUB:... ~600. } with(i) { ADD(): SUB():... } A 6 // transformer for A 6 switch(i) { case ADD:... case SUB:... ~600. } A 6 A 6

20 Problems solved by TSL ARM Power PC Intel Architecture TSL System SPARC Blackfin.

21 TSL TSL SYSTEM CIR CIR CIR CIR TSL LANGUAGE ISS ISS ISS ISS INTEL SPARC PPC ARM

22 What is in TSL? TSL Language Formal language for specifying seman/cs of machine instruc/ons. TSL System Analysis framework generated automa/cally from specifica/on.

23 Classes of Users for TSL Analysis 1 Analysis 2 Analysis 3... TSL SYSTEM ARM IS1 INTEL IS2 PowerPC IS3

24 Classes of Users for TSL Instruc/on Set Specifica/on (ISS) developers Specifying seman/cs of different instruc/on sets Analysis developers involved in extending the analysis framework

25 ISS Development TSL SYSTEM CIR CIR CIR CIR TSL LANGUAGE ISS ISS ISS ISS INTEL SPARC PPC ARM

26 Transformer Specifica/on Language TSL strongly typed has a data type defini/on mechanism allows defining recursive data types

27 Transformer Specifica/on Language Operators Bit manipula/on operators (, &,, ˆ,, ) Rela/onal operators (<, <=, >, >=, ==,!=)

28 Transformer Specifica/on Language Operators Arithme/c/logical operators (+,,, /,!, &&,, xor) Condi/onal expression operator (? : )

29 Transformer Specifica/on Language TSL base types INT8 INT16 INT32 INT64 BOOL

30 Transformer Specifica/on Language TSL Map base types MEMMAP32_8_LE : maps from 32 bit values (addresses) to 8 bit values MEMMAP32_16_LE : maps from 32 bit values (addresses) to 16 bit values VAR32MAP : 32 bit values, also similarly VAR16MAP, VAR8MAP VARBOOLMAP from var bool to Boolean values

31 ISS Development An ISS developer specifies the abstract syntax grammar by defining the constructors for a language of instruc/ons a concrete state type the concrete seman/cs of each instruc/on

32 ADD Example Intel 32A TSL SYSTEM CIR CIR CIR CIR TSL LANGUAGE ISS ISS ISS ISS INTEL SPARC PPC ARM

33 ADD Example Intel 32A add ebx, eax instruction ADD32_32 operand32 DirectReg32 operand32 DirectReg32 reg32 EBX reg32 EAX

34 ADD Example Concrete Seman/cs ADD DEST DEST + SRC SF, ZF, OF, CF, AF, PF are set according to the result

35 ISS Development Define every op/on available for instruc/on set in TSL The concrete seman/cs is specified by wri/ng a func/on named interpinstr. Abstract opera/ons are defined at the meta level

36 TSL Specifica/on Example [1] // User defined abstract syntax [2] reg32: EAX() EBX()... ; [3] flag: ZF() SF()... ; [4] operand32: Indirect32(reg32 reg32 INT8 INT32) [5] DirectReg32(reg32) Immediate32(INT32)...; [6] operand16:... ; [7]...

37 TSL Specifica/on Example [8] instruc/on [9] : ADD32 32(operand32 operand32) [10] ADD16 16(operand16 operand16)... ; [11] var32: Reg32(reg32); [12] var bool: Flag(flag); [13] state: State(MEMMAP32 8 LE // memory map [14] VAR32MAP // register map [15] VARBOOLMAP); // flag map

38 [16] // User defined func/ons [17] state updateflag(state S,... ) {... } :... [23] state interpinstr(instruc/on I, state S) { [24] with(i) ( [25] ADD32 32(dstOp, srcop): [26] let dstval = interpop(s, dstop); [27] srcval = interpop(s, srcop); [28] res = dstval + srcval; [29] S2 = updateflag(s, dstval, srcval, res); [30] in ( updatestate( S2, dstop, res ) ), [31]...) [32] } TSL Specifica/on Example

39 ADD Example TSL SYSTEM ISS INTEL 32 IS2 IS3

40 Opera/on of TSL System TSL SYSTEM CIR CIR CIR CIR TSL LANGUAGE ISS ISS ISS ISS INTEL SPARC PPC ARM

41 Opera/on of TSL System Translates the TSL specifica/on of each instruc/on set to a Common Intermediate Representa/on (CIR). CIR that can be used to create mul/ple analyzers.

