Meaningful Variable Names for Decompiled Code: A Machine Translation Approach

Size: px

Start display at page:

Download "Meaningful Variable Names for Decompiled Code: A Machine Translation Approach"

Abner Nichols
5 years ago
Views:

1 Meaningful Variable Names for Decompiled Code: A Machine Translation Approach Alan Jaffe, Jeremy Lacomis, Edward J. Schwartz*, Claire Le Goues, and Bogdan Vasilescu *

2 Problem: Obfuscated Variable Names in Code Minified JavaScript: function callback(error, response, body) { if (!error && response.statuscode == 200) { var info = JSON.parse(body); function callback(o, s, a) { if (!o && s.statuscode == 200) { var c = JSON.parse(a); 2

3 Problem: Obfuscated Variable Names in Code Minified JavaScript: function callback(error, response, body) { if (!error && response.statuscode == 200) { var info = JSON.parse(body); function callback(o, s, a) { if (!o && s.statuscode == 200) { var c = JSON.parse(a); 3

4 Problem: Obfuscated Variable Names in Code Minified JavaScript: function callback(error, response, body) { if (!error && response.statuscode == 200) { var info = JSON.parse(body); function callback(o, s, a) { if (!o && s.statuscode == 200) { var c = JSON.parse(a); Decompiled C Code: cp = buf; (void)asxtab(level + 1); for (n = asncontents(asn, buf, 512); n > 0; n--) { printf(" %02X ", *(cp++)); v14 = &v15; asxtab(a2 + 1); for (v13 = asncontents(a1, &v15, 512LL); v13 > 0; --v13) { v9 = (unsignedchar*)(v14++); printf(" %02X ", *v9); 4

5 Problem: Obfuscated Variable Names in Code Minified JavaScript: function callback(error, response, body) { if (!error && response.statuscode == 200) { var info = JSON.parse(body); function callback(o, s, a) { if (!o && s.statuscode == 200) { var c = JSON.parse(a); Decompiled C Code: cp = buf; (void)asxtab(level + 1); for (n = asncontents(asn, buf, 512); n > 0; n--) { printf(" %02X ", *(cp++)); v14 = &v15; asxtab(a2 + 1); for (v13 = asncontents(a1, &v15, 512LL); v13 > 0; --v13) { v9 = (unsignedchar*)(v14++); printf(" %02X ", *v9); 5

6 Problem: Obfuscated Variable Names in Code Minified JavaScript: function callback(error, response, body) { if (!error && response.statuscode == 200) { var info = JSON.parse(body); function callback(o, s, a) { if (!o && s.statuscode == 200) { var c = JSON.parse(a); Software is natural [Hindle et al., 2011]. 6

7 Problem: Obfuscated Variable Names in Code Minified JavaScript: function callback(error, response, body) { if (!error && response.statuscode == 200) { var info = JSON.parse(body); function callback(o, s, a) { if (!o && s.statuscode == 200) { var c = JSON.parse(a); Software is natural [Hindle et al., 2011]. Use large corpora + machine learning to predict better identifier names. Corpora are easy to generate! 7

8 Problem: Obfuscated Variable Names in Code Minified JavaScript: function callback(error, response, body) { if (!error && response.statuscode == 200) { var info = JSON.parse(body); function callback(o, s, a) { if (!o && s.statuscode == 200) { var c = JSON.parse(a); Software is natural [Hindle et al., 2011]. Use large corpora + machine learning to predict better identifier names. Corpora are easy to generate! Bavishi et al., Context2Name, 2017 Vasilescu et al., JSNaughty, 2017 Raychev et al., JSNice,

9 Problem: Obfuscated Variable Names in Code Can we use similar strategies for decompiled code? Decompiled C Code: cp = buf; (void)asxtab(level + 1); for (n = asncontents(asn, buf, 512); n > 0; n--) { printf(" %02X ", *(cp++)); v14 = &v15; asxtab(a2 + 1); for (v13 = asncontents(a1, &v15, 512LL); v13 > 0; --v13) { v9 = (unsignedchar*)(v14++); printf(" %02X ", *v9); 9

