Wesley Jin
ABSTRACT
Object-oriented programming complicates the already difficult task of reverse engineering software, and is being used increasingly by malware authors. Unlike traditional procedural-style code, reverse engineers must understand the complex interactions between object-oriented methods and the shared data structures with which they operate on, a tedious manual process.
In this paper, we present a static approach that uses symbolic execution and inter-procedural data flow analysis to discover object instances, data members, and methods of a common class. The key idea behind our work is to track the propagation and usage of a unique object instance reference, called a this pointer. Our goal is to help malware reverse engineers to understand how classes are laid out and to identify their methods. We have implemented our approach in a tool called ObJDIGGER, which produced encouraging results when validated on real-world malware samples.
- Aris Adamantiadis. Reversing C++ programs with IDA pro and and Hey-rays. http://blog.0xbadc0de.be/archives/67.Google Scholar
- Gogul Balakrishnan and Thomas Reps. Divine: discovering variables in executables. In Proceedings of the 8th international conference on Verification, model checking, and abstract interpretation, VMCAI'07, pages 1--28, Berlin, Heidelberg, 2007. Springer-Verlag. Google ScholarDigital Library
- Keith D. Cooper, Timothy J. Harvey, and Ken Kennedy. Iterative data-flow analysis, revisited. Technical report, Rice University, 2004.Google Scholar
- David Dewey and Jonathon T. Giffin. Static detection of C++ vtable escape vulnerabilities in binary code. In Proceedings of the 19th Annual Network and Distributed System Security Symposium, NDSS'12, http://www.internetsociety.org/static-detection-c-vtable-escape-vulnerabilitiesbinary-code, 2012.Google Scholar
- Agner Fog, Technical University of Denmark. Calling conventions for different C++ compilers and operating systems. http://www.agner.org/optimize/calling_conventions.pdf, pages 16--17, Last Updated 04-09-2013.Google Scholar
- Alexander Fokin, Katerina Troshina, and Alexander Chernov. Reconstruction of Class Hierarchies for Decompilation of C++ Programs. In Proceedings of the 14th European Conference on Software Maintenance and Reengineering (CSMR'10), IEEE, pages 240--243, 2010. Google ScholarDigital Library
- Alexander Fokin, Egor Derevenetc, Alexander Chernov, and Katerina Troshina. SmartDec: Approaching C++ Decompilation. In Proceedings of the 18th Working Conference on Reverse Engineering, WCRE'11, pages 347--356, 2011. Google ScholarDigital Library
- Jan Gray. C++: Under the Hood. http://www.openrce.org/articles/files/jangrayhood.pdf, 1994.Google Scholar
- S. Horwitz, T. Reps, and D. Binkley. Interprocedural Slicing Using Dependence Graphs. In Proceedings of the ACM SIGPLAN 1988 Conference on Programming Language Design and Implementation (PLDI'88), pages 35--46, 1988. Google ScholarDigital Library
- Harold Johnson. Data flow analysis for `intractable' system software. In SIGPLAN Symposium on Compiler Construction, pages 109--117, 1986. Google ScholarDigital Library
- James C. King. Symbolic Execution and Program Testing. Communications of the ACM (CACM), 19(7), July 1976. Google ScholarDigital Library
- Ákos Kiss, Judit Jász, and Tibor Gyimóthy. Using dynamic information in the interprocedural static slicing of binary executables. Software Quality Control, 13(3):227--245, September 2005. Google ScholarDigital Library
- JongHyup Lee, Thanassis Avgerinos, and David Brumley. Tie: Principled reverse engineering of types in binary programs. In NDSS. The Internet Society, 2011.Google Scholar
- Z. Lin, X. Zhang, and D. Xu. Automatic Reverse Engineering of Data Structures from Binary Execution. In Proceedings of the Network and Distributed System Security Symposium (NDSS'2010), March 2010.Google Scholar
- Dan Quinlan. ROSE: Compiler support for object-oriented frameworks. In Parallel Processing Letters 10, no. 02n03, pages 215--226. 2000.Google Scholar
- G. Ramalingam, John Field, and Frank Tip. Aggregate structure identification and its application to program analysis. In Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, POPL '99, pages 119--132, New York, NY, USA, 1999. ACM. Google ScholarDigital Library
- ROSE website. http://www.rosecompiler.org.Google Scholar
- Paul Vincent Sabanal and Mark Vincent Yason. Reversing C++. http://www.blackhat.com/presentations/bh-dc-07/Sabanal_Yason/Paper/bh-\dc-07-Sabanal_Yason-WP.pdf.Google Scholar
- Asia Slowinska, Traian Stancescu, and Herbert Bos. Dde: dynamic data structure excavation. In Proceedings of the first ACM asia-pacific workshop on Workshop on systems, APSys '10, pages 13--18, New York, NY, USA, 2010. ACM. Google ScholarDigital Library
- V.K. Srinivasan and T. Reps. Software Architecture Recovery from Machine Code. Technical Report TR1781, University of Wisconsin - Madison, March 2013. http://digital.library.wisc.edu/1793/65091.Google Scholar
- Jens Tröger, and Cristina Cifuentes. Analysis of Virtual Method Invocation for Binary Translation. In Proceedings of the 9th Working Conference on Reverse Engineering (WCRE '02), IEEE Computer Society, pages 65--, 2002. Google ScholarDigital Library
Index Terms
- Recovering C++ Objects From Binaries Using Inter-Procedural Data-Flow Analysis
Recommendations
Inter-procedural data-flow analysis with IFDS/IDE and Soot
SOAP '12: Proceedings of the ACM SIGPLAN International Workshop on State of the Art in Java Program analysisThe IFDS and IDE frameworks by Reps, Horwitz and Sagiv are two general frameworks for the inter-procedural analysis of data-flow problems with distributive flow functions over finite domains. Many data-flow problems do have distributive flow functions ...
Context-, flow-, and field-sensitive data-flow analysis using synchronized Pushdown systems
Precise static analyses are context-, field- and flow-sensitive. Context- and field-sensitivity are both expressible as context-free language (CFL) reachability problems. Solving both CFL problems along the same data-flow path is undecidable, which is ...
Interprocedural data flow analysis in Soot using value contexts
SOAP '13: Proceedings of the 2nd ACM SIGPLAN International Workshop on State Of the Art in Java Program analysisAn interprocedural analysis is precise if it is flow sensitive and fully context-sensitive even in the presence of recursion. Many methods of interprocedural analysis sacrifice precision for scalability while some are precise but limited to only a ...
Comments