Dynamic Binary Instrumentation (DBI)

What are they?

DBI system is an application virtual machine that interprets the ISA of a specific platform.

• Usually (but not always) coinciding with the one where the system runs.

• Offer instrumentation capabilities to monitor and alter instructions and data from an analysis tool component.

• Up to the level of a single instruction.

DBI systems expand standard Dynamic Binary Analysis tasks by:

• Fine-grained monitoring capabilities.

• Full control over data and instructions, potentially increasing Reverse Engineering Scope.

Uses:

• Measure performance,

• Detect vulnerabilities,

• Force code execution,

• Fuzz binary programs at the scale of a group of instructions.

Caveats

DBI is vulnerable to specific attacks targeting the emulator.

• Purpose: avoid the use of emulators or induce incorrect results.

• Exploit the fact that DBI tools are slow.

• Exploit the fact that the system is emulated and differs from a real system.

Some approaches.

• Extensive loops Timing measurements.

• Timing measurements.

• Testing for system-specific behavior.

Instrumentation.

• Insert code.

Dynamic Binary Instrumentation.

• "Running" Code.

How do they work?

Rebuild a program binary code using some JIT technique.

• Insert trace points and hooks for inspection.

• Divert execution to additional user-specified functions.

• Monitor access to memory regions.

  • Potentially triggering callbacks on access.

• May reimplement access to IOs or even syscalls and interrupts.

• May create a fully Emulated Execution Environment.

  • Can be combined with an Emulation platform such as QEMU or Unicorn (a fork from QEMU).

Popular tools: valgrind, DynamoRIO, Intel PIN, DynInst, Qiling, Frida.