DOI: 10.1145/2610384.2610407

Make it work, make it right, make it fast: building a platform-neutral whole-system dynamic binary analysis platform

Published: 21 July 2014

Abstract

Dynamic binary analysis is a prevalent and indispensable technique in program analysis. While several dynamic binary analysis tools and frameworks have been proposed, all suffer from one or more of the following: prohibitive performance degradation, a semantic gap between the analysis code and the program being analyzed, architecture/OS specificity, user-mode-only operation, and a lack of APIs, among other problems. We present DECAF, a virtual-machine-based, multi-target, whole-system dynamic binary analysis framework built on top of QEMU. DECAF provides Just-In-Time Virtual Machine Introspection combined with a novel TCG instruction-level tainting at bit granularity, backed by a plugin-based, simple-to-use, event-driven programming interface. DECAF exercises fine control over the TCG instructions to accomplish on-the-fly optimizations. We present 3 platform-neutral plugins (Instruction Tracer, Keylogger Detector, and API Tracer) to demonstrate the ease of use and effectiveness of DECAF for writing cross-platform and system-wide analysis tools. The implementation of DECAF consists of 9550 lines of C++ code and 10270 lines of C code. We evaluate DECAF using the SPEC CPU2006 benchmarks and show an average overhead of 605% for system-wide tainting and 12% for VMI.


Published In

ISSTA 2014: Proceedings of the 2014 International Symposium on Software Testing and Analysis
July 2014
460 pages
ISBN: 9781450326452
DOI: 10.1145/2610384
Publisher

Association for Computing Machinery, New York, NY, United States
Author Tags

1. Dynamic binary analysis
2. Dynamic taint analysis
3. Virtual machine introspection

Qualifiers

• Research-article

Conference

ISSTA '14

Acceptance Rates

Overall Acceptance Rate: 58 of 213 submissions, 27%
Cited By

  • Dynamic Possible Source Count Analysis for Data Leakage Prevention. Proceedings of the 21st ACM SIGPLAN International Conference on Managed Programming Languages and Runtimes, 2024, pp. 98-111. DOI: 10.1145/3679007.3685065. Online publication date: 13 Sep 2024.
  • Examiner-Pro: Testing Arm Emulators Across Different Privileges. IEEE Transactions on Software Engineering 50(11), 2024, pp. 2786-2806. DOI: 10.1109/TSE.2024.3406900. Online publication date: Nov 2024.
  • ROLoad-PMP: Securing Sensitive Operations for Kernels and Bare-Metal Firmware. IEEE Transactions on Computers 73(12), 2024, pp. 2722-2733. DOI: 10.1109/TC.2024.3449105. Online publication date: Dec 2024.
  • CipherTrace: automatic detection of ciphers from execution traces to neutralize ransomware. Journal of Cybersecurity 10(1), 2024. DOI: 10.1093/cybsec/tyae008. Online publication date: 6 Jun 2024.
  • Pinky: A Modern Malware-Oriented Dynamic Information Retrieval Tool. Innovative Security Solutions for Information Technology and Communications, 2024, pp. 65-78. DOI: 10.1007/978-3-031-52947-4_6. Online publication date: 21 Jan 2024.
  • A Survey of the Security Analysis of Embedded Devices. Sensors 23(22), 2023, article 9221. DOI: 10.3390/s23229221. Online publication date: 16 Nov 2023.
  • Xunpack: Cross-Architecture Unpacking for Linux IoT Malware. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, 2023, pp. 471-484. DOI: 10.1145/3607199.3607214. Online publication date: 16 Oct 2023.
  • Firmulti Fuzzer: Discovering Multi-process Vulnerabilities in IoT Devices with Full System Emulation and VMI. Proceedings of the 5th Workshop on CPS&IoT Security and Privacy, 2023, pp. 1-9. DOI: 10.1145/3605758.3623493. Online publication date: 26 Nov 2023.
  • FaaSLight: General Application-level Cold-start Latency Optimization for Function-as-a-Service in Serverless Computing. ACM Transactions on Software Engineering and Methodology 32(5), 2023, pp. 1-29. DOI: 10.1145/3585007. Online publication date: 22 Feb 2023.
  • Capturing Invalid Input Manipulations for Memory Corruption Diagnosis. IEEE Transactions on Dependable and Secure Computing 20(2), 2023, pp. 917-930. DOI: 10.1109/TDSC.2022.3145022. Online publication date: 1 Mar 2023.