skip to main content
research-article

A platform for secure static binary instrumentation

Published:01 March 2014Publication History
Skip Abstract Section

Abstract

Program instrumentation techniques form the basis of many recent software security defenses, including defenses against common exploits and security policy enforcement. As compared to source-code instrumentation, binary instrumentation is easier to use and more broadly applicable due to the ready availability of binary code. Two key features needed for security instrumentations are (a) it should be applied to all application code, including code contained in various system and application libraries, and (b) it should be non-bypassable. So far, dynamic binary instrumentation (DBI) techniques have provided these features, whereas static binary instrumentation (SBI) techniques have lacked them. These features, combined with ease of use, have made DBI the de facto choice for security instrumentations. However, DBI techniques can incur high overheads in several common usage scenarios, such as application startups, system-calls, and many real-world applications. We therefore develop a new platform for secure static binary instrumentation (PSI) that overcomes these drawbacks of DBI techniques, while retaining the security, robustness and ease-of-use features. We illustrate the versatility of PSI by developing several instrumentation applications: basic block counting, shadow stack defense against control-flow hijack and return-oriented programming attacks, and system call and library policy enforcement. While being competitive with the best DBI tools on CPU-intensive SPEC 2006 benchmark, PSI provides an order of magnitude reduction in overheads on a collection of real-world applications.

References

  1. Lmbench tool for performance analysis. http://lmbench.sourceforge.net/.Google ScholarGoogle Scholar
  2. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control- flow integrity principles, implementations, and applications. ACM TISSEC, 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. K. Anand, M. Smithson, A. Kotha, K. Elwazeer, and R. Barua. Decompilation to compiler high IR in a binary rewriter. Technical report, University of Maryland, 2010.Google ScholarGoogle Scholar
  4. K. Anand, M. Smithson, K. Elwazeer, A. Kotha, and J. Gruen et al. A compiler-level intermediate representation based binary analysis and rewriting system. In EuroSys, 2013. Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. T. Avgerinos, S. K. Cha, A. Rebert, E. J. Schwartz, and M. Woo et al. AEG: automatic exploit generation. In NDSS, 2011.Google ScholarGoogle Scholar
  6. T. Bletsch, X. Jiang, and V. Freeh. Mitigating code-reuse attacks with control-flow locking. In ACSAC, 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. E. Borin, C. Wang, Y. Wu, and G. Araujo. Software-based transparent and comprehensive control-flow error detection. In CGO, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. D. Bruening. Efficient, transparent, and comprehensive run- time code manipulation. PhD thesis, 2004. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. D. Brumley, I. Jager, T. Avgerinos, and E. Schwartz. BAP: a binary analysis platform. In CAV, 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. B. Buck and J. Hollingsworth. An API for runtime code patching. Int. J. High Perform. Comput. Appl., 2000. Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. P. Chen, H. Xiao, X. Shen, X. Yin, and B. Mao et al. DROP: detecting return-oriented programming malicious code. In ICISS, 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. L. Davi, A.-R. Sadeghi, and M. Winandy. ROPdefender: a detection tool to defend against return-oriented programming attacks. In ASIACCS, 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. K. ElWazeer, K. Anand, A. Kotha, M. Smithson, and R. Barua. Scalable variable and data type detection in a binary rewriter. In PLDI, 2013. Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. U. Erlingsson, M. Abadi, M. Vrable, M. Budiu, and G. Necula. XFI: software guards for system address spaces. In OSDI, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. B. Ford and R. Cox. Vx32: lightweight user-level sandboxing on the x86. In USENIX ATC, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. J. Hiser, A. Nguyen-Tuong, M. Co, M. Hall, and J. Davidson. ILR: where'd my gadgets go? In S&P, 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. V. Kiriansky, D. Bruening, and S. Amarasinghe. Secure exe- cution via program shepherding. In USENIX Security, 2002. Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. M. Laurenzano, M. Tikir, L. Carrington, and A. Snavely. PEBIL: efficient static binary instrumentation for Linux. InIEEE International Symposium on Performance Analysis of Systems Software (ISPASS), 2010.Google ScholarGoogle ScholarCross RefCross Ref
  19. C.-K. Luk, R. Cohn, R. Muth, H. Patil, and A. Klauser et al. Pin: building customized program analysis tools with dynamic instrumentation. In PLDI, 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. S. McCamant and G. Morrisett. Evaluating SFI for a CISC architecture. USENIX Security, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. S. Nanda, W. Li, L.-C. Lam, and T.-c. Chiueh. BIRD: binary interpretation using runtime disassembly. In CGO, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. N. Nethercote and J. Seward. Valgrind: a framework for heavyweight dynamic binary instrumentation. In PLDI, 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. J. Newsome. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In NDSS, 2005.Google ScholarGoogle Scholar
  24. K. Onarlioglu, L. Bilge, A. Lanzi, D. Balzarotti, andE. Kirda. G-Free: defeating return-oriented programming through gadget-less binaries. In ACSAC, 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. V. Pappas, M. Polychronakis, and A. Keromytis. Smashing the gadgets: Hindering return-oriented programming using in- place code randomization. In S&P, 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. M. Payer and T. Gross. Fine-grained user-space security through virtualization. In VEE, 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. M. Prasad and T.-c. Chiueh. A binary rewriting defense against stack based overflow attacks. In USENIX ATC, 2003.Google ScholarGoogle Scholar
  28. F. Qin, C. Wang, Z. Li, H.-s. Kim, and Y. Zhou et al. LIFT: a low-overhead practical information flow tracking system for detecting security attacks. In MICRO, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. P. Saxena, R. Sekar, and V. Puranik. Efficient fine-grained binary instrumentation with applications to taint-tracking. In CGO, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. K. Scott, N. Kumar, S. Velusamy, B. Childers, and J. Davidson et al. Retargetable and reconfigurable software dynamic translation. In CGO, 2003. Google ScholarGoogle ScholarDigital LibraryDigital Library
  31. D. Song, D. Brumley, H. Yin, J. Caballero, and I. Jager et al. BitBlaze: a new approach to computer security via binary analysis. In ICISS, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  32. R. Wahbe, S. Lucco, T. Anderson, and S. Graham. Efficient software-based fault isolation. In SOSP, 1993. Google ScholarGoogle ScholarDigital LibraryDigital Library
  33. R. Wartell, V. Mohan, K. Hamlen, and Z. Lin. Securing untrusted code via compiler-agnostic binary rewriting. In ACSAC, 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  34. R. Wartell, V. Mohan, K. Hamlen, and Z. Lin. Binary stirring: self-randomizing instruction addresses of legacy x86 binary code. In CCS, 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  35. B. Yee, D. Sehr, G. Dardyk, J. B. Chen, and R. Muth et al. Native Client: a sandbox for portable, untrusted x86 native code. In S&P, 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. C. Zhang, T. Wei, Z. Chen, L. Duan, and S. McCamant et al. Protecting function pointers in binary. In ASIACCS, 2013. Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. C. Zhang, T. Wei, Z. Chen, L. Duan, and L. Szekeres et al. Practical control flow integrity & randomization for binary executables. In S&P, 2013. Google ScholarGoogle ScholarDigital LibraryDigital Library
  38. M. Zhang and R. Sekar. Control flow integrity for COTS binaries. In USENIX Security, 2013 Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. A platform for secure static binary instrumentation

      Recommendations

      Comments

      Login options

      Check if you have access through your login credentials or your institution to get full access on this article.

      Sign in

      Full Access

      PDF Format

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader
      About Cookies On This Site

      We use cookies to ensure that we give you the best experience on our website.

      Learn more

      Got it!