binaryanalysis-ng
signature scanning behaviour for overlapping signatures
What is the expected behaviour for signature matching in the following situation?

signature = aba
string in which to search = abababc

There are three possibilities: position 0 only, position 2 only, or both positions. The current code picks the first alternative, but it might miss some signatures. Some signatures might overlap, e.g. ico and truetype combined with padding.
Changing the code to find overlapping signatures makes it run 4 times longer in my example. It finds nine fewer files, all text files recognized as base64; other files are now labeled binary while they were previously labeled text, such as Lua scripts and shell scripts.
The mislabeling had to do with a change in algorithm in IsTextComputer, not with the overlapping signatures.
No new files were encountered in my run, in 97.239341s versus 23.592947s.
A faster implementation for matching overlapping signatures is possible, with no performance difference compared to non-overlapping signatures, executed on a file with no overlapping signatures.
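The two scanning policies discussed in this thread, as an added example that is not part of the thread and not binaryanalysis-ng's code. The `scan` function, the signature names `fmt_a` and `fmt_b`, and the sample buffers are hypothetical and constructed for illustration.

```python
def scan(data: bytes, signatures: dict[str, bytes], overlapping: bool):
    """Return (offset, name) hits in offset order.

    overlapping=False: after a hit, resume after the END of the matched bytes,
                       so anything starting inside a hit is never reported.
    overlapping=True:  after a hit, resume one byte after its START.
    """
    hits, cursor = [], 0
    while True:
        # Earliest occurrence of each signature at or after the cursor.
        found = [(data.find(sig, cursor), name, sig)
                 for name, sig in signatures.items()]
        found = [f for f in found if f[0] != -1]
        if not found:
            return hits
        first = min(f[0] for f in found)
        here = [f for f in found if f[0] == first]
        if overlapping:
            # Report every signature that starts at this offset.
            hits.extend((first, name) for _, name, _ in here)
            cursor = first + 1
        else:
            # Consume the longest signature at this offset and skip past it.
            _, name, sig = max(here, key=lambda f: len(f[2]))
            hits.append((first, name))
            cursor = first + len(sig)


# Case from the issue: one signature overlapping itself.
SELF = {"aba": b"aba"}
SELF_DATA = b"abababc"

# Constructed case: two hypothetical formats whose signatures share a
# padding byte (fmt_a ends with 0x00, fmt_b starts with it).
PAIR = {"fmt_a": b"HDR1\x00", "fmt_b": b"\x00TAIL"}
PAIR_DATA = b"\x00\x00HDR1\x00TAIL"

if __name__ == "__main__":
    for sigs, data in ((SELF, SELF_DATA), (PAIR, PAIR_DATA)):
        print(data, "non-overlapping:", scan(data, sigs, False))
        print(data, "overlapping:    ", scan(data, sigs, True))
```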