need help with tool requirement

Bruce Dawson jbd at codemeta.com
Tue Apr 20 17:37:01 EDT 2004 

On Tue, 2004-04-20 at 16:18, bmcculley at rcn.com wrote:
> Requirement is to be able to take an executable image and
> determine every reference to specific data item(s) by
> simulating execution of every possible code path.  In other
> words, the equivalent of setting a debug watchpoint on a
> variable (or small set of variables, at most a handfull) and
> then forcing execution of both paths out of every conditional
> branch point.

Tools like this tend to be platform specific. What platform are you
looking for this to work with? (Exceptions may be Java, P-code, Teco,
and the ilk).

Also, keep in mind that tools of this type usually need "hints" to
determine how the data addresses are computed. This information is
frequently gleaned from debug symbol tables, linkers, ...

Also, as Thompson was alluding to, this is very difficult, because
everything that's running has to be checked - including the runtime
libraries, portions of the operating system, and any shared images. And
in a number of instances, this will interfere with the security
mechanisms of the operating system.

Also, I'm not aware of any tools (FOSS, commercial, or "private") that
do this because of the enormity of the effort, and the amount of time
required to exhaust all possible paths. It might as well be infinite for
things like web browsers. (However, I heard about a "proving tool" for
the 8051 microprocessor, but don't remember anything specific.)

I wrote a tool for VAX/VMS way back in the early '80s that explored this
problem, and came to the conclusion that proving programs is more cost
effective (but proving software defeats Ken's assertion that software
can't be trusted - even at the source level). The biggest problem came
from things like index registers (and indirect addressing in general),
code space contaminated with data, and "computed addresses". The current
popular machine instruction sets just don't lend themselves to this kind
of analysis.

But I would like to know if you find anything more concrete.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://mail.gnhlug.org/mailman/private/gnhlug-discuss/attachments/20040420/79a03015/attachment.bin

More information about the gnhlug-discuss mailing list