10 Statistical Machine Translation (SMT) Noisy channel model 10

11 Statistical Machine Translation (SMT) Noisy channel model English à French: 11

12 Statistical Machine Translation (SMT) Noisy channel model English à French: Go do some research! Va faire de la recherche! 12

13 Statistical Machine Translation (SMT) Noisy channel model English à French: Go do some research! Va faire de la recherche!!"#$!% & ( ) *) 13

14 Statistical Machine Translation (SMT) Noisy channel model English à French: Go do some research! Va faire de la recherche! "#$%"& ' ) + *) ) * +) )(+) = "#$%"& ' )(*) = "#$%"& ' ) * +) )(+) 14

15 Statistical Machine Translation (SMT) Noisy channel model English à French: Go do some research! Va faire de la recherche! "#$%"& ' ) + *) ) * +) )(+) = "#$%"& ' )(*) = "#$%"& ' ) * +) )(+) Translation Model: Probability that f is a translation of e 15

16 Statistical Machine Translation (SMT) Noisy channel model English à French: Go do some research! Va faire de la recherche! "#$%"& ' ) + *) ) * +) )(+) = "#$%"& ' )(*) = "#$%"& ' ) * +) )(+) Language Model: Fluency of e 16

17 Statistical Machine Translation (SMT) Noisy channel model English à French: Go do some research! Va faire de la recherche! "#$%"& ' ) + *) ) * +) )(+) = "#$%"& ' )(*) = "#$%"& ' ) * +) )(+) ) * +): Translation Model )(+): Language Model MOSES SMT: 17

18 SMT Model for Natural Language Aligned French/English corpus English corpus 18

19 SMT Model for Minified JavaScript Aligned original/minified source corpus Original source corpus 19

20 Problem: Obfuscated Identifiers in Code Can we use SMT for decompiled code? Decompiled C Code: cp = buf; (void)asxtab(level + 1); for (n = asncontents(asn, buf, 512); n > 0; n--) { printf(" %02X ", *(cp++)); v14 = &v15; asxtab(a2 + 1); for (v13 = asncontents(a1, &v15, 512LL); v13 > 0; --v13) { v9 = (unsignedchar*)(v14++); printf(" %02X ", *v9); 21

21 SMT Model for Decompiled Code? Aligned original/decompiled source corpus Original source corpus 22

22 SMT Model for Decompiled Code? Nontrivial Aligned original/decompiled source corpus Original source corpus 23

23 Difficulty: Decompilation Changes Structure Original Source int cur = 0; while (cur <= 9) { printf("%d\n", cur); ++cur; return 0; Decompiled Code int v1 = 0; int v2; for (v2 = 0; v2 < 10; ++v2) printf("%d\n", v2); return v1; 24

24 Difficulty: Decompilation Changes Structure 9 Lines Original Source 8 Lines int cur = 0; while (cur <= 9) { printf("%d\n", cur); ++cur; return 0; Decompiled Code int v1 = 0; int v2; for (v2 = 0; v2 < 10; ++v2) printf("%d\n", v2); return v1; Different line count. 25

25 Difficulty: Decompilation Changes Structure Original Source int cur = 0; while (cur <= 9) { printf("%d\n", cur); ++cur; return 0; Decompiled Code int v1 = 0; int v2; for (v2 = 0; v2 < 10; ++v2) printf("%d\n", v2); return v1; Different line count. Different numbers of variables. 26

26 Difficulty: Decompilation Changes Structure Original Source int cur = 0; while (cur <= 9) { printf("%d\n", cur); ++cur; return 0; Decompiled Code int v1 = 0; int v2; for (v2 = 0; v2 < 10; ++v2) printf("%d\n", v2); return v1; Different line count. Different numbers of variables. Different types of loops. 27

27 Decompiled Code Corpus Generation Decompiled Code int v1 = 0; int v2; for (v2 = 0; v2 < 10; ++v2) printf("%d\n", v2); return v1; 28

28 Decompiled Code Corpus Generation Decompiled Code int v1 = 0; int v2; for (v2 = 0; v2 < 10; ++v2) printf("%d\n", v2); return v1; int cur = 0; while (cur <= 9) { printf("%d\n", cur); ++cur; return 0; Original Code 29

