Using Logic Programming to Recover C++ Classes and Methods from Compiled Executables

Download: Paper, PDF Slides, PPTX Slides, Video.

“Using Logic Programming to Recover C++ Classes and Methods from Compiled Executables” by Edward J. Schwartz, Cory F. Cohen, Michael Duggan, Jeffrey Gennari, Jeffrey S. Havrilla, and Charles Hines. In Proceedings of the ACM Conference on Computer and Communications Security, 2018.

Abstract

High-level C++ source code abstractions such as classes and methods greatly assist human analysts and automated algorithms alike when analyzing C++ programs. Unfortunately, these abstractions are lost when compiling C++ source code, which impedes the understanding of C++ executables. In this paper, we propose a system, OOAnalyzer, that uses an innovative new design to statically recover detailed C++ abstractions from executables in a scalable manner.

OOAnalyzer's design is motivated by the observation that many human analysts reason about C++ programs by recognizing simple patterns in binary code and then combining these findings using logical inference, domain knowledge, and intuition. We codify this approach by combining a lightweight symbolic analysis with a flexible Prolog-based reasoning system. Unlike most existing work, OOAnalyzer is able to recover both polymorphic and non-polymorphic C++ classes. We show in our evaluation that OOAnalyzer assigns over 78% of methods to the correct class on our test corpus, which includes both malware and real-world software such as Firefox and MySQL. These recovered abstractions can help analysts understand the behavior of C++ malware and cleanware, and can also improve the precision of program analyses on C++ executables.
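As an added illustration of the approach the abstract describes (low-level findings about methods combined by logical inference into class assignments), here is a small forward-chaining reasoner written in Python rather than Prolog. It is not OOAnalyzer's code; the method names, vtable labels and the three rules are assumptions constructed for the example.

```python
"""Toy reasoner: merge methods into classes from simple binary-level facts.

Constructed sample facts (hypothetical names, not from any real binary):
  thisptr_call(caller, callee): caller passes its own this-pointer to callee
  installs_vtable(method, vtable): method stores vtable at object offset 0
  vtable_entry(vtable, method): method's address appears in the vtable
"""
THISPTR_CALLS = [("A_ctor", "A_init"), ("A_init", "A_helper"), ("B_ctor", "B_reset")]
VTABLE_WRITES = [("A_ctor", "vt_A"), ("B_ctor", "vt_B")]
VTABLE_ENTRIES = [("vt_A", "A_virt1"), ("vt_B", "B_virt1")]


def recover_classes(thisptr_calls, vtable_writes, vtable_entries):
    """Return a set of frozensets; each frozenset is one recovered class.

    Union-find over method names: every rule is 'these two methods belong
    to the same class', so applying a rule means merging two sets.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    # Rule 1 (assumed): a method that passes its this-pointer to a callee
    # shares a class with that callee.
    for caller, callee in thisptr_calls:
        union(caller, callee)
    # Rule 2 (assumed): methods that install the same vtable share a class.
    vt_owner = {}
    for method, vt in vtable_writes:
        vt_owner.setdefault(vt, method)
        union(method, vt_owner[vt])
    # Rule 3 (assumed): every method listed in an owned vtable belongs to
    # the class of the method that installs it.
    for vt, method in vtable_entries:
        if vt in vt_owner:
            union(method, vt_owner[vt])
    groups = {}
    for m in list(parent):
        groups.setdefault(find(m), set()).add(m)
    return {frozenset(g) for g in groups.values()}


if __name__ == "__main__":
    for cls in recover_classes(THISPTR_CALLS, VTABLE_WRITES, VTABLE_ENTRIES):
        print(sorted(cls))
```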


BibTeX entry:

@inproceedings{schwartz:2018:ooanalyzer,
  author    = {Edward J. Schwartz and Cory F. Cohen and Michael Duggan and
               Jeffrey Gennari and Jeffrey S. Havrilla and Charles Hines},
  title     = {Using Logic Programming to Recover {C++} Classes and Methods
               from Compiled Executables},
  booktitle = {Proceedings of the {ACM} Conference on Computer and
               Communications Security},
  year      = {2018}
}
