Reachability Analysis of Pushdown Systems with an Upper Stack
Pushdown systems (PDSs) are a natural model for sequential programs, but they can fail to accurately represent the way an assembly stack actually operates. Indeed, one may want to access the part of the memory that is below the current stack or base pointer, hence the need for a model that keeps track of this part of the memory. To this end, we introduce pushdown systems with an upper stack (UPDSs), an extension of PDSs where symbols popped from the stack are not destroyed but instead remain just above its top, and may be overwritten by later push rules. We prove that the sets of successors \(post^*\) and predecessors \(pre^*\) of a regular set of configurations of such a system are not always regular, but that \(post^*\) is context-sensitive, so that we can decide whether a single configuration is forward reachable or not. In order to underapproximate \(pre^*\) in a regular fashion, we consider a bounded-phase analysis of UPDSs, where a phase is a part of a run during which either push or pop rules are forbidden. We then present a method to overapproximate \(post^*\) that relies on regular abstractions of runs of UPDSs. Finally, we show how these approximations can be used to detect stack overflows and stack pointer manipulations with malicious intent.
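The UPDS semantics sketched above, as an added Python example that is not code from the paper: pop rules move the popped symbol into an upper stack, push rules overwrite the cell adjacent to the top, and a bounded-depth forward exploration underapproximates \(post^*\) (it can confirm reachability of a single configuration but cannot refute it). The rule format with right-hand sides of length 0, 1 or 2, the tuple encoding of configurations and the sample system are assumptions made here.

```python
from collections import deque

# Added example, not from the paper. Assumed rule format:
#   rules[(state, top)] = [(new_state, word), ...], len(word) in {0, 1, 2}.
# A configuration is (state, lower, upper): `lower` is the ordinary stack,
# top at index 0; `upper` is the memory just above the top, adjacent cell first.

def step(rules, config):
    """Configurations reachable from `config` by one rule application."""
    state, lower, upper = config
    if not lower:
        return set()
    top, rest = lower[0], lower[1:]
    succ = set()
    for new_state, word in rules.get((state, top), []):
        if len(word) == 0:        # pop: the symbol survives just above the new top
            succ.add((new_state, rest, (top,) + upper))
        elif len(word) == 1:      # switch: replace the top, upper stack untouched
            succ.add((new_state, (word[0],) + rest, upper))
        else:                     # push: the new top reclaims the adjacent cell,
            succ.add((new_state, word + rest, upper[1:]))  # overwriting its symbol
    return succ

def bounded_post(rules, init, max_steps):
    """Configurations reachable in at most max_steps applications: a finite
    underapproximation of post*, which need not be regular for a UPDS."""
    seen, frontier = {init}, deque([(init, 0)])
    while frontier:
        config, depth = frontier.popleft()
        if depth == max_steps:
            continue
        for nxt in step(rules, config):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, depth + 1))
    return seen

def reachable(rules, init, target, max_steps):
    """True if target is found within max_steps; False does not prove unreachability."""
    return target in bounded_post(rules, init, max_steps)

# Constructed system: popping 'a' leaves it above the top, where a later pop
# keeps it but a push destroys it.
RULES = {
    ("p", "a"): [("p", ())],                          # pop
    ("p", "b"): [("q", ()), ("r", ("c", "b"))],       # pop, or push c
    ("r", "c"): [("r", ("d",))],                      # switch
}
INIT = ("p", ("a", "b"), ())
```

With `RULES` and `INIT`, the popped `a` is still visible in the upper stack after the second pop, but the push of `c` overwrites it, so the configuration with `c` on top and `a` above it is never produced.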
Keywords: Pushdown systems, Reachability analysis, Stack pointer, Finite automata