ABSTRACT
Binary instrumentation allows users to inject new code into programs without requiring source code, symbols, or debugging information. Instrumenting a binary requires structural modifications such as moving code, adding new code, and overwriting existing code; these modifications may unintentionally change the program's semantics. Binary instrumenters attempt to preserve the intended semantics of the program by further transforming the code to compensate for these structural modifications. Current instrumenters may fail to correctly preserve program semantics, or may impose significant unnecessary compensation cost, because they lack a formal model of the impact of their structural modifications on program semantics. These weaknesses are particularly acute when instrumenting highly optimized or malicious code, making current instrumenters less useful as tools in the security or high-performance domains. We present a formal specification of how the structural modifications used by instrumentation affect a binary's visible behavior, and have adapted the Dyninst binary instrumenter to use this specification, thereby guaranteeing correct instrumentation while greatly reducing compensation costs. When compared against the fastest widely used instrumenters, our technique imposed 46% less overhead; furthermore, we can successfully instrument highly defensive binaries that are specifically looking for code patching and instrumentation.
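The abstract's core point, that moving code changes the semantics of only those instructions whose behavior depends on their own address, and that an instrumenter without a model of that dependence either breaks the program or compensates everything, is easier to see on a toy machine. The following is an added illustration written for this page; it is not code from the paper or from Dyninst. The instruction set, the sample program, the `count` instrumentation opcode and the helper names (`is_address_sensitive`, `relocate`, `instrument`) are all constructed here. A naive relocation copies a PC-relative load verbatim and silently computes the wrong answer; a model-driven relocation rewrites the displacement of that one instruction and leaves the other three untouched.

```python
"""Toy model of code relocation during binary instrumentation.

Constructed example (not from the paper or from Dyninst): a tiny
instruction set in which only PC-relative operands depend on the
address an instruction executes at.  Moving a block therefore needs
compensation for exactly those instructions and for nothing else.
"""
from typing import Dict, List, Tuple, Union

Instr = Tuple            # (opcode, operand, ...)
Memory = Dict[int, Union[Instr, int]]   # address -> instruction or data word

# Constructed sample program laid out at addresses 0..5.
#   0: load_rel r0, +4    r0 = mem[0 + 4] = 40   (PC-relative: address-sensitive)
#   1: load_abs r1, 5     r1 = mem[5]     = 2    (absolute: not sensitive)
#   2: add      r2, r0, r1                       (not sensitive)
#   3: halt
#   4: 40  (data)
#   5: 2   (data)
ORIGINAL: Memory = {
    0: ("load_rel", "r0", 4),
    1: ("load_abs", "r1", 5),
    2: ("add", "r2", "r0", "r1"),
    3: ("halt",),
    4: 40,
    5: 2,
}
BLOCK = [0, 1, 2, 3]     # the basic block we want to instrument


def run(mem: Memory, entry: int = 0, max_steps: int = 100) -> Dict[str, int]:
    """Execute from `entry` until halt.  Returns the register file plus a
    `count` cell that the inserted instrumentation increments.  Unmapped
    data reads return 0, so a mis-relocated load fails silently, exactly
    the kind of unintended semantic change the abstract describes."""
    regs = {"r0": 0, "r1": 0, "r2": 0, "count": 0}
    pc = entry
    for _ in range(max_steps):
        ins = mem.get(pc)
        if not isinstance(ins, tuple):
            raise RuntimeError(f"executed non-code at address {pc}")
        op = ins[0]
        if op == "halt":
            return regs
        if op == "load_rel":          # reg = mem[pc + disp]
            regs[ins[1]] = mem.get(pc + ins[2], 0)
        elif op == "load_abs":        # reg = mem[addr]
            regs[ins[1]] = mem.get(ins[2], 0)
        elif op == "add":
            regs[ins[1]] = regs[ins[2]] + regs[ins[3]]
        elif op == "jmp":             # absolute jump: unaffected by relocation
            pc = ins[1]
            continue
        elif op == "count":           # inserted instrumentation snippet
            regs["count"] += 1
        else:
            raise RuntimeError(f"unknown opcode {op}")
        pc += 1
    raise RuntimeError("step limit exceeded")


def is_address_sensitive(ins: Instr) -> bool:
    """The semantic model: does this instruction's visible behaviour depend
    on the address it executes at?  In this toy ISA only PC-relative loads do."""
    return ins[0] == "load_rel"


def relocate(ins: Instr, old_pc: int, new_pc: int) -> Instr:
    """Compensate a moved instruction so it observes the same memory cell."""
    if ins[0] == "load_rel":
        return ("load_rel", ins[1], old_pc + ins[2] - new_pc)
    return ins


def instrument(mem: Memory, block: List[int], new_base: int,
               compensate: bool) -> Memory:
    """Move `block` to `new_base`, prepend a `count` instruction, and
    overwrite the block's first instruction with a jump to the moved copy.
    compensate=False copies instructions verbatim (the naive instrumenter);
    compensate=True rewrites only the address-sensitive ones."""
    out = dict(mem)
    out[new_base] = ("count",)
    new_pc = new_base + 1
    for old_pc in block:
        ins = mem[old_pc]
        if compensate and is_address_sensitive(ins):
            ins = relocate(ins, old_pc, new_pc)
        out[new_pc] = ins
        new_pc += 1
    out[block[0]] = ("jmp", new_base)       # patch site in the original code
    return out


def compensation_count(mem: Memory, block: List[int]) -> int:
    """How many instructions the model says actually need compensation."""
    return sum(is_address_sensitive(mem[a]) for a in block)


if __name__ == "__main__":
    print("original:    ", run(ORIGINAL))
    print("naive:       ", run(instrument(ORIGINAL, BLOCK, 100, compensate=False)))
    print("compensated: ", run(instrument(ORIGINAL, BLOCK, 100, compensate=True)))
    print("instructions needing compensation:", compensation_count(ORIGINAL, BLOCK), "of", len(BLOCK))
```

The naive relocation leaves `r2` at 2 instead of 42 because the moved `load_rel` now reads an unmapped cell; the compensated relocation restores 42 while the `count` cell shows the instrumentation ran. Only one of the four moved instructions is flagged as sensitive, which is the "reduce unnecessary compensation" half of the abstract's claim: an instrumenter with no such model would have to treat every moved instruction as potentially sensitive. Real x86 instrumenters face the same classification problem with rip-relative addressing, relative branches, and code that reads its own bytes, and the last of these is what a self-checking defensive binary relies on to notice the overwritten patch site.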