29 Decompiled Code Corpus Generation Decompiled Code int v1 = 0; int v2; for (v2 = 0; v2 < 10; ++v2) printf("%d\n", v2); return v1; int cur = 0; while (cur <= 9) { printf("%d\n", cur); ++cur; return 0; Original Code int v1 = 0; int v2; for (v2 = 0; v2 < 10; ++v2) printf("%d\n", v2); return v1; 30

30 Decompiled Code Corpus Generation Decompiled Code int v1 = 0; int v2; for (v2 = 0; v2 < 10; ++v2) printf("%d\n", v2); return v1; int cur = 0; while (cur <= 9) { printf("%d\n", cur); ++cur; return 0; Original Code int v1 = 0; int v2; for (v2 = 0; v2 < 10; ++v2) printf("%d\n", v2); return v1; 31

31 Decompiled Code Corpus Generation Decompiled Code int v1 = 0; int v2; for (v2 = 0; v2 < 10; ++v2) printf("%d\n", v2); return v1; int cur = 0; while (cur <= 9) { printf("%d\n", cur); ++cur; return 0; Original Code int v1 = 0; int ; for ( = 0; < 10; ++ ) printf("%d\n", ); return v1; 32

32 Decompiled Code Corpus Generation Decompiled Code int v1 = 0; int v2; for (v2 = 0; v2 < 10; ++v2) printf("%d\n", v2); return v1; int cur = 0; while (cur <= 9) { printf("%d\n", cur); ++cur; return 0; Original Code int v1 = 0; int cur; for (cur = 0; cur < 10; ++cur) printf("%d\n", cur); return v1; Renamed Decompiled Code 33

33 Better SMT Model for Decompiled Code Aligned renamed/decompiled source corpus Renamed source corpus 36

34 Choosing Renamings Original Code int cur = 0; while (cur <= 9) { printf("%d\n", cur); ++cur; return 0; Decompiled Code int v1 = 0; int v2; for (v2 = 0; v2 < 10; ++v2) printf("%d\n", v2); return v1; 37

35 Choosing Renamings Original Code int cur = 0; while (cur <= 9) { printf("%d\n", cur); ++cur; return 0; Decompiled Code int v1 = 0; int v2; for (v2 = 0; v2 < 10; ++v2) printf("%d\n", v2); return v1; 38

36 Choosing Renamings Original Code int cur = 0; while (cur <= 9) { printf("%d\n", cur); ++cur; return 0; Decompiled Code int v1 = 0; int v2; for (v2 = 0; v2 < 10; ++v2) printf("%d\n", v2); return v1; Not used as the return value. 39

37 Choosing Renamings Original Code int cur = 0; while (cur <= 9) { printf("%d\n", cur); ++cur; return 0; Decompiled Code int v1 = 0; int v2; for (v2 = 0; v2 < 10; ++v2) printf("%d\n", v2); return v1; Not used as the return value. Used inside of a loop. 40

38 Choosing Renamings Original Code int cur = 0; while (cur <= 9) { printf("%d\n", cur); ++cur; return 0; Decompiled Code int v1 = 0; int v2; for (v2 = 0; v2 < 10; ++v2) printf("%d\n", v2); return v1; Not used as the return value. Used inside of a loop. Used in a function call. 41

39 Choosing Renamings Original Code int cur = 0; while (cur <= 9) { printf("%d\n", cur); ++cur; return 0; Decompiled Code int v1 = 0; int v2; for (v2 = 0; v2 < 10; ++v2) printf("%d\n", v2); return v1; Not used as the return value. Used inside of a loop. Used in a function call. Same operations. 42

40 Choosing Renamings Original Code int cur = 0; while (cur <= 9) { printf("%d\n", cur); ++cur; return 0; Decompiled Code int v1 = 0; int ; for ( = 0; < 10; ++ ) printf("%d\n", ); return v1; Not used as the return value. Used inside of a loop. Used in a function call. Same operations. 43

