On Tue, 2004-04-20 at 16:18, [EMAIL PROTECTED] wrote:
> Requirement is to be able to take an executable image and
> determine every reference to specific data item(s) by
> simulating execution of every possible code path. In other
> words, the equivalent of setting a debug watchpoint on a
> variable (or small set of variables, at most a handful) and
> then forcing execution of both paths out of every conditional
> branch point.
Tools like this tend to be platform specific. What platform are you looking for this to work with? (Exceptions may be Java, P-code, Teco, and the ilk). Also, keep in mind that tools of this type usually need "hints" to determine how the data addresses are computed. This information is frequently gleaned from debug symbol tables, linkers, ...

Also, as Thompson was alluding to, this is very difficult, because everything that's running has to be checked - including the runtime libraries, portions of the operating system, and any shared images. And in a number of instances, this will interfere with the security mechanisms of the operating system.

Also, I'm not aware of any tools (FOSS, commercial, or "private") that do this because of the enormity of the effort, and the amount of time required to exhaust all possible paths. It might as well be infinite for things like web browsers. (However, I heard about a "proving tool" for the 8051 microprocessor, but don't remember anything specific.)

I wrote a tool for VAX/VMS way back in the early '80s that explored this problem, and came to the conclusion that proving programs is more cost effective (but proving software defeats Ken's assertion that software can't be trusted - even at the source level). The biggest problem came from things like index registers (and indirect addressing in general), code space contaminated with data, and "computed addresses". The current popular machine instruction sets just don't lend themselves to this kind of analysis.

But I would like to know if you find anything more concrete.
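The following is an added illustration, not part of the message above and not the VAX/VMS tool its author mentions. It sketches the requested analysis on a hypothetical eight-instruction machine: every conditional branch has both outcomes forced, and every instruction that touches a watched address is recorded. Direct loads and stores resolve to a "definite" reference; an indirect load through an index register whose contents the analysis no longer knows can only be reported as "possible", which is exactly the index-register and computed-address problem the reply describes. The instruction forms, register names, sample program and addresses are all constructed for this example; loops are handled only by cutting a path when a program counter repeats on it, which is one of several simplifications a real tool could not afford.

```python
"""Toy path-enumerating reference finder for a constructed instruction set.

The instruction forms, sample program and addresses are hypothetical; none
of this is taken from a real architecture or an existing tool.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Hypothetical instruction forms:
#   ("SET",   reg, imm)    reg <- imm
#   ("ADDI",  reg, imm)    reg <- reg + imm
#   ("LOAD",  reg, addr)   reg <- mem[addr]     (direct data reference)
#   ("STORE", addr, reg)   mem[addr] <- reg     (direct data reference)
#   ("LOADX", reg, idx)    reg <- mem[idx]      (indirect via index register)
#   ("BR",    target)      conditional branch; both outcomes are explored
#   ("JMP",   target)      unconditional jump
#   ("HALT",)
Program = List[Tuple]


@dataclass(frozen=True)
class Reference:
    pc: int
    kind: str    # "definite": resolved to a watched address
                 # "possible": address came from an untracked register
    detail: str


@dataclass
class Report:
    references: List[Reference]
    paths: int       # complete paths enumerated
    cut_loops: int   # paths cut because a pc repeated on the same path


def analyze(program: Program, watched: Set[int]) -> Report:
    """Walk every path, forcing both outcomes of each BR, and record each
    instruction that references (or may reference) a watched address."""
    found: Dict[Tuple[int, str], Reference] = {}
    paths = cut_loops = 0

    def note(pc: int, kind: str, detail: str) -> None:
        found.setdefault((pc, kind), Reference(pc, kind, detail))

    def walk(pc: int, regs: Dict[str, Optional[int]], on_path: FrozenSet[int]) -> None:
        nonlocal paths, cut_loops
        while True:
            if pc >= len(program):          # fell off the end of the image
                paths += 1
                return
            if pc in on_path:               # back edge: cut the loop here
                cut_loops += 1
                paths += 1
                return
            on_path = on_path | {pc}
            ins = program[pc]
            op = ins[0]
            if op == "SET":
                regs = {**regs, ins[1]: ins[2]}
            elif op == "ADDI":
                cur = regs.get(ins[1])
                regs = {**regs, ins[1]: None if cur is None else cur + ins[2]}
            elif op == "LOAD":
                if ins[2] in watched:
                    note(pc, "definite", f"LOAD from {ins[2]:#x}")
                regs = {**regs, ins[1]: None}   # loaded value is not modelled
            elif op == "STORE":
                if ins[1] in watched:
                    note(pc, "definite", f"STORE to {ins[1]:#x}")
            elif op == "LOADX":
                addr = regs.get(ins[2])
                if addr is None:                # computed address: over-approximate
                    note(pc, "possible", f"LOADX via {ins[2]}, address not tracked")
                elif addr in watched:
                    note(pc, "definite", f"LOADX via {ins[2]} = {addr:#x}")
                regs = {**regs, ins[1]: None}
            elif op == "BR":
                walk(ins[1], regs, on_path)     # taken side, same register state
                pc += 1                         # then continue with fall-through
                continue
            elif op == "JMP":
                pc = ins[1]
                continue
            elif op == "HALT":
                paths += 1
                return
            else:
                raise ValueError(f"unknown op {op!r} at pc {pc}")
            pc += 1

    walk(0, {}, frozenset())
    return Report(sorted(found.values(), key=lambda r: (r.pc, r.kind)), paths, cut_loops)


def branch_chain(n: int) -> Program:
    """n consecutive conditionals: forcing both sides of each gives 2**n paths."""
    return [("BR", i + 1) for i in range(n)] + [("HALT",)]


# Constructed sample image; 0x100 is the watched variable.
SAMPLE_PROGRAM: Program = [
    ("SET", "r1", 0x100),      # 0
    ("BR", 4),                 # 1  both sides explored
    ("LOAD", "r2", 0x100),     # 2  direct reference: definite
    ("JMP", 6),                # 3
    ("LOADX", "r2", "r1"),     # 4  r1 known to be 0x100: definite
    ("ADDI", "r1", 8),         # 5
    ("BR", 9),                 # 6
    ("LOAD", "r3", 0x200),     # 7  not watched
    ("JMP", 11),               # 8
    ("LOAD", "r1", 0x300),     # 9  r1 now holds an unmodelled value
    ("LOADX", "r3", "r1"),     # 10 computed address: only "possible"
    ("STORE", 0x104, "r2"),    # 11 not watched
    ("HALT",),                 # 12
]

if __name__ == "__main__":
    report = analyze(SAMPLE_PROGRAM, {0x100})
    for ref in report.references:
        print(f"pc={ref.pc:<3} {ref.kind:<8} {ref.detail}")
    print(f"{report.paths} paths explored, {report.cut_loops} loops cut")
    print(f"16 conditionals -> {analyze(branch_chain(16), set()).paths} paths")
```

Two things to take from running it: the sample image yields three references, one of which is only "possible" because the index register was overwritten by an unmodelled load at pc 9, and `branch_chain` shows the path count doubling with every conditional, which is why the reply says exhaustive exploration "might as well be infinite" for anything the size of a browser.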