Abstract
Dynamic binary instrumentation (DBI) systems are a popular solution for prototyping heterogeneous program analyses and monitoring tools. Several works from academic and practitioner venues have questioned the transparency of DBI systems, with anti-analysis detection sequences already found in malware and executable protectors. The present Field Note details new and established detection methods and evaluates recent versions of popular DBI systems against them. It also sets out reflections on potential remediations and alternatives available to security researchers for their daily needs. We make available a large collection of implemented detections, hoping it can help the community build better DBI runtimes and tools.
Highlights
Dynamic binary instrumentation (DBI) is an execution paradigm that enables the insertion of probes and analysis callbacks in an executable program while it is running
To better understand why transparency issues arise in the first place, we provide a brief overview of how the majority of modern DBI systems work
In addition to the three sources listed above, implementation gaps are a recurrent issue for systems based on binary recompilation or translation: missing support or imprecise handling of rare instructions and constructs is common in practice and can expose the presence of a DBI system to an adversary
Summary
Dynamic binary instrumentation (DBI) is an execution paradigm that enables the insertion of probes and analysis callbacks in an executable program while it is running. In addition to the three sources listed above, implementation gaps are a recurrent issue for systems based on binary recompilation or translation: missing support or imprecise handling of rare instructions and constructs is common in practice and can expose the presence of a DBI system to an adversary. Building on these considerations, we identify four aspects of program execution under DBI that are directly influenced by these sources: memory consistency, process behavior, temporal behavior, and translation defects. Software vendors want to protect their programs as much as possible from intellectual property theft or piracy attempts, both of which require reverse engineering work: software protectors like Obsidium and PELock, intended for vendors and abused by malware writers, insert detection sequences that target DBI (e.g., exposing the code cache in PELock).