41 Choosing Renamings Original Code int cur = 0; while (cur <= 9) { printf("%d\n", cur); ++cur; return 0; Decompiled Code int v1 = 0; int cur; for (cur = 0; cur < 10; ++cur) printf("%d\n", cur); return v1; Not used as the return value. Used inside of a loop. Used in a function call. Same operations. 44

42 System Architecture 45

43 Results and Evaluation Original my_rc base2_string(base2_handle base2_h, char* buffer, size_t buffer_size) 46

44 Results and Evaluation Original my_rc base2_string(base2_handle base2_h, char* buffer, size_t buffer_size) Decompiled my_rc base2_string(base2_handle a1, char* a2, size_t a3) 47

45 Results and Evaluation Original my_rc base2_string(base2_handle base2_h, char* buffer, size_t buffer_size) Decompiled my_rc base2_string(base2_handle a1, char* a2, size_t a3) Renamed Decompiled my_rc base2_string(base2_handle base2_h, char* buf, size_t len) 48

46 Results and Evaluation Original my_rc base2_string(base2_handle base2_h, char* buffer, size_t buffer_size) Renamed Decompiled my_rc base2_string(base2_handle base2_h, char* buf, size_t len) 49

47 Results and Evaluation Original my_rc base2_string(base2_handle base2_h, char* buffer, size_t buffer_size) Renamed Decompiled my_rc base2_string(base2_handle base2_h, char* buf, size_t len) Exact 50

48 Results and Evaluation Original my_rc base2_string(base2_handle base2_h, char* buffer, size_t buffer_size) Renamed Decompiled my_rc base2_string(base2_handle base2_h, char* buf, size_t len) Approx 51

49 Results and Evaluation Original my_rc base2_string(base2_handle base2_h, char* buffer, size_t buffer_size) Renamed Decompiled Not a match my_rc base2_string(base2_handle base2_h, char* buf, size_t len) 52

50 Results and Evaluation Original my_rc base2_string(base2_handle base2_h, char* buffer, size_t buffer_size) Renamed Decompiled my_rc base2_string(base2_handle base2_h, char* buf, size_t len) 12.7% Exact 16.2% Exact + Approx 53

51 Results and Evaluation Original my_rc base2_string(base2_handle base2_h, char* buffer, size_t buffer_size) Renamed Decompiled Not a match my_rc base2_string(base2_handle base2_h, char* buf, size_t len) 12.7% Exact 16.2% Exact + Approx 54

52 Results and Evaluation Original my_rc base2_string(base2_handle base2_h, char* buffer, size_t buffer_size) Decompiled my_rc base2_string(base2_handle a1, char* a2, size_t a3) Renamed Decompiled my_rc base2_string(base2_handle base2_h, char* buf, size_t len) 12.7% Exact 16.2% Exact + Approx 55

53 Preliminary Investigation: Human Study Presented users with short snippets (<50 lines) of decompiled code, asked to perform various maintenance tasks, graded and timed: 56

54 Preliminary Investigation: Human Study Presented users with short snippets (<50 lines) of decompiled code, asked to perform various maintenance tasks, graded and timed: 1 int x = 1; 2 int y = 0; 3 while (x <= 5) { 4 y += 2; 5 x += 1; 6 7 printf("%d", y); - What is the value of the variable y on line 7? 57

55 Preliminary Investigation: Human Study Presented users with short snippets (<50 lines) of decompiled code, asked to perform various maintenance tasks, graded and timed: 1 int x = 1; 2 int y = 0; 3 while (x <= 5) { 4 y += 2; 5 x += 1; 6 7 printf("%d", y); - What is the value of the variable y on line 7? For correct answers, the time to answer using our renamings was statistically significantly lower than when using the decompiler names. 58

56 Conclusion Questions? Suggestions? System Architecture 45 59

Meaningful Variable Names for Decompiled Code: A Machine Translation Approach

Meaningful Variable Names for Decompiled Code: A Machine Translation Approach A Machine Translation Approach Alan Jaffe Carnegie Mellon University apjaffe@andrew.cmu.edu Jeremy Lacomis Carnegie Mellon University jlacomis@cmu.edu Edward J. Schwartz Carnegie Mellon University Software