search menu icon-carat-right cmu-wordmark

Using Logic Programming to Recover C++ Classes and Methods from Compiled Executables

October 2018 Article
Edward J. Schwartz, Cory Cohen, Michael Duggan, Jeff Gennari, Jeff Havrilla, Chuck Hines

This article describes OOAnalyzer, a system that statically recovers detailed C++ abstractions from executables in a scalable manner.

Publisher:

ACM

Abstract

High-level C++ source code abstractions such as classes and methods greatly assist human analysts and automated algorithms alike when analyzing C++ programs. Unfortunately, these abstractions are lost when compiling C++ source code, which impedes the understanding of C++ executables.

In this article, we propose a system, OOAnalyzer, that uses an innovative new design to statically recover detailed C++ abstractions from executables in a scalable manner. OOAnalyzer's design is motivated by the observation that many human analysts reason about C++ programs by recognizing simple patterns in binary code and then combining these findings using logical inference, domain knowledge, and intuition.

We codify this approach by combining a lightweight symbolic analysis with a flexible Prolog-based reasoning system. Unlike most existing work, OOAnalyzer is able to recover both polymorphic and non-polymorphic C++ classes. We show in our evaluation that OOAnalyzer assigns over 78% of methods to the correct class on our test corpus, which includes both malware and real-world software such as Firefox and MySQL. These recovered abstractions can help analysts understand the behavior of C++ malware and cleanware, and can also improve the precision of program analyses on C++ executables.