Many reverse engineering techniques for data structures rely on knowledge of memory allocation routines. Typically, they interpose on the system's malloc and free functions, and track each chunk of memory thus allocated as a data structure. However, many performance-critical applications implement their own custom memory allocators. Examples include webservers, database management systems, and compilers like gcc and clang. As a result, current binary analysis techniques for tracking data structures fail on such binaries. We present MemBrush, a new tool to detect memory allocation and deallocation functions in stripped binaries with high accuracy. We evaluated the technique on a large number of real-world applications that use custom memory allocators. We demonstrate that MemBrush detects allocators and deallocators with high accuracy: 52 out of 59 allocators and 29 out of 31 deallocators in SPECINT 2006. As we show, we can furnish existing reverse engineering tools with detailed information about the memory management API, and as a result perform an analysis of the actual application-specific data structures designed by the programmer. Our system uses dynamic analysis and detects memory allocation and deallocation routines by searching for functions that comply with a set of generic characteristics of allocators and deallocators.