{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,28]],"date-time":"2025-09-28T20:37:55Z","timestamp":1759091875571,"version":"3.41.0"},"reference-count":69,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2016,4,27]],"date-time":"2016-04-27T00:00:00Z","timestamp":1461715200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Softw. Eng. Methodol."],"published-print":{"date-parts":[[2016,5,16]]},"abstract":"<jats:p>This article makes three contributions regarding reverse-engineering of executables. First, techniques are presented for recovering a precise and correct stack-memory model in executables while addressing executable-specific challenges such as indirect control transfers. Next, the enhanced memory model is employed to define a novel symbolic analysis framework for executables that can perform the same types of program analyses as source-level tools. Third, a demand-driven framework is presented to enhance the scalability of the symbolic analysis framework. Existing symbolic analysis frameworks for executables fail to simultaneously maintain the properties of correct representation, a precise stack-memory model, and scalability. Furthermore, they ignore memory-allocated variables when defining symbolic analysis mechanisms. Our methods do not use symbolic, relocation or debug information, which are usually absent in deployed binaries. We describe our framework, highlighting the novel intellectual contributions of our approach and demonstrating its efficacy and robustness. Our techniques improve the precision of existing stack-memory models by 25%, enhance scalability of our basic symbolic analysis mechanism by 10\u00d7, and successfully uncovers five previously undiscovered information-flow vulnerabilities in several widely used programs.<\/jats:p>","DOI":"10.1145\/2897511","type":"journal-article","created":{"date-parts":[[2016,4,27]],"date-time":"2016-04-27T12:10:51Z","timestamp":1461759051000},"page":"1-38","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["A Stack Memory Abstraction and Symbolic Analysis Framework for Executables"],"prefix":"10.1145","volume":"25","author":[{"given":"Kapil","family":"Anand","sequence":"first","affiliation":[{"name":"University of Maryland, College Park"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Khaled","family":"Elwazeer","sequence":"additional","affiliation":[{"name":"University of Maryland, College Park"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Aparna","family":"Kotha","sequence":"additional","affiliation":[{"name":"University of Maryland, College Park"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Matthew","family":"Smithson","sequence":"additional","affiliation":[{"name":"University of Maryland, College Park"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Rajeev","family":"Barua","sequence":"additional","affiliation":[{"name":"University of Maryland, College Park"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Angelos","family":"Keromytis","sequence":"additional","affiliation":[{"name":"Columbia University"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2016,4,27]]},"reference":[{"doi-asserted-by":"publisher","key":"e_1_2_1_1_1","DOI":"10.1023\/A:1007588710878"},{"doi-asserted-by":"publisher","key":"e_1_2_1_2_1","DOI":"10.1145\/2465351.2465380"},{"unstructured":"K. Anand K. Wazeer A. Kotha M. Smithson and R. Barua. 2013b. A symbolic analysis framework for analyzing executables. http:\/\/www.ece.umd.edu\/ &sim; barua\/icsm13-extended.pdf.  K. Anand K. Wazeer A. Kotha M. Smithson and R. Barua. 