skip to main content
research-article

Statistical Reconstruction of Class Hierarchies in Binaries

Authors Info & Claims
Published:19 March 2018Publication History
Skip Abstract Section

Abstract

We address a fundamental problem in reverse engineering of object-oriented code: the reconstruction of a program's class hierarchy from its stripped binary. Existing approaches rely heavily on structural information that is not always available, e.g., calls to parent constructors. As a result, these approaches often leave gaps in the hierarchies they construct, or fail to construct them altogether. Our main insight is that behavioral information can be used to infer subclass/superclass relations, supplementing any missing structural information. Thus, we propose the first statistical approach for static reconstruction of class hierarchies based on behavioral similarity. We capture the behavior of each type using a statistical language model (SLM), define a metric for pairwise similarity between types based on the Kullback-Leibler divergence between their SLMs, and lift it to determine the most likely class hierarchy. We implemented our approach in a tool called ROCK and used it to automatically reconstruct the class hierarchies of several real-world stripped C++ binaries. Our results demonstrate that ROCK obtained significantly more accurate class hierarchies than those obtained using structural analysis alone.

References

  1. Mart'ın Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. Control-flow integrity. In Proceedings of the Conference on Computer and Communications Security, 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  2. Wolfram Amme, Peter Braun, Franccois Thomasset, and Eberhard Zehendner. Data dependence analysis of assembly code. normalfont In International Journal Parallel Programming, 2000. Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. Gogul Balakrishnan and Thomas Reps. Divine: Discovering variables in executables. In Proceedings of the International Conference on Verification, Model Checking, and Abstract Interpretation, 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. Gogul Balakrishnan and Thomas Reps. WYSINWYX: What you see is not what you execute. normalfont In ACM Transactions on Programming Languages and Systems, 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. Thomas Ball, Ella Bounimova, Byron Cook, Vladimir Levin, Jakob Lichtenberg, Con McGarvey, Bohus Ondrusek, Sriram K. Rajamani, and Abdullah Ustuner. Thorough static analysis of device drivers. In Proceedings of the ACM SIGOPS/EuroSys European Conference on Computer Systems, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. Tiffany Bao, Jonathan Burket, Maverick Woo, Rafael Turner, and David Brumley. Byteweight: Learning to recognize functions in binary code. In USENIX Security Symposium, 2014. Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. J. Bergeron, Mourad Debbabi, M. M. Erhioui, and Béchir Ktari. Static analysis of binary code to isolate malicious behaviors. In Proceedings of the Workshop on Enabling Technologies on Infrastructure for Collaborative Enterprises, 1999. Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. David Brumley, Ivan Jager, Thanassis Avgerinos, and Edward J. Schwartz. Bap: A binary analysis platform. In Proceedings of the International Conference on Computer Aided Verification, 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. Juan Caballero and Zhiqiang Lin. Type inference on executables. normalfont In ACM Computing Surveys, 2016. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. John A Capra and Mona Singh. Predicting functionally important residues from sequence conservation. normalfont In Bioinformatics, 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. Stanley F Chen and Joshua Goodman. An empirical study of smoothing techniques for language modeling. In Proceedings of the Annual Meeting on Association for Computational Linguistics, 1996. Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. John G Cleary and Ian H Witten. Data compression using adaptive coding and partial string matching. normalfont In IEEE Transactions on Communications, 1984.Google ScholarGoogle Scholar
  13. Yaniv David and Eran Yahav. Tracelet-based code search in executables. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation, 2014. Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. Saumya Debray, Robert Muth, and Matthew Weippert. Alias analysis of executable code. In Proceedings of the ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, 1998. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. Jack Edmonds. Optimum branchings. Journal of Research of the National Bureau of Standards B, 1967.Google ScholarGoogle ScholarCross RefCross Ref
  16. Ran El-Yaniv, Shai Fine, and Naftali Tishby. Agnostic classification of markovian sequences. In Proceedings of the Conference on Advances in Neural Information Processing Systems, 1998. Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. Alexander Fokin, Egor Derevenetc, Alexander Chernov, and Katerina Troshina. Smartdec: Approaching cGoogle ScholarGoogle Scholar
  18. decompilation. In Proceedings of the Working Conference on Reverse Engineering, 2011.Google ScholarGoogle Scholar
  19. Matthew Fredrikson, Mihai Christodorescu, and Somesh Jha. Dynamic behavior matching: A complexity analysis and new approximation algorithms. In Proceedings of the International Conference on Automated Deduction, 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. Denis Gopan, Evan Driscoll, Ducson Nguyen, Dimitri Naydich, Alexey Loginov, and David Melski. Data-delineation in software binaries and its application to buffer-overrun discovery. In Proceedings of the International Conference on Software Engineering, 2015. Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. S. Jha, K. Tan, and R.A. Maxion. Markov chains, classifiers, and intrusion detection. In Proceedings of the IEEE workshop on Computer Security Foundations, 2001. Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. Omer Katz, Ran El-Yaniv, and Eran Yahav. Estimating types in binaries using predictive modeling. In Proceedings of the Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, 2016. Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. Slava M Katz. Estimation of probabilities from sparse data for the language model component of a speech recognizer. normalfont In IEEE Transactions on Acoustics, Speech, and Signal Processing, 1987.Google ScholarGoogle Scholar
