Dynamic Binary Instrumentation (DBI)

What are they?

A DBI system is an application-level virtual machine that interprets the ISA of a specific platform.

  • Usually (but not always) the same ISA as the platform the DBI system itself runs on.

  • Offers instrumentation capabilities so that an analysis tool component can monitor and alter instructions and data.

  • Down to the granularity of a single instruction.

DBI systems extend standard Dynamic Binary Analysis tasks with:

  • Fine-grained monitoring capabilities.

  • Full control over data and instructions, potentially widening the scope of reverse engineering.

Uses:

  • Measure performance,

  • Detect vulnerabilities,

  • Force code execution,

  • Fuzz binary programs at the scale of a group of instructions.

Caveats

DBI is vulnerable to specific attacks that target the emulator.

  • Purpose: avoid running under an emulator, or induce incorrect analysis results.

  • Exploit the fact that DBI tools are slow.

  • Exploit the fact that the system is emulated and therefore differs from a real system.

Some approaches:

  • Extensive loops.

  • Timing measurements.

  • Testing for system-specific behavior.

Instrumentation:

  • Inserting code.

Dynamic Binary Instrumentation:

  • Inserting code into "running" code.

How do they work?

Rebuild the program's binary code using a JIT technique.

  • Insert trace points and hooks for inspection.

  • Divert execution to additional user-specified functions.

  • Monitor access to memory regions.

    • Potentially triggering callbacks on access.

  • May reimplement access to I/O or even syscalls and interrupts.

  • May create a fully emulated execution environment.

    • Can be combined with an emulation platform such as QEMU or Unicorn (a fork of QEMU).

Popular tools: Valgrind, DynamoRIO, Intel Pin, Dyninst, Qiling, Frida.
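As an added illustration (not code from the original page or from any of the tools it names), a toy DBI in Python: it interprets a small constructed register ISA and exposes the two hook points the list above describes, per-instruction trace points and memory-access callbacks, then uses them to count executed opcodes and flag writes into a protected memory region. The ISA, the ToyDBI class, analyze() and SAMPLE are all constructed here.

```python
from collections import Counter

class ToyDBI:
    # Toy interpreter with DBI-style hook points (constructed example, not a real tool).
    def __init__(self, program, mem_size=64):
        self.program = program            # list of instruction tuples
        self.mem = [0] * mem_size
        self.regs = {"r0": 0, "r1": 0, "r2": 0}
        self.insn_hooks = []              # trace points: called before each instruction
        self.mem_hooks = []               # memory monitors: called on every load/store

    def hook_insn(self, fn): self.insn_hooks.append(fn)
    def hook_mem(self, fn): self.mem_hooks.append(fn)

    def _load(self, addr):
        for fn in self.mem_hooks: fn("read", addr, self.mem[addr])
        return self.mem[addr]

    def _store(self, addr, value):
        for fn in self.mem_hooks: fn("write", addr, value)
        self.mem[addr] = value

    def run(self, max_steps=10_000):
        pc = 0
        for _ in range(max_steps):
            insn = self.program[pc]
            for fn in self.insn_hooks: fn(pc, insn)   # trace point before execution
            op, args = insn[0], insn[1:]
            if op == "mov": self.regs[args[0]] = args[1]
            elif op == "addi": self.regs[args[0]] += args[1]
            elif op == "load": self.regs[args[0]] = self._load(self.regs[args[1]])
            elif op == "store": self._store(self.regs[args[0]], self.regs[args[1]])
            elif op == "jnz" and self.regs[args[0]] != 0: pc = args[1]; continue
            elif op == "halt": return pc
            pc += 1
        raise RuntimeError("step limit exceeded")

def analyze(program, protected=range(48, 64)):
    # Run the program under the toy DBI; return opcode counts and writes into protected memory.
    dbi, counts, flagged = ToyDBI(program), Counter(), []
    dbi.hook_insn(lambda pc, insn: counts.update([insn[0]]))
    dbi.hook_mem(lambda kind, addr, val: flagged.append((addr, val))
                 if kind == "write" and addr in protected else None)
    dbi.run()
    return counts, flagged

# Constructed sample: loop three times storing r0 to mem[r1], advancing r1 by 16,
# so the last store lands in the protected region [48, 64).
SAMPLE = [("mov", "r0", 3), ("mov", "r1", 16), ("store", "r1", "r0"),
          ("addi", "r1", 16), ("addi", "r0", -1), ("jnz", "r0", 2), ("halt",)]
```

Calling analyze(SAMPLE) yields 15 executed instructions and one flagged write, (48, 1); a real DBI such as Pin or Frida exposes the same two hook kinds over a native ISA instead of this toy one.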
