Abstract
Over the past 20 years, dynamic binary instrumentation (DBI) has been widely adopted for program analysis and security applications, including program debugging, profiling, reverse engineering, and malware analysis. Many DBI platforms exist today; the most popular is Pin, which provides a rich set of instrumentation APIs for process-level instrumentation. However, Pin does not support instrumentation of OS kernels. In addition, its instrumentation and analysis routines always execute inside the virtual machine (VM) being analyzed, in the same address space as the instrumented program, so it cannot support out-of-VM introspection, where strong isolation between the analysis and the analyzed system is required. This paper therefore presents PEMU, a new open-source DBI framework that is compatible with the Pin APIs but supports out-of-VM introspection of both user-level processes and OS kernels. Unlike in-VM instrumentation, where there is no semantic gap, out-of-VM introspection must bridge the semantic gap between raw guest state and OS-level abstractions, and expose those abstractions as APIs to programmers. One important feature of PEMU is its API compatibility with Pin: many existing Pin plugins run atop PEMU without any source-code modification. We have implemented PEMU, and our experimental results with the SPEC 2006 benchmarks show that it introduces reasonable overhead.
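The abstract says that out-of-VM introspection must bridge the semantic gap before OS-level abstractions can be offered to plugins. The following is an added example, not code from the PEMU paper or project, showing one concrete instance of that bridging in C: reconstructing a guest's process list by walking a kernel task list in a raw guest-memory image, with every guest pointer bounds-checked so that a corrupted or hostile guest can fail a read but never fault the analysis side. The guest image, the KERNEL_BASE direct-map translation, the task_struct field offsets and the three tasks are all constructed for this example and are not real Linux values; a real tool would take the offsets from the guest kernel's debug symbols.

```c
/* Added example, not PEMU's code: an out-of-VM tool rebuilding a guest's
 * process list from raw guest memory. The guest image, the KERNEL_BASE direct
 * map and the task_struct layout below are constructed, not real Linux offsets. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUEST_MEM_SIZE 4096u
#define KERNEL_BASE    0xC0000000u            /* assumed direct map: gpa = gva - KERNEL_BASE */
#define INIT_TASK_GVA  (KERNEL_BASE + 0x100u) /* assumed address of init_task */
#define MAX_PROCS      64u
#define OFF_PID        0u   /* toy task_struct: uint32_t pid */
#define OFF_COMM       4u   /* char comm[16] */
#define OFF_NEXT       20u  /* uint32_t tasks.next: gva of the next task's tasks field */
struct guest_proc { uint32_t pid; char comm[16]; };

/* Bounds-checked gva -> image offset: guest pointers are never dereferenced directly. */
static int gva_to_off(uint32_t gva, size_t need, size_t mem_len, size_t *off)
{
    if (gva < KERNEL_BASE || gva - KERNEL_BASE > mem_len || need > mem_len - (gva - KERNEL_BASE)) return -1;
    *off = gva - KERNEL_BASE;
    return 0;
}

static int read_u32(const uint8_t *mem, size_t len, uint32_t gva, uint32_t *v)
{
    size_t o;
    if (gva_to_off(gva, 4, len, &o)) return -1;
    *v = (uint32_t)mem[o] | (uint32_t)mem[o + 1] << 8 | (uint32_t)mem[o + 2] << 16 | (uint32_t)mem[o + 3] << 24;
    return 0;
}

/* Walk the circular tasks list from init_task; stop when it wraps back to init_task, when
 * a pointer leaves the image, or after max entries so a DKOM-corrupted list cannot loop us. */
size_t walk_process_list(const uint8_t *mem, size_t len, uint32_t init_task_gva,
                         struct guest_proc *out, size_t max)
{
    size_t n = 0;
    uint32_t task = init_task_gva, next_field;
    while (n < max) {
        size_t off;
        if (gva_to_off(task, OFF_NEXT + 4u, len, &off)) break;
        if (read_u32(mem, len, task + OFF_PID, &out[n].pid)) break;
        memcpy(out[n].comm, mem + off + OFF_COMM, 16);
        out[n].comm[15] = '\0';
        n++;
        if (read_u32(mem, len, task + OFF_NEXT, &next_field)) break;
        if (next_field < OFF_NEXT) break;
        task = next_field - OFF_NEXT;        /* container_of(next, task_struct, tasks) */
        if (task == init_task_gva) break;    /* wrapped around: done */
    }
    return n;
}

/* Constructed guest image: three tasks in a circular list (little-endian stores). */
static void write_u32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

static void put_task(uint8_t *mem, uint32_t gva, uint32_t pid, const char *comm, uint32_t next_gva)
{
    uint8_t *t = mem + (gva - KERNEL_BASE);
    write_u32(t + OFF_PID, pid);
    memset(t + OFF_COMM, 0, 16); strncpy((char *)t + OFF_COMM, comm, 15);
    write_u32(t + OFF_NEXT, next_gva + OFF_NEXT);
}

static uint8_t g_mem[GUEST_MEM_SIZE]; static struct guest_proc g_procs[MAX_PROCS];

static void build_guest_image(void)
{
    uint32_t t0 = INIT_TASK_GVA, t1 = t0 + 0x40u, t2 = t0 + 0x80u;
    memset(g_mem, 0, sizeof g_mem);
    put_task(g_mem, t0, 0,   "swapper", t1);
    put_task(g_mem, t1, 100, "bash",    t2);
    put_task(g_mem, t2, 200, "sshd",    t0);
}

size_t introspect_demo(void)
{
    build_guest_image();
    return walk_process_list(g_mem, sizeof g_mem, INIT_TASK_GVA, g_procs, MAX_PROCS);
}

/* Same image, but bash's next pointer is clobbered to point outside guest memory: walk stops cleanly at 2. */
size_t introspect_demo_corrupted(void)
{
    build_guest_image();
    write_u32(g_mem + (INIT_TASK_GVA + 0x40u - KERNEL_BASE) + OFF_NEXT, 0xDEADBEEFu);
    return walk_process_list(g_mem, sizeof g_mem, INIT_TASK_GVA, g_procs, MAX_PROCS);
}

uint32_t    demo_pid(size_t i)  { return g_procs[i].pid; }
const char *demo_comm(size_t i) { return g_procs[i].comm; }

int main(void)
{
    printf("%zu tasks walked; %zu recovered from the corrupted list\n", introspect_demo(), introspect_demo_corrupted());
    return 0;
}
```

Compile with any C99 compiler and run: the walk returns three tasks on the intact image and stops at two on the corrupted one. Routing every read through gva_to_off is the isolation property the abstract asks for: the analysis side only ever reads bytes and never executes guest code or trusts a guest pointer. A list walk still only sees what the guest's own bookkeeping lists, so a process unlinked from the task list by a rootkit is invisible to it; cross-checking against other kernel structures is the usual mitigation.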
PEMU: A Pin Highly Compatible Out-of-VM Dynamic Binary Instrumentation Framework
VEE '15: Proceedings of the 11th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments