DeClassifier: Class-Inheritance Inference Engine for Optimized C++ Binaries

TL;DR

DeClassifier is a tool designed to accurately recover class inheritance structures from optimized C++ binaries, overcoming challenges posed by compiler optimizations like inlining, and providing crucial directionality information for security applications.

Contribution

DeClassifier introduces a novel binary analysis approach that effectively infers class inheritance hierarchies, including directionality, in optimized C++ binaries, outperforming existing solutions.

Findings

Achieves 94.5% true positive edges under O0 optimization.

Achieves 71.4% true positive edges under O2 optimization.

Combining constructor and destructor analysis improves inference accuracy.

Abstract

Recovering class inheritance from C++ binaries has several security benefits including problems such as decompilation and program hardening. Thanks to the optimization guidelines prescribed by the C++ standard, commercial C++ binaries tend to be optimized. While state-of-the-art class inheritance inference solutions are effective in dealing with unoptimized code, their efficacy is impeded by optimization. Particularly, constructor inlining--or worse exclusion--due to optimization render class inheritance recovery challenging. Further, while modern solutions such as MARX can successfully group classes within an inheritance sub-tree, they fail to establish directionality of inheritance, which is crucial for security-related applications (e.g. decompilation). We implemented a prototype of DeClassifier using Binary Analysis Platform (BAP) and evaluated DeClassifier against 16 binaries compiled using gcc under multiple optimization settings. We show that (1) DeClassifier can recover 94.5% and 71.4% true positive directed edges in the class hierarchy tree under O0 and O2 optimizations respectively, (2) a combination of ctor+dtor analysis provides much better inference than ctor only analysis.