Using Logic Programming to Recover C++ Classes and Methods from Compiled Executables

Title: Using Logic Programming to Recover C++ Classes and Methods from Compiled Executables
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Schwartz, Edward J.; Cohen, Cory F.; Duggan, Michael; Gennari, Jeffrey; Havrilla, Jeffrey S.; Hines, Charles
Conference Name: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-5693-0
Keywords: Automated Secure Software Engineering, Binary Analysis, composability, malware analysis, pubcrawl, Resiliency, software reverse engineering
Abstract: High-level C++ source code abstractions such as classes and methods greatly assist human analysts and automated algorithms alike when analyzing C++ programs. Unfortunately, these abstractions are lost when compiling C++ source code, which impedes the understanding of C++ executables. In this paper, we propose a system, OOAnalyzer, that uses an innovative new design to statically recover detailed C++ abstractions from executables in a scalable manner. OOAnalyzer's design is motivated by the observation that many human analysts reason about C++ programs by recognizing simple patterns in binary code and then combining these findings using logical inference, domain knowledge, and intuition. We codify this approach by combining a lightweight symbolic analysis with a flexible Prolog-based reasoning system. Unlike most existing work, OOAnalyzer is able to recover both polymorphic and non-polymorphic C++ classes. We show in our evaluation that OOAnalyzer assigns over 78% of methods to the correct class on our test corpus, which includes both malware and real-world software such as Firefox and MySQL. These recovered abstractions can help analysts understand the behavior of C++ malware and cleanware, and can also improve the precision of program analyses on C++ executables.
URL: http://doi.acm.org/10.1145/3243734.3243793
DOI: 10.1145/3243734.3243793
Citation Key: schwartz_using_2018