  24. S. Kullback and R. A. Leibler. On information and sufficiency. In The Annals of Mathematical Statistics, 1951.Google ScholarGoogle ScholarCross RefCross Ref
  25. Magnus Madsen, Benjamin Livshits, and Michael Fanning. Practical static analysis of javascript applications in the presence of frameworks and libraries. In Proceedings of the Joint Meeting on Foundations of Software Engineering, 2013. Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. Geoffrey Mazeroff, Jens Gregor, Michael Thomason, and Richard Ford. Probabilistic suffix models for API sequence analysis of windows XP applications. In Pattern Recognition, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. Microsoft Corporation. Skype. https://www.skype.com/en/.Google ScholarGoogle Scholar
  28. Microsoft Corporation. Visual studio. https://www.visualstudio.com.Google ScholarGoogle Scholar
  29. Alon Mishne, Sharon Shoham, and Eran Yahav. Typestate-based semantic code search over partial programs. In Proceedings of the ACM International Conference on Object Oriented Programming Systems Languages and Applications, 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. Alistair Moffat. Implementing the ppm data compression scheme. In IEEE Transactions on Communications, 1990.Google ScholarGoogle ScholarCross RefCross Ref
  31. Andre Pawlowski, Moritz Contag, Victor van der Veen, Chris Ouwehand, Thorsten Holz, Herbert Bos, Elias Athanasopoulos, and Cristiano Giuffrida. MARX: Uncovering Class Hierarchies in CGoogle ScholarGoogle Scholar
  32. Programs. In Network and Distributed System Security Symposium, 2017.Google ScholarGoogle Scholar
  33. Mario Polino, Andrea Scorti, Federico Maggi, and Stefano Zanero. Jackdaw: Towards automatic reverse engineering of large datasets of binaries. In Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, 2015. Google ScholarGoogle ScholarDigital LibraryDigital Library
  34. Mila Dalla Preda, Mihai Christodorescu, Somesh Jha, and Saumya Debray. A semantics-based approach to malware detection. In Proceedings of the Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  35. Veselin Raychev, Martin Vechev, and Andreas Krause. Predicting program properties from "big code". In Proceedings of the Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, 2015. Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. Veselin Raychev, Martin Vechev, and Eran Yahav. Code completion with statistical language models. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation, 2014. Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. Thomas Reps and Gogul Balakrishnan. Improved memory-access analysis for x86 executables. In Proceedings of the International Conference on Compiler construction, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  38. Thomas Reps, Gogul Balakrishnan, and Junghee Lim. Intermediate-representation recovery from low-level code. In Proceedings of the ACM SIGPLAN Symposium on Partial Evaluation and Semantics-based Program Manipulation, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  39. Thomas Reps, Gogul Balakrishnan, Junghee Lim, and Tim Teitelbaum. A next-generation platform for analyzing executables. In Proceedings of the Third Asian conference on Programming Languages and Systems, 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  40. Thomas Reps, Junghee Lim, Aditya Thakur, Gogul Balakrishnan, and Akash Lal. There's plenty of room at the bottom: analyzing and verifying machine code. In Proceedings of the International Conference on Computer Aided Verification, 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  41. Ronald Rosenfeld. Two decades of statistical language modeling: Where do we go from here? normalfont In Proceedings of the IEEE, 2000.Google ScholarGoogle Scholar
  42. Paul Vincent Sabanal and Mark Vincent Yason. Reversing c+. In BlackHat USA, 2007.Google ScholarGoogle Scholar
  43. Dominik Schnitzer. Musly: Audio music similarity. http://www.musly.org.Google ScholarGoogle Scholar
  44. Hinrich Schütze and Yoram Singer. Part-of-speech tagging using a variable memory markov model. In Proceedings of the Annual Meeting on Association for Computational Linguistics, 1994. Google ScholarGoogle ScholarDigital LibraryDigital Library
  45. Edward J Schwartz, J Lee, Maverick Woo, and David Brumley. Native x86 decompilation using semantics-preserving structural analysis and iterative control-flow structuring. normalfont In Proceedings of the USENIX Security Symposium, 2013. Google ScholarGoogle ScholarDigital LibraryDigital Library
  46. Venkatesh Srinivasan and Thomas Reps. Recovery of class hierarchies and composition relationships from machine code. In In Proceedings of the International Conference on Compiler construction, 2014.Google ScholarGoogle ScholarCross RefCross Ref
  47. Venkatesh Karthik Srinivasan and Thomas Reps. Software-architecture recovery from machine code*. https://minds.wisconsin.edu/handle/1793/65091, 2013.Google ScholarGoogle Scholar
  48. Stephen Tu. MINO: Data-driven type inference for python. http://people.csail.mit.edu/stephentu/papers/mino.pdf, 2012.Google ScholarGoogle Scholar
  49. Christina Warrender, Stephanie Forrest, and Barak Pearlmutter. Detecting intrusions using system calls: Alternative data models. In Proceedings of the IEEE Symposium on Security and Privacy, 1999.Google ScholarGoogle ScholarCross RefCross Ref
  50. Golan Yona and Michael Levitt. Within the twilight zone: a sensitive profile-profile comparison tool based on information theory. In Journal of Molecular Biology, 2002.Google ScholarGoogle ScholarCross RefCross Ref

Recommendations

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Sign in

Full Access

  • Published in

    cover image ACM SIGPLAN Notices
    ACM SIGPLAN Notices  Volume 53, Issue 2
    ASPLOS '18
    February 2018
    809 pages
    ISSN:0362-1340
    EISSN:1558-1160
    DOI:10.1145/3296957
    Issue’s Table of Contents
    • cover image ACM Conferences
      ASPLOS '18: Proceedings of the Twenty-Third International Conference on Architectural Support for Programming Languages and Operating Systems
      March 2018
      827 pages
      ISBN:9781450349116
      DOI:10.1145/3173162

    Copyright © 2018 ACM

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    • Published: 19 March 2018

    Check for updates

    Qualifiers

    • research-article

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader
About Cookies On This Site

We use cookies to ensure that we give you the best experience on our website.

Learn more

Got it!