Advertisement

On Efficiency and Effectiveness of Linear Function Detection Approaches for Memory Carving

  • Lorenz LieblerEmail author
  • Harald Baier
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 259)

Abstract

In the field of unstructured memory analysis, the context-unaware detection of function boundaries leads to meaningful insights. For instance, in the field of binary analysis, those structures yield further inference, e.g., identifying binaries known to be bad. However, recent publications discuss different strategies for the problem of function boundary detection and consider it to be a difficult problem. One of the reasons is that the detection process depends on a quantity of parameters including the used architecture, programming language and compiler parameters. Initially a typical memory carving approach transfers the paradigm of signature-based detection techniques from the mass storage analysis to memory analysis. To automate and generalise the signature matching, signature-based recognition approaches have been extended by machine learning algorithms. Recently a review of function detection approaches claims that the results are possibly biased by large portions of shared code between the used samples. In this work we reassess the application of recently discussed machine learning based function detection approaches. We analyse current approaches in the context of memory carving with respect to both their efficiency and their effectiveness. We show the capabilities of function start identification by reducing the features to vectorised mnemonics. In all this leads to a significant reduction of runtime by keeping a high value of accuracy and a good value of recall.

Keywords

Memory forensics Carving Disassembly Binary analysis 

Notes

Acknowledgement

This work was supported by the German Federal Ministry of Education and Research (BMBF) as well as by the Hessen State Ministry for Higher Education, Research and the Arts (HMWK) within CRISP (www.crisp-da.de).

References

  1. 1.
    Andriesse, D., Chen, X., van der Veen, V., Slowinska, A., Bos, H.: An in-depth analysis of disassembly on full-scale x86/x64 binaries. In: USENIX Security Symposium (2016)Google Scholar
  2. 2.
    Andriesse, D., Slowinska, A., Bos, H.: Compiler-agnostic function detection in binaries. In: IEEE European Symposium on Security and Privacy (2017)Google Scholar
  3. 3.
    Bao, T., Burket, J., Woo, M., Turner, R., Brumley, D.: Byteweight: learning to recognize functions in binary code. In: USENIX (2014)Google Scholar
  4. 4.
    Eagle, C.: The IDA Pro Book: The Unofficial Guide to the World’s Most Popular Disassembler. No Starch Press, San Francisco (2008). ISBN 1593271786, 9781593271787Google Scholar
  5. 5.
    Gers, F.A., Schmidhuber, J., Cummins, F.: Learning to Forget: Continual Prediction with LSTM (1999)Google Scholar
  6. 6.
    Guilfanov, I.: IDA Fast Library Identification and Recognition Technology (Flirt Technology): In-depth (2012)Google Scholar
  7. 7.
    Hinton, G.E., Srivastava, N., Krizhevsky, A., Sutskever, I., Salakhutdinov, R.R.: Improving neural networks by preventing co-adaptation of feature detectors. arXiv preprint arXiv:1207.0580 (2012)
  8. 8.
    Hochreiter, S., Schmidhuber, J.: Long short-term memory. Neural Comput. 9(8), 1735–1780 (1997)CrossRefGoogle Scholar
  9. 9.
    Jin, W., et al.: Binary function clustering using semantic hashes. In: 2012 11th International Conference on Machine Learning and Applications (ICMLA), vol. 1, pp. 386–391. IEEE (2012)Google Scholar
  10. 10.
    Liebler, L., Baier, H.: Approxis: a fast, robust, lightweight and approximate disassembler considered in the field of memory forensics. In: Matoušek, P., Schmiedecker, M. (eds.) ICDF2C 2017. LNICST, vol. 216, pp. 158–172. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-73697-6_12CrossRefGoogle Scholar
  11. 11.
    Ligh, M.H., Case, A., Levy, J., Walters, A.: The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Wiley, US (2014)Google Scholar
  12. 12.
    Lipton, Z.C., Berkowitz, J., Elkan, C.: A critical review of recurrent neural networks for sequence learning. arXiv preprint arXiv:1506.00019 (2015)
  13. 13.
    Potchik, B.: Architecture agnostic function detection in binaries. https://binary.ninja/2017/11/06/architecture-agnostic-function-detection-in-binaries.html
  14. 14.
    Shin, E.C.R., Song, D., Moazzezi, R.: Recognizing functions in binaries with neural networks. In: USENIX Security Symposium, pp. 611–626 (2015)Google Scholar

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2019

Authors and Affiliations

  1. 1.da/sec - Biometrics and Internet Security Research GroupUniversity of Applied SciencesDarmstadtGermany

Personalised recommendations