Make it work, make it right, make it fast: Building a platform-neutral whole-system dynamic binary analysis platform

Andrew Henderson, Aravind Prakash, Lok Kwong Yan, Xunchao Hu, Xujiewen Wang, Rundong Zhou, Heng Yin

Research output: Chapter in Book/Entry/Poem › Conference contribution

90 Scopus citations

Abstract

Dynamic binary analysis is a prevalent and indispensable technique in program analysis. While several dynamic binary analysis tools and frameworks have been proposed, all suffer from one or more of: prohibitive performance degradation, semantic gap between the analysis code and the program being analyzed, architecture/OS specificity, being user-mode only, lacking APIs, etc. We present DECAF, a virtual machine based, multi-target, whole-system dynamic binary analysis framework built on top of QEMU. DECAF provides Just-In-Time Virtual Machine Introspection combined with a novel TCG instruction-level tainting at bit granularity, backed by a plugin based, simple-to-use event driven programming interface. DECAF exercises fine control over the TCG instructions to accomplish on-the-fly optimizations. We present 3 platform-neutral plugins - Instruction Tracer, Keylogger Detector, and API Tracer, to demonstrate the ease of use and effectiveness of DECAF in writing cross-platform and system-wide analysis tools. Implementation of DECAF consists of 9550 lines of C++ code and 10270 lines of C code and we evaluate DECAF using CPU2006 SPEC benchmarks and show average overhead of 605% for system wide tainting and 12% for VMI.

Original language: English (US)
Title of host publication: 2014 International Symposium on Software Testing and Analysis, ISSTA 2014 - Proceedings
Publisher: Association for Computing Machinery, Inc
Pages: 248-258
Number of pages: 11
ISBN (Electronic): 9781450326452
State: Published - Jul 21 2014
Event: 23rd International Symposium on Software Testing and Analysis, ISSTA 2014 - San Jose, United States
Duration: Jul 21 2014 to Jul 25 2014

Publication series

Name: 2014 International Symposium on Software Testing and Analysis, ISSTA 2014 - Proceedings

Other

Other: 23rd International Symposium on Software Testing and Analysis, ISSTA 2014
Country/Territory: United States
City: San Jose
Period: 7/21/14 to 7/25/14

Keywords

  • Dynamic binary analysis
  • Dynamic taint analysis
  • Virtual machine introspection

ASJC Scopus subject areas

  • Software
