Thomas Reps, University of Wisconsin and Gramma Tech, Inc.
WYSINWYX: What You See Is Not What You eXecute
What You See Is Not What You eXecute: computers do not execute source-code programs; they execute machine-code programs that are generated from source code. Not only can the WYSINWYX phenomenon create a mismatch between what a programmer intends and what is actually executed by the processor, it can cause analyses that are performed on source code -- which is the approach followed by most security-analysis tools -- to fail to detect bugs and security vulnerabilities.
To address the WYSINWYX problem, we have developed algorithms to recover information from stripped executables about the memory-access operations that the program performs. These algorithms are used in the CodeSurfer/x86 tool to construct intermediate representations that are used for browsing, inspecting, and analyzing stripped x86 executables.
Joint work with G. Balakrishnan (UW), J. Lim (UW), and T. Teitelbaum (Cornell and GrammaTech, Inc.).