Title |
---|
Automatically deriving pointer reference expressions from binary code for memory dump analysis |
Abstract |
---|
Given a crash dump or a kernel memory snapshot, it is often desirable to be able to traverse its pointers to locate the root cause of the crash, or to check their integrity to detect control-flow hijacks. A key challenge is locating the pointers in the first place. Locating a pointer usually requires knowledge of the program's data structures; the advance made by this work is a technique for extracting address-independent data reference expressions for pointers through dynamic binary analysis. Such a pointer reference expression encodes how a pointer is reached: a base address (usually a global variable) combined with an offset and further pointer dereferences. We have applied the technique to OS kernels, and our experiments with a number of real-world kernel malware samples show that, given only a memory snapshot, we can correctly identify hijacked kernel function pointers by locating them through the extracted pointer reference expressions. |
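The following is an added illustration of the abstract's idea, not code from the paper or its authors: a pointer reference expression of the shape `*( *(global + off0) + off1 )` is evaluated against a raw memory snapshot, and the function pointer it resolves to is checked against the kernel text range. The snapshot layout, the global symbol `ops_ptr`, the field offset `0x18`, the address constants and the three scenarios are all constructed for the example; a real deployment would take the global's address from the symbol table of the snapshotted kernel and the text range from its section headers.

```c
/*
 * Added example (not the paper's code): evaluate a pointer reference
 * expression  *( *(global + off0) + off1 )  against a raw memory snapshot
 * and check that the function pointer in the resolved slot lies inside the
 * kernel's text range. All addresses, offsets and the snapshot layout are
 * constructed for illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SNAP_BASE 0xffff000000001000ULL   /* VA of snapshot byte 0 (assumed) */
#define SNAP_SIZE 0x80
#define KTEXT_LO  0xffff000000100000ULL   /* assumed kernel .text range */
#define KTEXT_HI  0xffff000000200000ULL

typedef struct { uint64_t base; const uint8_t *bytes; size_t size; } snapshot_t;

/* One step of an expression: add an offset, then optionally dereference. */
typedef struct { uint64_t offset; bool deref; } ref_step_t;

/* Address-independent reference expression: anchored on a global symbol
 * (its VA is resolved per snapshot), followed by a fixed chain of
 * offsets and dereferences. */
typedef struct {
    const char *name;
    uint64_t base_va;
    const ref_step_t *steps;
    size_t nsteps;
} ref_expr_t;

enum verdict { VERDICT_CLEAN = 0, VERDICT_HIJACKED = 1, VERDICT_UNRESOLVED = -1 };

/* Bounds-checked little-endian 64-bit read from the snapshot. */
static bool snap_read_u64(const snapshot_t *s, uint64_t va, uint64_t *out)
{
    if (va < s->base || va - s->base + 8 > s->size) return false;
    const uint8_t *p = s->bytes + (va - s->base);
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    *out = v;
    return true;
}

/* Walk the expression and return the VA of the final pointer slot. */
bool resolve_expr(const snapshot_t *s, const ref_expr_t *e, uint64_t *slot_va)
{
    uint64_t cur = e->base_va;
    for (size_t i = 0; i < e->nsteps; i++) {
        cur += e->steps[i].offset;
        if (e->steps[i].deref && !snap_read_u64(s, cur, &cur)) return false;
    }
    *slot_va = cur;
    return true;
}

/* Integrity check: the function pointer in the resolved slot must point
 * into kernel text; a pointer into heap or module memory is flagged. */
int check_fptr(const snapshot_t *s, const ref_expr_t *e)
{
    uint64_t slot, target;
    if (!resolve_expr(s, e, &slot) || !snap_read_u64(s, slot, &target))
        return VERDICT_UNRESOLVED;
    return (target >= KTEXT_LO && target < KTEXT_HI) ? VERDICT_CLEAN
                                                     : VERDICT_HIJACKED;
}

static void put_u64(uint8_t *buf, size_t off, uint64_t v)
{
    for (int i = 0; i < 8; i++) buf[off + i] = (uint8_t)(v >> (8 * i));
}

/* Constructed snapshot layout (assumed, not from any real kernel):
 *   SNAP_BASE+0x00  global `ops_ptr`  -> VA of an ops struct
 *   SNAP_BASE+0x40  ops struct; its field at +0x18 is a function pointer
 * Expression under test:  *( *(ops_ptr + 0x0) + 0x18 )
 * Scenarios: 0 = clean, 1 = function pointer hooked, 2 = ops_ptr dangling. */
int demo_check(int scenario)
{
    uint8_t buf[SNAP_SIZE];
    memset(buf, 0, sizeof buf);
    uint64_t ops_va = (scenario == 2) ? 0xffff00000000f000ULL /* outside snapshot */
                                      : SNAP_BASE + 0x40;
    put_u64(buf, 0x00, ops_va);
    put_u64(buf, 0x40 + 0x18, scenario == 1 ? 0xffff000000c0ffe0ULL   /* hook target */
                                            : 0xffff000000123450ULL); /* inside .text */

    static const ref_step_t steps[] = { { 0x00, true }, { 0x18, false } };
    ref_expr_t e = { "ops_ptr->open", SNAP_BASE, steps, 2 };
    snapshot_t s = { SNAP_BASE, buf, sizeof buf };
    return check_fptr(&s, &e);
}

int main(void)
{
    const char *names[] = { "clean", "hooked", "dangling" };
    for (int i = 0; i < 3; i++)
        printf("%-8s -> %d\n", names[i], demo_check(i));
    return 0;
}
```

The expression itself carries no absolute addresses beyond the anchoring global, which is what makes it reusable across snapshots of the same kernel build; the unresolved verdict matters in practice because a snapshot that does not cover the dereferenced page, or a pointer already corrupted earlier in the chain, must not be silently reported as clean.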
Year | DOI | Venue |
---|---|---|
2015 | 10.1145/2786805.2786810 | ESEC/SIGSOFT FSE |
Keywords | Field | DocType |
Kernel Integrity, taint analysis, memory forensics | Tagged pointer, Pointer (computer programming), Pointer analysis, Escape analysis, Computer science, Pointer aliasing, Real-time computing, Dangling pointer, Smart pointer, Pointer swizzling | Conference |
Citations | PageRank | References |
2 | 0.38 | 25 |
Authors |
---|
3 |
Name | Order | Citations | PageRank |
---|---|---|---|
Yangchun Fu | 1 | 216 | 8.00 |
Zhiqiang Lin | 2 | 1082 | 64.49 |
David Brumley | 3 | 2940 | 142.75 |