2013b. A symbolic analysis framework for analyzing executables. http:\/\/www.ece.umd.edu\/ &sim; barua\/icsm13-extended.pdf.","key":"e_1_2_1_3_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_4_1","DOI":"10.1007\/978-3-540-24723-4_2"},{"doi-asserted-by":"publisher","key":"e_1_2_1_5_1","DOI":"10.5555\/1763048.1763050"},{"doi-asserted-by":"publisher","key":"e_1_2_1_6_1","DOI":"10.1109\/SP.2008.22"},{"unstructured":"J. Bergeron M. Debbabi J. Desharnais M. M. Erhioui Y. Lavoie and N. Tawbi. 2001. Static detection of malicious code in executable programs. International Journal of Reverse Engineering (2001).  J. Bergeron M. Debbabi J. Desharnais M. M. Erhioui Y. Lavoie and N. Tawbi. 2001. Static detection of malicious code in executable programs. International Journal of Reverse Engineering (2001).","key":"e_1_2_1_8_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_9_1","DOI":"10.5555\/645605.663081"},{"doi-asserted-by":"publisher","key":"e_1_2_1_10_1","DOI":"10.1145\/268946.268966"},{"volume-title":"Proceedings of the 23rd International Conference on Computer Aided Verification (CAV\u201911)","author":"Brumley David","unstructured":"David Brumley , Ivan Jager , Thanassis Avgerinos , and Edward J. Schwartz . 2011. BAP: A binary analysis platform . In Proceedings of the 23rd International Conference on Computer Aided Verification (CAV\u201911) . Springer-Verlag, Berlin, 463--469. David Brumley, Ivan Jager, Thanassis Avgerinos, and Edward J. Schwartz. 2011. BAP: A binary analysis platform. In Proceedings of the 23rd International Conference on Computer Aided Verification (CAV\u201911). Springer-Verlag, Berlin, 463--469.","key":"e_1_2_1_11_1"},{"key":"e_1_2_1_12_1","volume-title":"Proceedings of the 8th USENIX Symposium on Operating Systems Design and Implementation (OSDI 2008","author":"Cadar Cristian","year":"2008","unstructured":"Cristian Cadar , Daniel Dunbar , and Dawson Engler . 2008 . KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs . In Proceedings of the 8th USENIX Symposium on Operating Systems Design and Implementation (OSDI 2008 ), December 8 --10 , 2008, San Diego, California. 209--224. Cristian Cadar, Daniel Dunbar, and Dawson Engler. 2008. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In Proceedings of the 8th USENIX Symposium on Operating Systems Design and Implementation (OSDI 2008), December 8--10, 2008, San Diego, California. 209--224."},{"doi-asserted-by":"publisher","key":"e_1_2_1_13_1","DOI":"10.1109\/SP.2012.31"},{"doi-asserted-by":"publisher","key":"e_1_2_1_14_1","DOI":"10.1145\/1455770.1455778"},{"doi-asserted-by":"publisher","key":"e_1_2_1_15_1","DOI":"10.1109\/2.825697"},{"doi-asserted-by":"publisher","key":"e_1_2_1_16_1","DOI":"10.1145\/512760.512770"},{"doi-asserted-by":"publisher","key":"e_1_2_1_17_1","DOI":"10.1109\/ACSAC.2006.50"},{"key":"e_1_2_1_18_1","volume-title":"Proceedings of the 10th Conference on USENIX Security Symposium (SSYM'01)","volume":"10","author":"Cowan Crispin","year":"2001","unstructured":"Crispin Cowan , Matt Barringer , Steve Beattie , Greg Kroah-Hartman , Mike Frantzen , and Jamie Lokier . 2001 . FormatGuard: Automatic protection from printf format string vulnerabilities . In Proceedings of the 10th Conference on USENIX Security Symposium (SSYM'01) . Vol. 10 . USENIX Association, Berkeley, CA, USA, 15--15. Crispin Cowan, Matt Barringer, Steve Beattie, Greg Kroah-Hartman, Mike Frantzen, and Jamie Lokier. 2001. FormatGuard: Automatic protection from printf format string vulnerabilities. In Proceedings of the 10th Conference on USENIX Security Symposium (SSYM'01). Vol. 10. USENIX Association, Berkeley, CA, USA, 15--15."