Marx: Uncovering Class Hierarchies in C++ Programs - (Evaluation Data)

Evaluation data of the published paper: "MARX: Un­co­ver­ing Class Hier­ar­chies in C++ Pro­grams". The paper was published at the Sym­po­si­um on Net­work and Di­stri­bu­ted Sys­tem Se­cu­ri­ty (NDSS) 2017.

The paper is available at: https://www.syssec.rub.de/research/publications/marx/

Abstract:

Re­ver­se en­gi­nee­ring of bi­na­ry exe­cu­ta­bles is a dif­fi­cult task which gets more in­vol­ved by the way com­pi­lers trans­la­te high-le­vel con­cepts used in pa­ra­digms such as ob­ject-ori­en­ted pro­gramming into na­ti­ve code, as it is the case for C++. Such code is har­der to grasp than, e. g., tra­di­tio­nal pro­ce­du­ral code, since it is ge­ne­ral­ly more ver­bo­se and adds com­ple­xi­ty through fea­tures such as po­ly­mor­phism or in­heri­t­an­ce. Hence, a deep un­der­stan­ding of in­ter­ac­tions bet­ween in­stan­tia­ted ob­jects, their cor­re­spon­ding clas­ses, and the con­nec­tion bet­ween clas­ses would vast­ly re­du­ce the time it takes an ana­lyst to un­der­stand the ap­p­li­ca­ti­on. The grow­th in com­ple­xi­ty in con­tem­pora­ry C++ ap­p­li­ca­ti­ons only am­pli­fies the ef­fect.

In this paper, we in­tro­du­ce Marx, an ana­ly­sis frame­work to re­con­struct class hier­ar­chies of C++ pro­grams and re­sol­ve vir­tu­al call­si­tes. We have eva­lua­ted the re­sults on a di­ver­se set of large, re­al-world ap­p­li­ca­ti­ons. Our ex­pe­ri­men­tal re­sults show that our ap­proach achie­ves a high pre­ci­si­on (93.2% of the hier­ar­chies re­con­struc­ted ac­cu­ra­te­ly for Node.js, 88.4% for MySQL Ser­ver) while ke­eping ana­ly­sis times prac­tical. Fur­ther­mo­re, we show that, de­s­pi­te any impre­ci­si­on in the ana­ly­sis, the de­ri­ved in­for­ma­ti­on can be re­lia­bly used in clas­sic soft­ware se­cu­ri­ty har­de­ning ap­p­li­ca­ti­ons wi­thout brea­king pro­grams. We show­ca­se this pro­per­ty for two ap­p­li­ca­ti­ons built on top of the out­put of our frame­work: vta­ble pro­tec­tion and ty­pe-safe ob­ject reuse. This de­mons­tra­tes that, in ad­di­ti­on to tra­di­tio­nal re­ver­se en­gi­nee­ring ap­p­li­ca­ti­ons, Marx can aid in im­ple­men­ting con­cre­te, va­luable tools e. g., in the do­main of ex­ploit miti­ga­ti­ons.