What You See Is Not What You eXecute: computers do not execute source-code programs; they execute machine-code programs that are generated from source code. Not only can the WYSINWYX phenomenon create a mismatch between what a programmer intends and what is actually executed by the processor, it can cause analyses that are performed on source code – which is the approach followed by most security-analysis tools – to fail to detect bugs and security vulnerabilities. Moreover, source code is not available for a lot of programs such as viruses, worms, Commercial Off the Shelf (COTS) components, etc.

In this talk, I will highlight some of the advantages of analyzing executables directly, and discuss the algorithms we have developed to recover information from stripped executables about the memory-access operations that the program performs. These algorithms are used in the CodeSurfer/x86 tool to construct intermediate representations that are used for browsing, inspecting, and analyzing stripped x86 executables.

Finally, I will talk about our experience with using CodeSurfer/x86 to find problems in Windows device drivers.

Joint work with T. Reps (UW), J. Lim (UW), and T. Teitelbaum (Cornell and GrammaTech, Inc.).