research-article

PEMU: A Pin Highly Compatible Out-of-VM Dynamic Binary Instrumentation Framework

Published: 14 March 2015

Abstract

Over the past 20 years, we have witnessed a widespread adoption of dynamic binary instrumentation (DBI) for numerous program analyses and security applications including program debugging, profiling, reverse engineering, and malware analysis. To date, there are many DBI platforms, and the most popular one is Pin, which provides various instrumentation APIs for process instrumentation. However, Pin does not support the instrumentation of OS kernels. In addition, the execution of the instrumentation and analysis routine is always inside the virtual machine (VM). Consequently, it cannot support any out-of-VM introspection that requires strong isolation. Therefore, this paper presents PEMU, a new open source DBI framework that is compatible with Pin-APIs, but supports out-of-VM introspection for both user level processes and OS kernels. Unlike in-VM instrumentation in which there is no semantic gap, for out-of-VM introspection we have to bridge the semantic gap and provide abstractions (i.e., APIs) for programmers. One important feature of PEMU is its API compatibility with Pin. As such, many Pin plugins are able to execute atop PEMU without any source code modification. We have implemented PEMU, and our experimental results with the SPEC 2006 benchmarks show that PEMU introduces reasonable overhead.



Published in

ACM SIGPLAN Notices, Volume 50, Issue 7
VEE '15
July 2015
221 pages
ISSN: 0362-1340
EISSN: 1558-1160
DOI: 10.1145/2817817
Editor: Andy Gill

VEE '15: Proceedings of the 11th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments
March 2015
238 pages
ISBN: 9781450334501
DOI: 10.1145/2731186

Copyright © 2015 ACM

Publisher: Association for Computing Machinery, New York, NY, United States