},{"unstructured":"CVE. 2013. Directory Traversal Vulnerability in Rack. http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name&equals;CVE-2013-0262.  CVE. 2013. Directory Traversal Vulnerability in Rack. http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name&equals;CVE-2013-0262.","key":"e_1_2_1_19_1"},{"unstructured":"CVE-MITRE. 2015. Common Vulnerabilities and Exposures. https:\/\/cve.mitre.org\/.  CVE-MITRE. 2015. Common Vulnerabilities and Exposures. https:\/\/cve.mitre.org\/.","key":"e_1_2_1_20_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_21_1","DOI":"10.1145\/1273440.1250722"},{"unstructured":"Darpa. 2012. Announcement for Binary Executable Transforms. http:\/\/www.federalgrants.com\/Binary-Executable-Transforms-BET-30063.html.  Darpa. 2012. Announcement for Binary Executable Transforms. http:\/\/www.federalgrants.com\/Binary-Executable-Transforms-BET-30063.html.","key":"e_1_2_1_22_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_23_1","DOI":"10.1145\/1210268.1210273"},{"doi-asserted-by":"publisher","key":"e_1_2_1_24_1","DOI":"10.1145\/268946.268948"},{"key":"e_1_2_1_25_1","volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS 2011","author":"Egele Manuel","year":"2011","unstructured":"Manuel Egele , Christopher Kruegel , Engin Kirda , and Giovanni Vigna . 2011 . PiOS: Detecting privacy leaks in iOS applications . In Proceedings of the Network and Distributed System Security Symposium (NDSS 2011 ), San Diego, California, USA, 6th February - 9th February 2011. Manuel Egele, Christopher Kruegel, Engin Kirda, and Giovanni Vigna. 2011. PiOS: Detecting privacy leaks in iOS applications. In Proceedings of the Network and Distributed System Security Symposium (NDSS 2011), San Diego, California, USA, 6th February - 9th February 2011."},{"doi-asserted-by":"publisher","key":"e_1_2_1_27_1","DOI":"10.1145\/2491956.2462165"},{"doi-asserted-by":"publisher","key":"e_1_2_1_28_1","DOI":"10.1145\/263580.263648"},{"unstructured":"FireEye. 2015. Recent Zero-Day Exploits. https:\/\/www.fireeye.com\/current-threats\/recent-zero-day-attacks.html.  FireEye. 2015. Recent Zero-Day Exploits. https:\/\/www.fireeye.com\/current-threats\/recent-zero-day-attacks.html.","key":"e_1_2_1_29_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_30_1","DOI":"10.1145\/113445.113448"},{"doi-asserted-by":"publisher","key":"e_1_2_1_31_1","DOI":"10.1109\/CGO.2005.27"},{"volume-title":"Proceedings of the 10th International Conference on Static Analysis (SAS'03)","author":"Samuel","unstructured":"Samuel Z. Guyer and Calvin Lin. 2003. Client-driven pointer analysis . In Proceedings of the 10th International Conference on Static Analysis (SAS'03) , Radhia Cousot (Ed.). Springer-Verlag, Berlin, Heidelberg, 214--236. Samuel Z. Guyer and Calvin Lin. 2003. Client-driven pointer analysis. In Proceedings of the 10th International Conference on Static Analysis (SAS'03), Radhia Cousot (Ed.). Springer-Verlag, Berlin, Heidelberg, 214--236.","key":"e_1_2_1_32_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_33_1","DOI":"10.1145\/233561.233568"},{"doi-asserted-by":"publisher","key":"e_1_2_1_34_1","DOI":"10.1145\/1075382.1075385"},{"doi-asserted-by":"publisher","key":"e_1_2_1_35_1","DOI":"10.1109\/TSE.1977.231133"},{"doi-asserted-by":"publisher","key":"e_1_2_1_36_1","DOI":"10.1145\/378795.378802"},{"unstructured":"HexBlog. 2006. Simplex method in IDA Pro. http:\/\/www.hexblog.com\/?p&equals;42.  HexBlog. 2006. Simplex method in IDA Pro. http:\/\/www.hexblog.com\/?p&equals;42.","key":"e_1_2_1_37_1"},{"unstructured":"IDAPro disassembler. IDAPro disassembler. http:\/\/www.hex-rays.com\/idapro\/.  