Title
Automatically deriving pointer reference expressions from binary code for memory dump analysis
Abstract
Given a crash dump or a kernel memory snapshot, it is often desirable to have a capability that can traverse its pointers to locate the root cause of the crash, or check their integrity to detect control-flow hijacks. To achieve this, one key challenge lies in how to locate where the pointers are. While locating a pointer usually requires the data structure knowledge of the corresponding program, an important advance made by this work is that we show a technique for extracting address-independent data reference expressions for pointers through dynamic binary analysis. This novel pointer reference expression encodes how a pointer is accessed through the combination of a base address (usually a global variable) with a certain offset and further pointer dereferences. We have applied our techniques to OS kernels, and our experimental results with a number of real-world kernel malware samples show that we can correctly identify hijacked kernel function pointers by locating them with the extracted pointer reference expressions, given only a memory snapshot.
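The abstract describes a reference expression as a base address (a global) combined with offsets and pointer dereferences, evaluated over a memory snapshot to find a function pointer whose value can then be checked. The following C program is an added illustration of that evaluation, not code from the paper or its authors: the snapshot contents, the load address, the struct layouts, the "kernel text" range and the expression encoding are all constructed assumptions. It walks three expressions over a constructed 64-bit little-endian snapshot, reports a clean pointer, a pointer hijacked to land outside the code range, and an expression whose dereference leaves the captured region.

```c
/* Added illustration, not the paper's code: evaluate an address-independent
 * pointer reference expression over a memory snapshot and audit the pointer
 * it locates. Every address, layout and snapshot byte below is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SNAP_BASE  0x1000ULL  /* assumed load address of the captured bytes */
#define SNAP_SIZE  0x100      /* number of bytes captured */
#define TEXT_START 0x2000ULL  /* assumed kernel code range: legitimate targets */
#define TEXT_END   0x3000ULL

typedef struct { uint64_t base; size_t size; const uint8_t *bytes; } snapshot_t;

/* One step: add `offset` to the current address, then, if `deref` is set,
 * replace the address with the 8-byte pointer stored there. */
typedef struct { int64_t offset; int deref; } ref_step_t;

typedef struct {
    const char *name;       /* human-readable form of the expression */
    uint64_t base;          /* address of the anchoring global variable */
    const ref_step_t *steps;
    size_t nsteps;
} ref_expr_t;

/* Bounds-checked little-endian 64-bit read from the snapshot. */
static int snap_read_u64(const snapshot_t *s, uint64_t addr, uint64_t *out) {
    if (addr < s->base || addr - s->base > s->size - 8) return 0;
    const uint8_t *p = s->bytes + (addr - s->base);
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    *out = v;
    return 1;
}

static void put_u64(uint8_t *buf, uint64_t addr, uint64_t v) {
    uint8_t *p = buf + (addr - SNAP_BASE);
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Walk the expression. On success returns 1 with `slot` = address of the
 * pointer field and `target` = its value; returns 0 if a dereference leaves
 * the snapshot (the expression cannot be resolved on this image). */
static int resolve_ref(const snapshot_t *s, const ref_expr_t *e,
                       uint64_t *slot, uint64_t *target) {
    uint64_t addr = e->base;
    for (size_t i = 0; i < e->nsteps; i++) {
        addr += (uint64_t)e->steps[i].offset;
        if (e->steps[i].deref && !snap_read_u64(s, addr, &addr)) return 0;
    }
    *slot = addr;
    return snap_read_u64(s, addr, target);
}

/* 1 = target inside kernel text, 0 = hijacked (outside text), -1 = unresolvable. */
static int audit_ref(const snapshot_t *s, const ref_expr_t *e) {
    uint64_t slot, target;
    if (!resolve_ref(s, e, &slot, &target)) return -1;
    return (target >= TEXT_START && target < TEXT_END) ? 1 : 0;
}

/* Constructed image: global at 0x1000 -> table at 0x1040; table+0x10 -> ops
 * at 0x1080; ops+0x08 holds a clean handler, ops+0x18 a hijacked one. */
static void build_sample_snapshot(uint8_t buf[SNAP_SIZE]) {
    memset(buf, 0, SNAP_SIZE);
    put_u64(buf, 0x1000, 0x1040);  /* g_table: pointer to table struct */
    put_u64(buf, 0x1050, 0x1080);  /* table + 0x10: pointer to ops struct */
    put_u64(buf, 0x1088, 0x2040);  /* ops + 0x08: handler inside text */
    put_u64(buf, 0x1098, 0x9000);  /* ops + 0x18: redirected outside text */
}

static const ref_step_t clean_steps[]    = {{0, 1}, {0x10, 1}, {0x08, 0}};
static const ref_step_t hijacked_steps[] = {{0, 1}, {0x10, 1}, {0x18, 0}};
static const ref_step_t bad_steps[]      = {{0, 1}, {0x10, 1}, {0x200, 1}};

static const ref_expr_t sample_exprs[] = {
    {"*(*(g_table)+0x10)+0x08",  0x1000, clean_steps, 3},
    {"*(*(g_table)+0x10)+0x18",  0x1000, hijacked_steps, 3},
    {"*(*(g_table)+0x10)+0x200", 0x1000, bad_steps, 3},   /* walks off the image */
};

/* Audit sample expression `which` against the constructed snapshot. */
int audit_sample(int which) {
    uint8_t buf[SNAP_SIZE];
    build_sample_snapshot(buf);
    snapshot_t s = {SNAP_BASE, SNAP_SIZE, buf};
    if (which < 0 || which >= 3) return -1;
    return audit_ref(&s, &sample_exprs[which]);
}

int main(void) {
    for (int i = 0; i < 3; i++) {
        int r = audit_sample(i);
        printf("%-28s %s\n", sample_exprs[i].name,
               r == 1 ? "ok" : r == 0 ? "HIJACKED" : "unresolvable");
    }
    return 0;
}
```

The expression itself carries no absolute address beyond its anchoring global, which is why the same expression can be re-evaluated on a different snapshot once the global's address is known; the bounds check on every dereference matters because a corrupted intermediate pointer is exactly what a hijack or a crashed kernel produces, and an analyzer that follows it blindly reads garbage or faults.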
Year: 2015
DOI: 10.1145/2786805.2786810
Venue: ESEC/SIGSOFT FSE
Keywords: Kernel Integrity, taint analysis, memory forensics
Field: Tagged pointer, Pointer (computer programming), Pointer analysis, Escape analysis, Computer science, Pointer aliasing, Real-time computing, Dangling pointer, Smart pointer, Pointer swizzling
DocType: Conference
Citations: 2
PageRank: 0.38
References: 25
Authors: 3
Name | Order | Citations, PageRank (the two values are run together in the source)
Yangchun Fu | 1 | 2168.00
Zhiqiang Lin | 2 | 108264.49
David Brumley | 3 | 2940142.75