PwIN – Pwning Intel piN: Why DBI is Unsuitable for Security Applications

“…Supporting the first property in the presence of a dedicated adversary seems instead hard for a DBI engine: as the runtime shares the same address space of the code under analysis, the possibility of covert channels is real. Actually, by subverting isolation an attacker might in turn also foil the inspection and interposition capabilities of a DBI system [28].…”

“…There are peculiarities of DBI that could be exploited as well: for instance, the time required to dynamically load a library from user code can be two orders of magnitude larger [17] under DBI due to the image loading process. Similarly, effects of the trace compilation process can be exploited by observing fluctuations in the time required to take a branch in the program from the first time it is observed in the execution [28].…”

“…For instance, Pin and DynamoRIO miss permission violations when the virtual IP falls into code pages for which access has been disabled (PAGE_NOACCESS) or guarded (PAGE_GUARD) by the application [24]. Similarly, an engine may erroneously process and execute code from pages that were not granted execution permissions [28].…”

“…Analysis systems that base their working on binary translation are subject to implementation defects and limitations: this is true for DBI but also for full system emulators like QEMU. A popular example is the enter instruction that is not implemented in Valgrind [28]. DBI architects may decide to not support rarely used instructions; however, some instructions are intrinsically challenging for DBI systems: consider for instance far returns, which in Pin are allowed only when within the same code segment.…”

“…Among academic works, Polino et al [46] proposed countermeasures for anti-instrumentation strategies found in packers, some of which are specific to DBI. One year later Kirsch et al [28] presented a research that instead deems DBI unsuitable for security applications, presenting a case study on its most popular framework.…”

SoK

“…Supporting the first property in the presence of a dedicated adversary seems instead hard for a DBI engine: as the runtime shares the same address space of the code under analysis, the possibility of covert channels is real. Actually, by subverting isolation an attacker might in turn also foil the inspection and interposition capabilities of a DBI system [28].…”

“…There are peculiarities of DBI that could be exploited as well: for instance, the time required to dynamically load a library from user code can be two orders of magnitude larger [17] under DBI due to the image loading process. Similarly, effects of the trace compilation process can be exploited by observing fluctuations in the time required to take a branch in the program from the first time it is observed in the execution [28].…”

“…For instance, Pin and DynamoRIO miss permission violations when the virtual IP falls into code pages for which access has been disabled (PAGE_NOACCESS) or guarded (PAGE_GUARD) by the application [24]. Similarly, an engine may erroneously process and execute code from pages that were not granted execution permissions [28].…”

“…Analysis systems that base their working on binary translation are subject to implementation defects and limitations: this is true for DBI but also for full system emulators like QEMU. A popular example is the enter instruction that is not implemented in Valgrind [28]. DBI architects may decide to not support rarely used instructions; however, some instructions are intrinsically challenging for DBI systems: consider for instance far returns, which in Pin are allowed only when within the same code segment.…”

“…Among academic works, Polino et al [46] proposed countermeasures for anti-instrumentation strategies found in packers, some of which are specific to DBI. One year later Kirsch et al [28] presented a research that instead deems DBI unsuitable for security applications, presenting a case study on its most popular framework.…”

SoK

Techniques Implemented in Software Protectors: A Journey with DBI Through What Protectors Use to Detect Bad Guys

Hybrid emulation for bypassing anti-reversing techniques and analyzing malware