Abstract
In the field of unstructured memory analysis, the context-unaware detection of function boundaries leads to meaningful insights. For instance, in the field of binary analysis, those structures yield further inference, e.g., identifying binaries known to be bad. However, recent publications discuss different strategies for the problem of function boundary detection and consider it to be a difficult problem. One of the reasons is that the detection process depends on a quantity of parameters including the used architecture, programming language and compiler parameters. Initially a typical memory carving approach transfers the paradigm of signature-based detection techniques from the mass storage analysis to memory analysis. To automate and generalise the signature matching, signature-based recognition approaches have been extended by machine learning algorithms. Recently a review of function detection approaches claims that the results are possibly biased by large portions of shared code between the used samples. In this work we reassess the application of recently discussed machine learning based function detection approaches. We analyse current approaches in the context of memory carving with respect to both their efficiency and their effectiveness. We show the capabilities of function start identification by reducing the features to vectorised mnemonics. In all this leads to a significant reduction of runtime by keeping a high value of accuracy and a good value of recall.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
https://github.com/BinaryAnalysisPlatform/bap (last access 2018-04).
- 2.
https://binary.ninja/ (last access 2018-04).
- 3.
https://github.com/Vector35/function_detection_test_suite (last access 2018-04).
- 4.
https://github.com/trailofbits/cb-multios (last access 2018-04).
- 5.
http://security.ece.cmu.edu/byteweight/ (last access 2018-04).
- 6.
https://software.intel.com/en-us/articles/intel-sdm (last access 2018-04).
References
Andriesse, D., Chen, X., van der Veen, V., Slowinska, A., Bos, H.: An in-depth analysis of disassembly on full-scale x86/x64 binaries. In: USENIX Security Symposium (2016)
Andriesse, D., Slowinska, A., Bos, H.: Compiler-agnostic function detection in binaries. In: IEEE European Symposium on Security and Privacy (2017)
Bao, T., Burket, J., Woo, M., Turner, R., Brumley, D.: Byteweight: learning to recognize functions in binary code. In: USENIX (2014)
Eagle, C.: The IDA Pro Book: The Unofficial Guide to the World’s Most Popular Disassembler. No Starch Press, San Francisco (2008). ISBN 1593271786, 9781593271787
Gers, F.A., Schmidhuber, J., Cummins, F.: Learning to Forget: Continual Prediction with LSTM (1999)
Guilfanov, I.: IDA Fast Library Identification and Recognition Technology (Flirt Technology): In-depth (2012)
Hinton, G.E., Srivastava, N., Krizhevsky, A., Sutskever, I., Salakhutdinov, R.R.: Improving neural networks by preventing co-adaptation of feature detectors. arXiv preprint arXiv:1207.0580 (2012)
Hochreiter, S., Schmidhuber, J.: Long short-term memory. Neural Comput. 9(8), 1735–1780 (1997)
Jin, W., et al.: Binary function clustering using semantic hashes. In: 2012 11th International Conference on Machine Learning and Applications (ICMLA), vol. 1, pp. 386–391. IEEE (2012)
Liebler, L., Baier, H.: Approxis: a fast, robust, lightweight and approximate disassembler considered in the field of memory forensics. In: Matoušek, P., Schmiedecker, M. (eds.) ICDF2C 2017. LNICST, vol. 216, pp. 158–172. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-73697-6_12
Ligh, M.H., Case, A., Levy, J., Walters, A.: The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Wiley, US (2014)
Lipton, Z.C., Berkowitz, J., Elkan, C.: A critical review of recurrent neural networks for sequence learning. arXiv preprint arXiv:1506.00019 (2015)
Potchik, B.: Architecture agnostic function detection in binaries. https://binary.ninja/2017/11/06/architecture-agnostic-function-detection-in-binaries.html
Shin, E.C.R., Song, D., Moazzezi, R.: Recognizing functions in binaries with neural networks. In: USENIX Security Symposium, pp. 611–626 (2015)
Acknowledgement
This work was supported by the German Federal Ministry of Education and Research (BMBF) as well as by the Hessen State Ministry for Higher Education, Research and the Arts (HMWK) within CRISP (www.crisp-da.de).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Liebler, L., Baier, H. (2019). On Efficiency and Effectiveness of Linear Function Detection Approaches for Memory Carving. In: Breitinger, F., Baggili, I. (eds) Digital Forensics and Cyber Crime. ICDF2C 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 259. Springer, Cham. https://doi.org/10.1007/978-3-030-05487-8_1
Download citation
DOI: https://doi.org/10.1007/978-3-030-05487-8_1
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-05486-1
Online ISBN: 978-3-030-05487-8
eBook Packages: Computer ScienceComputer Science (R0)