Abstract

Assembly execution trace analysis is an effective approach for discovering potential software vulnerabilities. However, the size of the execution traces and the lack of source code make this a manual, labor-intensive process. Instead of browsing billions of instructions one by one, software security analysts need higher-level information that provides an overview of a program's execution and assists in identifying patterns of interest. The tool we present in this paper, Atlantis, is our trace analysis environment for multi-gigabyte assembly traces, and it contains a number of new features that make it particularly successful in meeting this goal. The contributions of this ongoing work fall into three main categories: a) the ability to efficiently reconstruct and navigate the memory state of a program at any point in a trace; b) the ability to reconstruct and navigate functions and processes; and c) a powerful search facility to query and navigate traces. These contributions are novel not only for Atlantis but also for the field of assembly trace analysis. Software is becoming increasingly complex, and many applications are designed as collaborative systems or modules interacting with each other, which makes the discovery of vulnerabilities extremely difficult. With the novel features we describe in this paper, our tool extends the security analyst's ability to investigate vulnerabilities in real-world large execution traces and can lay the groundwork for supporting trace analysis of interacting programs in the future.
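The first contribution, reconstructing memory state at an arbitrary point in a trace without replaying every instruction from the start, is commonly implemented with periodic checkpoints plus a short replay of the writes that follow the nearest checkpoint. The example below is an added illustration of that idea and of a simple "who wrote this address" query; it is not code from the Atlantis paper or its authors. The trace line format (`<index> <ip> <mnemonic> [W <addr>=<byte>]`) and the sample trace are constructed for the example, and the checkpoint interval is a tunable assumption.

```python
"""Checkpoint-based memory reconstruction over a recorded assembly trace.

Hypothetical, constructed trace format (one event per line):
    <index> <ip-hex> <mnemonic> [W <addr-hex>=<byte-hex>]
Only memory writes matter for state reconstruction, so reads are omitted.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample trace: a call into 0x402000 that clobbers a stack slot.
SAMPLE_TRACE = """\
0 0x401000 push W 0x7ffe0ff8=0x00
1 0x401001 mov
2 0x401003 mov W 0x7ffe0ff0=0x41
3 0x401007 inc W 0x7ffe0ff0=0x42
4 0x40100a call W 0x7ffe0fe8=0x0f
5 0x402000 mov W 0x7ffe0ff8=0x99
6 0x402003 ret
7 0x40100f mov W 0x7ffe0ff0=0x00
"""


@dataclass
class TraceEvent:
    idx: int                        # position of the instruction in the trace
    ip: int                         # instruction pointer at that position
    mnemonic: str
    write_addr: Optional[int] = None
    write_val: Optional[int] = None


def parse_trace(text: str) -> List[TraceEvent]:
    """Parse the constructed trace format into TraceEvent records."""
    events: List[TraceEvent] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        ev = TraceEvent(int(parts[0]), int(parts[1], 16), parts[2])
        if len(parts) >= 5 and parts[3] == "W":
            addr, val = parts[4].split("=")
            ev.write_addr, ev.write_val = int(addr, 16), int(val, 16)
        events.append(ev)
    return events


class MemoryReconstructor:
    """Snapshot memory every `checkpoint_every` instructions, then answer
    'what did memory look like after instruction N' by replaying at most
    `checkpoint_every` writes from the nearest earlier snapshot."""

    def __init__(self, events: List[TraceEvent], checkpoint_every: int = 3):
        self.events = events
        self.every = checkpoint_every
        # checkpoints[i] = memory state *before* instruction i executes
        self.checkpoints: Dict[int, Dict[int, int]] = {}
        mem: Dict[int, int] = {}
        for i, ev in enumerate(events):
            if i % self.every == 0:
                self.checkpoints[i] = dict(mem)      # copy, not alias
            self._apply(mem, ev)

    @staticmethod
    def _apply(mem: Dict[int, int], ev: TraceEvent) -> None:
        if ev.write_addr is not None:
            mem[ev.write_addr] = ev.write_val

    def memory_at(self, idx: int) -> Dict[int, int]:
        """Memory state after instruction `idx` has executed."""
        base = (idx // self.every) * self.every
        mem = dict(self.checkpoints[base])
        for ev in self.events[base:idx + 1]:
            self._apply(mem, ev)
        return mem

    def memory_at_naive(self, idx: int) -> Dict[int, int]:
        """Full replay from the start; used only to cross-check memory_at."""
        mem: Dict[int, int] = {}
        for ev in self.events[:idx + 1]:
            self._apply(mem, ev)
        return mem

    def writers_of(self, addr: int) -> List[int]:
        """Indices of every instruction that wrote `addr` (a search query)."""
        return [ev.idx for ev in self.events if ev.write_addr == addr]

    def last_writer(self, addr: int, idx: int) -> Optional[int]:
        """Most recent instruction at or before `idx` that wrote `addr`."""
        hits = [i for i in self.writers_of(addr) if i <= idx]
        return hits[-1] if hits else None


if __name__ == "__main__":
    rec = MemoryReconstructor(parse_trace(SAMPLE_TRACE))
    state = rec.memory_at(5)
    print({hex(a): hex(v) for a, v in state.items()})
    print("0x7ffe0ff8 last written by instruction", rec.last_writer(0x7ffe0ff8, 7))
```

The cross-check in `memory_at_naive` is the test an analyst would run once on a real trace before trusting the checkpointed path; on multi-gigabyte traces the interval trades snapshot storage against replay latency, and the navigation question "which instruction last wrote this address" becomes a lookup over the write index rather than a scan.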