IDAPro disassembler. IDAPro disassembler. http:\/\/www.hex-rays.com\/idapro\/.","key":"e_1_2_1_38_1"},{"unstructured":"Peter Kankowski. 2006. x86 Machine Code Statistics. http:\/\/www.strchr.com\/x86_machine_code_statistics.  Peter Kankowski. 2006. x86 Machine Code Statistics. http:\/\/www.strchr.com\/x86_machine_code_statistics.","key":"e_1_2_1_39_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_40_1","DOI":"10.1007\/978-3-540-70545-1_40"},{"doi-asserted-by":"publisher","key":"e_1_2_1_41_1","DOI":"10.1109\/TPDS.2014.2349501"},{"doi-asserted-by":"publisher","key":"e_1_2_1_42_1","DOI":"10.1109\/MICRO.2010.27"},{"doi-asserted-by":"publisher","key":"e_1_2_1_43_1","DOI":"10.1145\/223428.207163"},{"doi-asserted-by":"publisher","key":"e_1_2_1_44_1","DOI":"10.5555\/977395.977673"},{"doi-asserted-by":"publisher","key":"e_1_2_1_45_1","DOI":"10.1145\/948109.948149"},{"unstructured":"NAS. 2006. NAS Parallel Benchmarks. http:\/\/www.nas.nasa.gov\/publications\/npb.html\/.  NAS. 2006. NAS Parallel Benchmarks. http:\/\/www.nas.nasa.gov\/publications\/npb.html\/.","key":"e_1_2_1_46_1"},{"unstructured":"Oink. 2015. Oink Tool. http:\/\/daniel-wilkerson.appspot.com\/oink\/index.html\/\/.  Oink. 2015. Oink Tool. http:\/\/daniel-wilkerson.appspot.com\/oink\/index.html\/\/.","key":"e_1_2_1_47_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_48_1","DOI":"10.1145\/223428.207117"},{"volume-title":"Polybench: The Polyhedral Benchmark Suite","year":"2010","unstructured":"PolyBench. 2010 . Polybench: The Polyhedral Benchmark Suite . http:\/\/www-roc.inria.fr\/&sim;pouchet\/software\/polybench\/. PolyBench. 2010. Polybench: The Polyhedral Benchmark Suite. http:\/\/www-roc.inria.fr\/&sim;pouchet\/software\/polybench\/.","key":"e_1_2_1_49_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_50_1","DOI":"10.1007\/978-3-540-24622-0_21"},{"doi-asserted-by":"publisher","key":"e_1_2_1_51_1","DOI":"10.5555\/646542.696206"},{"doi-asserted-by":"publisher","key":"e_1_2_1_52_1","DOI":"10.1145\/358438.349325"},{"doi-asserted-by":"publisher","key":"e_1_2_1_53_1","DOI":"10.1109\/SP.2010.26"},{"key":"e_1_2_1_54_1","volume-title":"Proceedings of the 2001 Workshop on Binary Translation.","author":"Schwarz Benjamin","year":"2001","unstructured":"Benjamin Schwarz , Saumya Debray , Gregory Andrews , and Matthew Legendre . 2001 . PLTO: A link-time optimizer for the intel IA-32 architecture . In Proceedings of the 2001 Workshop on Binary Translation. Benjamin Schwarz, Saumya Debray, Gregory Andrews, and Matthew Legendre. 2001. PLTO: A link-time optimizer for the intel IA-32 architecture. In Proceedings of the 2001 Workshop on Binary Translation."},{"unstructured":"Setuid. Setuid: Linux Man Page. http:\/\/linux.die.net\/man\/2\/setuid.  Setuid. Setuid: Linux Man Page. http:\/\/linux.die.net\/man\/2\/setuid.","key":"e_1_2_1_55_1"},{"key":"e_1_2_1_56_1","volume-title":"Proceedings of the 10th Conference on USENIX Security Symposium (SSYM'01)","volume":"10","author":"Shankar Umesh","year":"2001","unstructured":"Umesh Shankar , Kunal Talwar , Jeffrey S. Foster , and David Wagner . 2001 . Detecting format string vulnerabilities with type qualifiers . In Proceedings of the 10th Conference on USENIX Security Symposium (SSYM'01) . Vol. 10 . USENIX Association, Berkeley, CA, USA, 201--220. Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, and David Wagner. 2001. Detecting format string vulnerabilities with type qualifiers. In Proceedings of the 10th Conference on USENIX Security Symposium (SSYM'01). Vol. 10. USENIX Association, Berkeley, CA, USA, 201--220."