Formally Verified Binary-level Pointer Analysis

TL;DR

This paper introduces a formally verified binary-level pointer analysis method that ensures correctness and adaptability across different precision levels, aiding software verification and decompilation tasks.

Contribution

It presents a generic framework for binary pointer analysis that guarantees correctness and supports customizable abstract domains for varying precision needs.

Findings

Successfully derived sound memory write designations in COTS binaries.

Supports context-sensitive interprocedural analysis.

Balances scalability and precision effectively.

Abstract

Binary-level pointer analysis can be of use in symbolic execution, testing, verification, and decompilation of software binaries. In various such contexts, it is crucial that the result is trustworthy, i.e., it can be formally established that the pointer designations are overapproximative. This paper presents an approach to formally proven correct binary-level pointer analysis. A salient property of our approach is that it first generically considers what proof obligations a generic abstract domain for pointer analysis must satisfy. This allows easy instantiation of different domains, varying in precision, while preserving the correctness of the analysis. In the trade-off between scalability and precision, such customization allows "meaningful" precision (sufficiently precise to ensure basic sanity properties, such as that relevant parts of the stack frame are not overwritten during function execution) while also allowing coarse analysis when pointer computations have become too obfuscated during compilation for sound and accurate bounds analysis. We experiment with three different abstract domains with high, medium, and low precision. Evaluation shows that our approach is able to derive designations for memory writes soundly in COTS binaries, in a context-sensitive interprocedural fashion.