Beware of Unknown Areas to Notify Adversaries: Detecting Dynamic Binary Instrumentation Runtimes with Low-Level Memory Scanning

  • Conference paper
Intelligent Computing

Part of the book series: Lecture Notes in Networks and Systems (LNNS, volume 285)

Abstract

Dynamic Binary Instrumentation (DBI) systems are used more and more widely across research fields, thanks to the advantages they offer relative to their ease of use. The possibility of monitoring and modifying the behavior of generic software during its execution, by writing a few lines of analysis code, is a great advantage, especially when combined with the ability to operate without the target being aware of it, that is, transparently. This last property is the target of this work: we investigate how DBI systems may try to hide discernible artifacts from the software being analyzed by hiding in the shadows, and we present a memory scanning technique that searches for the trail the DBI engine leaves in the program address space.

Notes

  1. We remark that the technique is independent of the OS version.

  2. These functions assist the DBI runtime in its operation and can potentially be manipulated by a malicious program to subvert an analysis based on DBI, also breaking the efficacy of the interposition property that we defined in Sect. 3.2.

Author information

Corresponding author

Correspondence to Federico Palmaro.

Copyright information

© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Palmaro, F., Franchina, L. (2021). Beware of Unknown Areas to Notify Adversaries: Detecting Dynamic Binary Instrumentation Runtimes with Low-Level Memory Scanning. In: Arai, K. (eds) Intelligent Computing. Lecture Notes in Networks and Systems, vol 285. Springer, Cham. https://doi.org/10.1007/978-3-030-80129-8_66
