Transparent dynamic instrumentation

Bruening, Derek; Zhao, Qin; Amarasinghe, Saman

doi:10.1145/2151024.2151043

Cited by 79 publications

(29 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Binary mutation is an example of binary rewriting, which can be performed either statically (i.e., producing a modified executable file) or dynamically (producing new code as the program executes). Tools like Pin [27] for x86 binaries and DynamoRIO [8] for x86 and ARM allow the control flow [42], [39] to be changed at runtime. Dynamic binary translation tools that use an intermediate representation (IR), such as QEMU and Valgrind, can also be modified to implement mutations, though the flexibility of an IR is less important for simple mutations, and uses of an IR tends to make the translated code less efficient.…”

Section: B Binary Rewritingmentioning

confidence: 99%

Binary Mutation Analysis of Tests Using Reassembleable Disassembly

Emamdoost¹,

Sharma²,

Byun³

et al. 2019

Proceedings 2019 Workshop on Binary Analysis Research

View full text Add to dashboard Cite

Good tests are important in software development, but it can be hard to tell whether tests will reveal future faults that are themselves unknown. Mutation analysis, which checks whether tests reveal inserted changes in a program, is a strong measure of test suite adequacy, but common source-or compilerlevel approaches to mutation testing are not applicable to software available only in binary form. We explore mutation analysis as an application of the reassembleable disassembly approach to binary rewriting, building a tool for x86 binaries on top of the previously-developed Uroboros system, and apply it to the C benchmarks from SPEC CPU 2006 and to five examples of embedded control software. The results demonstrate that our approach works effectively across these software domains: as expected, tests designed for performance benchmarking reveal fewer mutants than tests generated to achieve high code coverage, but mutation scores indicate differences in test origins and features such as code size and fault-tolerance. Our binary-level tool also achieves comparable results to source-level mutation analysis despite supporting a more limited set of mutation operators. More generally we also argue that our experience shows how reassembleable disassembly is a valuable approach for constructing novel binary rewriting tools.

show abstract

Section: B Binary Rewritingmentioning

confidence: 99%

Binary Mutation Analysis of Tests Using Reassembleable Disassembly

Emamdoost¹,

Sharma²,

Byun³

et al. 2019

Proceedings 2019 Workshop on Binary Analysis Research

View full text Add to dashboard Cite

show abstract

“…For instance, IDA Pro [24] and OllyDbg [51] are popular debuggers that run alongside malware samples. DynamoRIO [10] uses process virtualization that executes on the OS and admits user-built dynamic instrumentation tools. These options require running software inside the target OS, which is easily detected by malware.…”

Section: A Malware Analysis and Debuggingmentioning

confidence: 99%

Towards Transparent Introspection

Leach

Spensky

Weimer

et al. 2016

2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER)

View full text Add to dashboard Cite

There is a growing need for the dynamic analysis of sensitive systems that do not support traditional debugging or emulation environments. Analysis can alter program behavior, necessitating transparency. For example, as the cat and mouse game between malware authors and malware analysts progresses, malicious software can increasingly detect and confound debuggers. Analysts must understand variable values, stack traces, and factors influencing dynamic behavior, but recent malware samples leverage any piece of information or artifact available that signals the presence of a debugger or emulator. In this work, we advance the state-of-the-art for transparent program analysis by introducing a low-artifact introspection technique. Our approach uses hardware-assisted live memory snapshots of process execution on native targets (e.g., x86 processors), coupled with static reasoning about programs. We produce highfidelity data and control flow information with minimal detectable artifacts that could influence benign subject behavior or be leveraged for anti-analysis. We evaluate our system using two hardware implementations (x86-supported System Management Mode and PCI-based SlotScreamer devices) and two software configurations (benign and evasive programs). We also analyze the theoretical and practical limitations of our technique. We discuss an expert case study in which we apply our technique to a malware reverse engineering task. Finally, we present results of a human study in which 30 participants performed debugging tasks using information provided by our approach; our tool was as useful as a gdb baseline, but applies transparently. Our dynamic analysis approach permits transparent introspection to access previously-unavailable information about a process's internal state with minimal instrumentation artifacts.

show abstract

“…We fix this situation by allocating space for the edge code from a separate memory pool. This allows better icache locality for frequently executed code in the 7 The cost of this synchronization is small because additions to the code cache are relatively rare in steady state. This synchronization could have been avoided by using multiple per-CPU code caches but that results in poor icache performance as also discussed in Section 4.2. code cache.…”

Section: Code Cache Layoutmentioning

confidence: 99%

“…http://dx.doi.org/10.1145/2517349.2522718 sandboxing [12], dynamic optimizations [4], and more. DBT can be implemented both at user-level [7] and at system-level [2,10]. Current system-level binary translators exhibit large performance overheads on kernelintensive workloads.…”

Section: Introductionmentioning

confidence: 99%

Fast dynamic binary translation for the kernel

Kedia

Bansal

2013

Proceedings of the Twenty-Fourth ACM Symposium on Operating Systems Principles

View full text Add to dashboard Cite

Dynamic binary translation (DBT) is a powerful technique with several important applications. System-level binary translators have been used for implementing a Virtual Machine Monitor [2] and for instrumentation in the OS kernel [10]. In current designs, the performance overhead of binary translation on kernel-intensive workloads is high. e.g., over 10x slowdowns were reported on the syscall nanobenchmark in [2], 2-5x slowdowns were reported on lmbench microbenchmarks in [10]. These overheads are primarily due to the extra work required to correctly handle kernel mechanisms like interrupts, exceptions, and physical CPU concurrency. We present a kernel-level binary translation mechanism which exhibits near-native performance even on applications with large kernel activity. Our translator relaxes transparency requirements and aggressively takes advantage of kernel invariants to eliminate sources of slowdown. We have implemented our translator as a loadable module in unmodified Linux, and present performance and scalability experiments on multiprocessor hardware. Although our implementation is Linux specific, our mechanisms are quite general; we only take advantage of typical kernel design patterns, not Linuxspecific features. For example, our translator performs 3x faster than previous kernel-level DBT implementations while running the Apache web server.

show abstract

Transparent dynamic instrumentation

Cited by 79 publications

References 32 publications

Binary Mutation Analysis of Tests Using Reassembleable Disassembly

Binary Mutation Analysis of Tests Using Reassembleable Disassembly

Towards Transparent Introspection

Fast dynamic binary translation for the kernel

Contact Info

Product

Resources

About