},{"doi-asserted-by":"publisher","key":"e_1_2_1_57_1","DOI":"10.1109\/WCRE.2013.6671280"},{"doi-asserted-by":"publisher","key":"e_1_2_1_58_1","DOI":"10.1007\/978-3-540-89862-7_1"},{"volume-title":"Calling Conventions. http:\/\/asm.sourceforge.net\/howto\/conventions.html.","year":"2013","unstructured":"SourceForge. 2013 . Calling Conventions. http:\/\/asm.sourceforge.net\/howto\/conventions.html. SourceForge. 2013. Calling Conventions. http:\/\/asm.sourceforge.net\/howto\/conventions.html.","key":"e_1_2_1_59_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_60_1","DOI":"10.1145\/1250734.1250748"},{"unstructured":"TCMalloc. TCMalloc: Thread Caching Malloc. http:\/\/www.goog-perftools.sourceforge.net\/doc\/tcmalloc.html.  TCMalloc. TCMalloc: Thread Caching Malloc. http:\/\/www.goog-perftools.sourceforge.net\/doc\/tcmalloc.html.","key":"e_1_2_1_61_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_62_1","DOI":"10.1007\/978-3-642-14295-6_27"},{"doi-asserted-by":"publisher","key":"e_1_2_1_63_1","DOI":"10.1007\/978-3-642-31424-7_17"},{"doi-asserted-by":"publisher","key":"e_1_2_1_64_1","DOI":"10.1145\/1542476.1542486"},{"doi-asserted-by":"publisher","key":"e_1_2_1_65_1","DOI":"10.1145\/224538.224648"},{"doi-asserted-by":"publisher","key":"e_1_2_1_66_1","DOI":"10.1145\/1269843.1269853"},{"key":"e_1_2_1_67_1","volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS).","author":"Wang Tielei","year":"2009","unstructured":"Tielei Wang , Tao Wei , Zhiqiang Lin , and Wei Zou . 2009 . IntScope: Automatically detecting integer overflow vulnerability in x86 binary using symbolic execution . In Proceedings of the Network and Distributed System Security Symposium (NDSS). Tielei Wang, Tao Wei, Zhiqiang Lin, and Wei Zou. 2009. IntScope: Automatically detecting integer overflow vulnerability in x86 binary using symbolic execution. In Proceedings of the Network and Distributed System Security Symposium (NDSS)."},{"doi-asserted-by":"publisher","key":"e_1_2_1_68_1","DOI":"10.1109\/ACSAC.2008.37"},{"volume-title":"Optimizing Supercompilers for Supercomputers","author":"Wolfe Michael Joseph","unstructured":"Michael Joseph Wolfe . 1990. Optimizing Supercompilers for Supercomputers . MIT Press , Cambridge, MA . Michael Joseph Wolfe. 1990. Optimizing Supercompilers for Supercomputers. MIT Press, Cambridge, MA.","key":"e_1_2_1_69_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_70_1","DOI":"10.1145\/1128022.1128040"},{"doi-asserted-by":"publisher","key":"e_1_2_1_71_1","DOI":"10.1109\/COMPSAC.2007.163"}],"container-title":["ACM Transactions on Software Engineering and Methodology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2897511","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2897511","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T04:39:02Z","timestamp":1750221542000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2897511"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,4,27]]},"references-count":69,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2016,5,16]]}},"alternative-id":["10.1145\/2897511"],"URL":"https:\/\/doi.org\/10.1145\/2897511","relation":{},"ISSN":["1049-331X","1557-7392"],"issn-type":[{"type":"print","value":"1049-331X"},{"type":"electronic","value":"1557-7392"}],"subject":[],"published":{"date-parts":[[2016,4,27]]},"assertion":[{"value":"2015-01-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2016-02-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2016-04-27","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}