Who allocated my memory? Detecting custom memory allocators in C binaries

2013 20th Working Conference on Reverse Engineering (WCRE) Pub Date : 2013-11-21 DOI:10.1109/WCRE.2013.6671277

X. Chen, Asia Slowinska, H. Bos

{"title":"Who allocated my memory? Detecting custom memory allocators in C binaries","authors":"X. Chen, Asia Slowinska, H. Bos","doi":"10.1109/WCRE.2013.6671277","DOIUrl":null,"url":null,"abstract":"Many reversing techniques for data structures rely on the knowledge of memory allocation routines. Typically, they interpose on the system's malloc and free functions, and track each chunk of memory thus allocated as a data structure. However, many performance-critical applications implement their own custom memory allocators. Examples include webservers, database management systems, and compilers like gcc and clang. As a result, current binary analysis techniques for tracking data structures fail on such binaries. We present MemBrush, a new tool to detect memory allocation and deallocation functions in stripped binaries with high accuracy. We evaluated the technique on a large number of real world applications that use custom memory allocators. As we show, we can furnish existing reversing tools with detailed information about the memory management API, and as a result perform an analysis of the actual application specific data structures designed by the programmer. Our system uses dynamic analysis and detects memory allocation and deallocation routines by searching for functions that comply with a set of generic characteristics of allocators and deallocators.","PeriodicalId":275092,"journal":{"name":"2013 20th Working Conference on Reverse Engineering (WCRE)","volume":"8 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-11-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"35","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 20th Working Conference on Reverse Engineering (WCRE)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/WCRE.2013.6671277","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 35

Abstract

Many reversing techniques for data structures rely on the knowledge of memory allocation routines. Typically, they interpose on the system's malloc and free functions, and track each chunk of memory thus allocated as a data structure. However, many performance-critical applications implement their own custom memory allocators. Examples include webservers, database management systems, and compilers like gcc and clang. As a result, current binary analysis techniques for tracking data structures fail on such binaries. We present MemBrush, a new tool to detect memory allocation and deallocation functions in stripped binaries with high accuracy. We evaluated the technique on a large number of real world applications that use custom memory allocators. As we show, we can furnish existing reversing tools with detailed information about the memory management API, and as a result perform an analysis of the actual application specific data structures designed by the programmer. Our system uses dynamic analysis and detects memory allocation and deallocation routines by searching for functions that comply with a set of generic characteristics of allocators and deallocators.

查看原文本刊更多论文

谁分配了我的内存?检测C二进制文件中的自定义内存分配器

许多数据结构的反转技术依赖于内存分配例程的知识。通常，它们会干预系统的malloc和free函数，并跟踪作为数据结构分配的每个内存块。但是，许多性能关键型应用程序实现了自己的自定义内存分配器。示例包括web服务器、数据库管理系统以及像gcc和clang这样的编译器。因此，当前用于跟踪数据结构的二进制分析技术无法处理此类二进制文件。MemBrush是一种新的工具，可以高精度地检测剥离二进制文件中的内存分配和释放函数。我们在大量使用自定义内存分配器的实际应用程序上评估了该技术。正如我们所展示的，我们可以为现有的反转工具提供有关内存管理API的详细信息，从而对程序员设计的特定于应用程序的实际数据结构进行分析。我们的系统使用动态分析，并通过搜索符合分配器和释放器的一组通用特征的函数来检测内存分配和释放例程。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2013 20th Working Conference on Reverse Engineering (WCRE)

自引率

0.00%

发文量