Detecting Custom Memory Allocators in C Binaries

[Nytro]

Detecting Custom Memory Allocators in C Binaries

Xi Chen Asia Slowinska Herbert Bos

Vrije Universiteit Amsterdam, The Netherlands

Abstract—Many reversing techniques for data structures rely

on the knowledge of memory allocation routines. Typically, they

interpose on the system’s malloc and free functions, and track

each chunk of memory thus allocated as a data structure. How-

ever, many performance-critical applications implement their

own custom memory allocators. Examples include webservers,

database management systems, and compilers like gcc and clang.

As a result, current binary analysis techniques for tracking data

structures fail on such binaries.

We present MemBrush, a new tool to detect memory allocation

and deallocation functions in stripped binaries with high accu-

racy. We evaluated the technique on a large number of real world

applications that use custom memory allocators. As we show, we

can furnish existing reversing tools with detailed information

about the memory management API, and as a result perform an

analysis of the actual application specific data structures designed

by the programmer. Our system uses dynamic analysis and

detects memory allocation and deallocation routines by searching

for functions that comply with a set of generic characteristics of

allocators and deallocators.

Download:

http://www.cs.vu.nl/~herbertb/papers/membrush_wcre13.pdf