
Reverse Static Analysis of Executable Programs Guided by Semantic Analysis of Versions

Posted on: 2011-10-25
Degree: Master
Type: Thesis
Country: China
Candidate: J B Lin
Full Text: PDF
GTID: 2178360308955366
Subject: Computer software and theory
Abstract/Summary:
The size and complexity of software keep increasing, which greatly raises the difficulty of discovering vulnerabilities. A software update signals that the old version contained defects or was changed in some way, so building an automatic reverse-analysis tool that assists vulnerability discovery has become an important research focus. Traditional patch-comparison tools simply compare the disassembled code, and the information they provide is very limited.

This thesis implements a prototype tool for the reverse analysis of executable programs on the Phoenix compiler framework, using a reverse-analysis algorithm guided by the semantic changes between versions. The tool identifies semantic changes between two versions of a .NET executable by comparing the intermediate representation (IR) that Phoenix raises from the binary. Program slicing then isolates the region of code on which the changed semantics depend. A semantic interpreter for Phoenix IR, built on symbolic execution and constraint solving, generates concrete test inputs automatically. The tool also provides a control flow graph view of a function, a call graph view between functions, and a program dependence graph view of a function, and it can actively run symbolic-execution-based security testing on software of a certain size.

Finally, the prototype, named "ReverseSA", was evaluated on two versions of the client for "Fetion", the integrated communication service provided by China Mobile. For the main executable "FetionFx.exe", 11.098% of the functions changed between the two versions and 24.402% were newly added; the new version contains 7028 functions.
Only 10 of the 19 executable files examined changed at all, and for most files the changed and added rates are small. The results show that "ReverseSA" performs patch analysis quickly and provides prioritized starting points for vulnerability discovery, and that further symbolic-execution analysis adds a degree of automated security testing.
Keywords/Search Tags: reverse engineering, symbolic execution, patch analysis, .Net, program slicing, static analysis, Phoenix