Skip to main content
Disciplines
Automotive Business IT + Informatics Construction + Real Estate Electrical Engineering + Electronics Energy + Sustainability Insurance + Risk Finance + Banking Management + Leadership Marketing + Sales Mechanical Engineering + Materials
Events
DE
EN
Books
Journals
Topic Page
Marketing
Start single access now
Access for companies
EXTENDED SEARCH
Log in
Top
Published in:
Cover of the book

2019 | OriginalPaper | Chapter

On Efficiency and Effectiveness of Linear Function Detection Approaches for Memory Carving

Authors : Lorenz Liebler, Harald Baier

Published in: Digital Forensics and Cyber Crime

Publisher: Springer International Publishing

Log in

Activate our intelligent search to find suitable subject content or patents.

search-config
loading …

Abstract

In the field of unstructured memory analysis, the context-unaware detection of function boundaries leads to meaningful insights. For instance, in the field of binary analysis, those structures yield further inference, e.g., identifying binaries known to be bad. However, recent publications discuss different strategies for the problem of function boundary detection and consider it to be a difficult problem. One of the reasons is that the detection process depends on a quantity of parameters including the used architecture, programming language and compiler parameters. Initially a typical memory carving approach transfers the paradigm of signature-based detection techniques from the mass storage analysis to memory analysis. To automate and generalise the signature matching, signature-based recognition approaches have been extended by machine learning algorithms. Recently a review of function detection approaches claims that the results are possibly biased by large portions of shared code between the used samples. In this work we reassess the application of recently discussed machine learning based function detection approaches. We analyse current approaches in the context of memory carving with respect to both their efficiency and their effectiveness. We show the capabilities of function start identification by reducing the features to vectorised mnemonics. In all this leads to a significant reduction of runtime by keeping a high value of accuracy and a good value of recall.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

  • über 102.000 Bücher
  • über 537 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Maschinenbau + Werkstoffe
  • Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 390 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Maschinenbau + Werkstoffe




 

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 340 Zeitschriften

aus folgenden Fachgebieten:

  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Versicherung + Risiko




Jetzt Wissensvorsprung sichern!

inform now
next chapter fishy - A Framework for Implementing Filesystem-Based Data Hiding Techniques
Footnotes
2
https://​binary.​ninja/​ (last access 2018-04).
 
Literature
1.
Andriesse, D., Chen, X., van der Veen, V., Slowinska, A., Bos, H.: An in-depth analysis of disassembly on full-scale x86/x64 binaries. In: USENIX Security Symposium (2016)
2.
Andriesse, D., Slowinska, A., Bos, H.: Compiler-agnostic function detection in binaries. In: IEEE European Symposium on Security and Privacy (2017)
3.
Bao, T., Burket, J., Woo, M., Turner, R., Brumley, D.: Byteweight: learning to recognize functions in binary code. In: USENIX (2014)
4.
Eagle, C.: The IDA Pro Book: The Unofficial Guide to the World’s Most Popular Disassembler. No Starch Press, San Francisco (2008). ISBN 1593271786, 9781593271787
5.
Gers, F.A., Schmidhuber, J., Cummins, F.: Learning to Forget: Continual Prediction with LSTM (1999)
6.
Guilfanov, I.: IDA Fast Library Identification and Recognition Technology (Flirt Technology): In-depth (2012)
7.
Hinton, G.E., Srivastava, N., Krizhevsky, A., Sutskever, I., Salakhutdinov, R.R.: Improving neural networks by preventing co-adaptation of feature detectors. arXiv preprint arXiv:​1207.​0580 (2012)
8.
Hochreiter, S., Schmidhuber, J.: Long short-term memory. Neural Comput. 9(8), 1735–1780 (1997)CrossRef
9.
Jin, W., et al.: Binary function clustering using semantic hashes. In: 2012 11th International Conference on Machine Learning and Applications (ICMLA), vol. 1, pp. 386–391. IEEE (2012)
10.
11.
Ligh, M.H., Case, A., Levy, J., Walters, A.: The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Wiley, US (2014)
12.
Lipton, Z.C., Berkowitz, J., Elkan, C.: A critical review of recurrent neural networks for sequence learning. arXiv preprint arXiv:​1506.​00019 (2015)
13.
14.
Shin, E.C.R., Song, D., Moazzezi, R.: Recognizing functions in binaries with neural networks. In: USENIX Security Symposium, pp. 611–626 (2015)
Metadata
Title
On Efficiency and Effectiveness of Linear Function Detection Approaches for Memory Carving
Authors
Lorenz Liebler
Harald Baier
Copyright Year
2019
Book
Digital Forensics and Cyber Crime

Print ISBN: 978-3-030-05486-1

Electronic ISBN: 978-3-030-05487-8

Copyright Year: 2019

DOI
https://doi.org/10.1007/978-3-030-05487-8_1

Premium Partner

    Image Credits