Abstract
Dynamic Binary Instrumentation (DBI) systems are being used more and more widely in different research fields, thanks to the advantages they offer in relation to their ease of use. The possibility of monitoring and modifying the behavior of generic software during its execution, by writing a few lines of analysis code, is a great advantage, especially when combined with the ability to operate without the target being aware of it, that is, in a transparent manner. This last peculiarity is the target of this work: we investigate how DBI systems may try to hide discernible artifacts from the software being analyzed by hiding in the shadows. We present a memory scanning technique that seeks the trail the DBI engine leaves in the program address space.
Notes
1. We remark that the technique is independent of the OS version.
2. These functions assist the DBI runtime in its operation and can potentially be manipulated by a malicious program to subvert an analysis based on DBI, breaking also the efficacy of the interposition property that we defined in Sect. 3.2.
© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Palmaro, F., Franchina, L. (2021). Beware of Unknown Areas to Notify Adversaries: Detecting Dynamic Binary Instrumentation Runtimes with Low-Level Memory Scanning. In: Arai, K. (eds) Intelligent Computing. Lecture Notes in Networks and Systems, vol 285. Springer, Cham. https://doi.org/10.1007/978-3-030-80129-8_66
DOI: https://doi.org/10.1007/978-3-030-80129-8_66
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-80128-1
Online ISBN: 978-3-030-80129-8
eBook Packages: Intelligent Technologies and Robotics (R0)