Transcript of slides: A Framework for Robust Low-Overhead Binary Instrumentation (RL-Bin) · 2020-01-20
Slide 1
A Framework for Robust Low-Overhead Binary Instrumentation
Amir Majlesi-Kupaei, Danny Kim, Kapil Anand, Aparna Kotha, Khaled ElWazeer, Rajeev Barua
RL-Bin
Slide 2
The Problem: Instrumenting programs
Program instrumentation is invaluable for the following capabilities:
● Vulnerability patching
● Security enforcement
● Optimization
● Performance monitoring
● Resource monitoring
Slide 3
Instrumenting interpreted vs. binary code
Programming languages:
● Interpreted (Python, Java, …)
  - Relatively easy to instrument!
● Compiled (C, C++, Fortran, …)
  - Instrumentation is very complicated!
Why does binary code persist?
1. IP protection
2. High performance
We need a binary rewriter to instrument binary code!
Slide 4
Requirements for deployment use of a binary rewriter
● The solution must be robust: it should work for all binaries
● It must also be low-overhead: high overhead is not tolerated in practice
Slide 5
Static binary rewriters
What is a static rewriter?
Most commercial binaries are stripped, so they lack:
● Debug info
● Relocation info
● Symbol table
Limitations of static rewriters:
● Do not support obfuscation
● No support for self-modifying code
● Dynamically-generated code not supported
● The binary file will change => checksum mismatch
● Error prone for all programs
Slide 6
Dynamic Solutions
In-place designs (e.g. Dyninst’06 and BIRD)
● No support for obfuscation, self-modifying and dynamically generated code
Code-cache based designs (e.g. Pin and DynamoRIO)
● They are robust but have high overhead!
Slide 7
Why does a code cache have high overhead?
● Indirect CTIs are everywhere
● They need to be translated
● Address translation cannot be removed!
(Figure label on the slide: Translation Overhead)
Slide 8
Summary of existing solutions
(Chart on the slide: robustness vs. better performance)
● Existing dynamic binary rewriters: robust but high overhead!
● Static binary rewriters: low overhead but not robust!
● RL-Bin: where we need to be.
Slide 9
Our Solution (RL-Bin)
RL-Bin (Robust Low-overhead Binary Rewriter)
● RL-Bin has very low overhead (less than 5%)
● RL-Bin is robust; it supports
  ○ Obfuscation
  ○ Self-modifying code
  ○ Dynamically-generated code
Slide 10
RL-Bin’s Overall Approach
● Does not rely on static analysis
● Instead, it discovers code dynamically as it executes
● Conceptually, discover every CTI’s target as code when that CTI executes
Flow shown on the slide:
1. Program: execute code
2. No new code executed: keep executing
3. New code executed: RL-Bin disassembles the new code
4. RL-Bin adds instrumentation to detect new code execution
5. RL-Bin removes redundant instrumentation, and execution continues
Slide 11
How Far Can We Disassemble New Code?
● When we arrive at a new code location, how far can we continue disassembling code?
● There are four possibilities:
  ○ Straight-line code (non-CTI instructions): the address of the next instruction is known
  ○ Unconditional jumps: the address of the target is known and fixed
  ○ Conditional branches: need run-time verification because we cannot assume that both targets are code
  ○ Indirect CTIs: must be verified during run-time because targets are discovered dynamically
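The code-discovery walk of slides 10 and 11, as an added example that is not RL-Bin's code: from a newly reached address it decodes straight-line x86-32 instructions until the first CTI and reports whether the next address is already known (straight-line, unconditional jump) or must be verified at run time (conditional branch, indirect CTI). The opcode subset, the decode/walk_block names and the sample byte block are all constructed for this illustration.

```c
/* Added example, not RL-Bin's code: discover code as slides 10-11 describe.
 * From a newly reached address, decode straight-line x86-32 instructions until
 * the first control-transfer instruction (CTI), then report whether the next
 * address is known (straight-line, unconditional jump) or needs run-time
 * verification (conditional, indirect). Unsupported opcodes stop the walk. */
#include <stdint.h>
#include <stddef.h>

enum cti { CTI_NONE, CTI_UNCOND, CTI_COND, CTI_INDIRECT, CTI_UNDECODABLE };
struct walk { enum cti kind; size_t cti_off, next_off; int32_t target; };

/* Length of the instruction at c[off] (0 if unsupported or truncated), its CTI class
 * and, for direct jumps/branches, the rel8 displacement. */
static size_t decode(const uint8_t *c, size_t len, size_t off, enum cti *k, int32_t *rel) {
    uint8_t op = c[off];
    *k = CTI_NONE; *rel = 0;
    if (op == 0x90 || (op >= 0x50 && op <= 0x5F)) return 1;        /* nop, push/pop r32 */
    if (op >= 0xB8 && op <= 0xBF) return off + 5 <= len ? 5 : 0;   /* mov r32, imm32 */
    if (op == 0xC3) { *k = CTI_INDIRECT; return 1; }                /* ret: target is on the stack */
    if (off + 2 > len) return 0;
    if (op == 0xFF && (c[off + 1] & 0xC0) == 0xC0 &&                /* call/jmp reg (ModRM /2, /4) */
        ((c[off + 1] & 0x38) == 0x10 || (c[off + 1] & 0x38) == 0x20)) { *k = CTI_INDIRECT; return 2; }
    if (op == 0xEB) { *k = CTI_UNCOND; *rel = (int8_t)c[off + 1]; return 2; }          /* jmp rel8 */
    if (op >= 0x70 && op <= 0x7F) { *k = CTI_COND; *rel = (int8_t)c[off + 1]; return 2; } /* jcc rel8 */
    return 0;
}

/* Walk from 'start' to the first CTI. 'target' is the fixed target offset for direct
 * jumps/branches and -1 where the target is only known at run time. */
struct walk walk_block(const uint8_t *c, size_t len, size_t start) {
    struct walk r = { CTI_UNDECODABLE, start, start, -1 };
    enum cti k = CTI_NONE; int32_t rel = 0;
    for (size_t off = start, n; off < len; off += n) {
        n = decode(c, len, off, &k, &rel);
        r.cti_off = off; r.next_off = off + n;
        if (n == 0) return r;                                /* undecodable: stop, do not guess */
        if (k != CTI_NONE) { r.kind = k; r.target = k == CTI_INDIRECT ? -1 : (int32_t)(off + n) + rel; return r; }
    }
    r.kind = CTI_NONE; r.cti_off = r.next_off = len;         /* ran off the end of the block */
    return r;
}

/* Constructed sample block (not from the slides). */
static const uint8_t sample[] = {
    0x55, 0xB8, 1, 0, 0, 0,   /* 0: push ebp; 1: mov eax, 1            */
    0x75, 0x03,               /* 6: jne +3 -> offset 11 (conditional)   */
    0x90, 0x90, 0x90,         /* 8..10: nop                             */
    0xEB, 0xF9,               /* 11: jmp -7 -> offset 6 (fixed target)  */
    0xC3 };                   /* 13: ret (indirect, target from stack)  */
```

Discovery would enqueue the fixed targets it returns (11, then 6) and leave the conditional and indirect cases to run-time checks, which is exactly the split slide 11 draws.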
Slide 12
Discovering new code: Conditional CTIs
● Unoptimized solution for conditional CTIs (diagram: RL-Bin places instrumentation at the conditional CTI, covering both the taken and the fall-through target, Code 1 and Code 2)
● Overhead figure on the slide: 780%
The problem with conditional branches:
● For obfuscated code, one of the two targets may not be code at all!
Slide 13
Discovering new code: Conditional CTIs (continued)
● Optimized handling of conditional CTIs (diagram: hardware breakpoint HW BP #1 on the taken-target code and HW BP #2 on the fall-through code)
A lower-overhead solution:
● Use hardware breakpoints instead of instrumentation
● Breakpoints can be removed once one or both of the targets are executed. Very low overhead!
● Much lower overhead! Overhead figure on the slide: 252%
Slide 14
Discovering new code: Indirect CTIs
● Unoptimized handling of indirect CTIs (diagram: instrumentation before the indirect CTI checks the target address; if the address is already handled, execution continues to the known code, otherwise RL-Bin disassembles it)
  - Indefinite number of run-time computed targets.
● The instrumentation could be optimized and either reduced or removed! Overhead figures on the slide:
  ○ Branch target prediction for common-case target specialization: 113%
  ○ Function cloning to eliminate returns: 49%
  ○ Safe functions (i.e., those that cannot modify the return address): 14%
Slide 15
More Optimizations
Whitelisting library modules (overhead figure on the slide: 9%)
• Optionally do not monitor Win32 or standard library DLLs
• Only possible when callback functions and callback addresses are known
Optimizing library calls (overhead figure on the slide: 5%)
• Library calls are done through the Import Address Table (IAT).
• An indirect call that always has a single destination!
• Optimize away the check by write-protecting the IAT
Slide 16
Handling Self-Modifying Code
● To detect self-modifying code:
  ○ The code segment is write-protected
  ○ Any change to the code segment will trigger an exception
  ○ Modified code will be disassembled and analyzed again
● The method can be optimized by adding instrumentation before and after instructions that cause self-modification (this is a best-effort optimization to avoid triggering a lot of exceptions)
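The write-protection scheme of slide 16, as an added example that is not RL-Bin's code and uses Linux mprotect plus a SIGSEGV handler in place of the Windows exception handling RL-Bin targets: a page of constructed "code" is made read-only, a store into it is caught, recorded as dirty (the address a rewriter would re-disassemble) and allowed to complete, and the page is re-protected afterwards. The setup_protected_region and self_modify_and_check names are assumptions.

```c
/* Added example (not RL-Bin's code): slide 16's write-protection scheme on
 * Linux. A page of constructed "code" is made read-only; a store into it
 * faults, the SIGSEGV handler records the address as dirty and lets the
 * store complete, and the page is re-protected once the dirty code has
 * been re-disassembled (here: right after the check). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static uint8_t backing[2 * 65536];             /* room for one page on common page sizes */
static volatile uint8_t *code_region;          /* page-aligned window inside 'backing' */
static size_t page_size;
static volatile uintptr_t dirty_addr;          /* address of the last caught self-modification */
static volatile int dirty_count;

static void on_fault(int sig, siginfo_t *si, void *ctx) {
    uintptr_t a = (uintptr_t)si->si_addr, lo = (uintptr_t)code_region;
    (void)sig; (void)ctx;
    if (a < lo || a >= lo + page_size) { signal(SIGSEGV, SIG_DFL); return; } /* not ours: crash normally */
    dirty_addr = a; dirty_count++;
    mprotect((void *)code_region, page_size, PROT_READ | PROT_WRITE); /* let the store retire */
}

/* Fill one page with nops, install the handler and write-protect it. Returns 0 on success. */
int setup_protected_region(void) {
    struct sigaction sa;
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    code_region = (uint8_t *)(((uintptr_t)backing + page_size - 1) & ~(uintptr_t)(page_size - 1));
    for (size_t i = 0; i < page_size; i++) code_region[i] = 0x90;   /* constructed: a page of nops */
    memset(&sa, 0, sizeof sa);
    sigemptyset(&sa.sa_mask); sa.sa_flags = SA_SIGINFO; sa.sa_sigaction = on_fault;
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
    return mprotect((void *)code_region, page_size, PROT_READ);
}

/* Simulate the program patching its own code at 'off'. Returns 1 if exactly one
 * fault was caught at that address and the byte landed, then re-arms protection. */
int self_modify_and_check(size_t off, uint8_t byte) {
    dirty_count = 0;
    code_region[off] = byte;                   /* faults; handler unprotects; store completes */
    int ok = dirty_count == 1 && dirty_addr == (uintptr_t)(code_region + off) && code_region[off] == byte;
    mprotect((void *)code_region, page_size, PROT_READ);
    return ok;
}
```

Every caught fault costs a kernel round trip, which is why the slide adds instrumentation around known self-modifying instructions as a best-effort way to avoid them.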
Slide 17
Handling Multi-Threaded Code
Race conditions from access to shared data structures, such as the disassembly table, must be handled:
➢ Thread 1 is instrumenting a piece of code
➢ Thread 2 is executing the same code
➢ Thread 2 might execute from an address that is in the middle of an instrumentation instruction added by thread 1. The application will crash!
Handled by using mutually exclusive access to shared data structures
Slide 18
Limitations of RL-Bin
RL-Bin can handle any application that can be debugged by a debugger. Benign applications are meant to be debugged, so they are supported.

| Troublesome feature | Why debuggers would fail too |
| --- | --- |
| Self-checksumming the memory image | Debuggers use breakpoints and change the memory checksum |
| Self-referencing code | Detects changes in the code (which debuggers change) |
| Memory layout checking | Requires no change in memory layout (which debuggers do) |
Slide 19
Results (SPEC 2017 Integer)
● Normalized run-time overhead of rewriters without added instrumentation (chart on the slide)
* Pin has higher overhead than DynamoRIO according to C.-K. Luk et al., ACM, 2005
Slide 20
Results (SPEC 2017 Floating Point)
● Normalized run-time overhead of rewriters without added instrumentation (chart on the slide)
Slide 21
Results with example heavyweight instrumentation
● Run-time overhead of rewriters with added instrumentation to count external calls (chart on the slide)
● The overhead is significant because all indirect calls (which are common) must be intercepted
Slide 22
Proving Robustness
● Accuracy and code coverage
  ○ The number of dynamically executed instructions was measured and compared against DynamoRIO.
  ○ Matched in all cases for SPECrate 2017 benchmarks
● Commercial applications were tested, covering:
  ○ Obfuscation
  ○ Self-modifying code
  ○ Dynamically-generated code
Slide 23
Related Works
(Chart on the slide: robustness vs. better performance, with RL-Bin plotted alongside the tools below)
Tools shown: SecondWrite, Dyninst’06, Atom, Diablo, Pebil, DynamoRIO, Valgrind, Pin, Dyninst’11, Diota, BIRD
Legend:
1. No support for obfuscation and dynamic features
2. Support dynamically generated code
3. Support conditional obfuscation
4. Support exception based obfuscation
5. Support self modifying code
Slide 24
Future Work
● Improve robustness by overcoming limitations
● Develop a custom instrumentation API (user-friendly API for instrumentation)
● Plan to release RL-Bin publicly in late 2020
Slide 25
Thanks for your time!
RL-Bin
Amir Majlesi-Kupaei, University of Maryland, College Park, [email protected]
Danny Kim, University of Maryland, College Park, [email protected]
Rajeev Barua, University of Maryland, College Park, [email protected]