42 Common Intermediate Representa/on CIR is specific to a given instruc/on set CIR is common across analysis Each generated CIR is a template class

43 Common Intermediate Representa/on The user defined abstract syntax is translated to a set of abstract syntax classes. The user defined types, such as reg32, operand32, and instruc/on, are translated to abstract C++ classes

44 Common Intermediate Representa/on [1] template <typename INTERP> [2] class CIR { [3] class reg32 {... }; [4] class EAX: public reg32 {... }; [5]... [6] class operand32 {... }; [7] class Indirect32: public operand32 {... }; [8]... [9] class instruc/on {... };

45 Common Intermediate Representa/on [10] class ADD32 32: public instruc/on {... [11] enum TSL ID id; [12] operand32 op1; [13] operand32 op2; [14] }; [15]... [16] class state {... }; [17] class State: public state {...

46 Common Intermediate Representa/on [24]... [23] sta/c state interpinstr#(instruc/on I, state S) { [24] state ans; [25] switch(i.id) { [26] case ID ADD32 32: { [27] operand32 dstop = I.op1; [28] operand32 srcop = I.op2; [29] INTERP::INT32 dstval = interpop(s, dstop); [30] INTERP::INT32 srcval = interpop(s, srcop); [31] INTERP::INT32 res = INTERP::Add(dstVal,srcVal); [32] state S2 = updateflag(s, dstval, srcval, res); [33] ans = updatestate(s2, dstop, res); [34] } break; [37] return ans; [38] } [39]};

47 Analysis Developer + + 1#, + + 2#, CIR is instan/ated with interpreta/on (INTERP) by analysis developer.

48 Value Set Analysis [1] class VSA INTERP { [2] // basetype [3] typedef ValueSet32 INT32; [4]... [5] // basetype operators [6] INT32 Add(INT32 a, INT32 b) { [7] return a.addvalueset(b); [8] } [9]... [10] // map basetypes

49 Value Set Analysis Widen Join Meet Update interpinstr TSL ENGINE

50 Opera/on of TSL System INTE RP TSL SYSTEM CIR CIR CIR CIR TSL LANGUAGE ISS ISS ISS ISS INTEL SPARC PPC ARM

51 Analysis Developer 1 interpinstr # For each analysis the analysis engine shall call interpinstr #

52 Analysis Developer Analysis Engine in C++ while(worklist φ) { select an edge n->m from worklist... new_s = interpinstr # (instr(n), S)... }

53 Analysis Developer For Analysis Engine in other languages Obtains a transformer for an instruc/on being processed from TSL

54 Generated Transformers for add ebx,eax 1.VSA (Value Set Analysis) S.S[ebx S(ebx)+vsaS(eax)] [ZF (S(ebx) +vsas(eax) = 0)][more flag updates] 2.DUA [ ebx {eax, ebx}, ZF {eax, ebx},... ]

55 Value Set Analysis Transformer S.S[ebx S(ebx)+vsaS(eax)] [ZF (S(ebx) +vsas(eax) = 0)][more flag updates] VSA uses transformer evaluator to create an output abstract state. VSA returns a new abstract state in which ebx is updated with sum of ebx and eax. The flags are updated appropriately.

56 Opera/on of TSL System INTE RP TSL SYSTEM CIR CIR CIR CIR TSL LANGUAGE ISS ISS ISS ISS INTEL SPARC PPC ARM

57 Related Work Systems sharing some same goals as TSL LISAS Instruc/on set specifica/on language Lambda RTL Seman/cs of an instruc/on set and to support mul/ple analysis

58 Summary The TSL system provides a systema/c way to create analyzers for machine instruc/ons. Low Level Analysis for each processor family. It separates the abstract seman/cs of each analysis from the instruc/on sets to be analyzed. All analysis frameworks are generated from the same seman/cs.

59 Thank You!