TY - GEN
T1 - Make it work, make it right, make it fast
T2 - 23rd International Symposium on Software Testing and Analysis, ISSTA 2014
AU - Henderson, Andrew
AU - Prakash, Aravind
AU - Yan, Lok Kwong
AU - Hu, Xunchao
AU - Wang, Xujiewen
AU - Zhou, Rundong
AU - Yin, Heng
N1 - Publisher Copyright:
Copyright 2014 ACM.
PY - 2014/7/21
Y1 - 2014/7/21
N2 - Dynamic binary analysis is a prevalent and indispensable technique in program analysis. While several dynamic binary analysis tools and frameworks have been proposed, all suffer from one or more of: prohibitive performance degradation, a semantic gap between the analysis code and the program being analyzed, architecture/OS specificity, being user-mode only, lacking APIs, etc. We present DECAF, a virtual machine based, multi-target, whole-system dynamic binary analysis framework built on top of QEMU. DECAF provides Just-In-Time Virtual Machine Introspection combined with a novel TCG instruction-level tainting at bit granularity, backed by a plugin based, simple-to-use event driven programming interface. DECAF exercises fine control over the TCG instructions to accomplish on-the-fly optimizations. We present 3 platform-neutral plugins - Instruction Tracer, Keylogger Detector, and API Tracer - to demonstrate the ease of use and effectiveness of DECAF in writing cross-platform and system-wide analysis tools. The implementation of DECAF consists of 9550 lines of C++ code and 10270 lines of C code, and we evaluate DECAF using the SPEC CPU2006 benchmarks and show an average overhead of 605% for system-wide tainting and 12% for VMI.
AB - Dynamic binary analysis is a prevalent and indispensable technique in program analysis. While several dynamic binary analysis tools and frameworks have been proposed, all suffer from one or more of: prohibitive performance degradation, a semantic gap between the analysis code and the program being analyzed, architecture/OS specificity, being user-mode only, lacking APIs, etc. We present DECAF, a virtual machine based, multi-target, whole-system dynamic binary analysis framework built on top of QEMU. DECAF provides Just-In-Time Virtual Machine Introspection combined with a novel TCG instruction-level tainting at bit granularity, backed by a plugin based, simple-to-use event driven programming interface. DECAF exercises fine control over the TCG instructions to accomplish on-the-fly optimizations. We present 3 platform-neutral plugins - Instruction Tracer, Keylogger Detector, and API Tracer - to demonstrate the ease of use and effectiveness of DECAF in writing cross-platform and system-wide analysis tools. The implementation of DECAF consists of 9550 lines of C++ code and 10270 lines of C code, and we evaluate DECAF using the SPEC CPU2006 benchmarks and show an average overhead of 605% for system-wide tainting and 12% for VMI.
KW - Dynamic binary analysis
KW - Dynamic taint analysis
KW - Virtual machine introspection
UR - http://www.scopus.com/inward/record.url?scp=84942787970&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84942787970&partnerID=8YFLogxK
U2 - 10.1145/2610384.2610407
DO - 10.1145/2610384.2610407
M3 - Conference contribution
AN - SCOPUS:84942787970
T3 - 2014 International Symposium on Software Testing and Analysis, ISSTA 2014 - Proceedings
SP - 248
EP - 258
BT - 2014 International Symposium on Software Testing and Analysis, ISSTA 2014 - Proceedings
PB - Association for Computing Machinery, Inc
Y2 - 21 July 2014 through 25 July 2014
ER -