Dynamic Binary Instrumentation (DBI)
What are they?
A DBI system is an application-level virtual machine that interprets the ISA of a specific platform, usually (but not always) the same ISA as the host on which the system runs.
It offers instrumentation capabilities so that an analysis tool component can monitor and alter instructions and data, down to the granularity of a single instruction.
DBI systems expand standard Dynamic Binary Analysis tasks with:
Fine-grained monitoring capabilities.
Full control over data and instructions, potentially increasing the scope of Reverse Engineering.
Uses:
Measure performance,
Detect vulnerabilities,
Force code execution,
Fuzz binary programs at the scale of a group of instructions.
Caveats
DBI is vulnerable to specific attacks targeting the emulator.
Purpose: to prevent the program from being analyzed under an emulator, or to induce incorrect analysis results.
Such attacks exploit the fact that DBI tools are slow.
They also exploit the fact that the system is emulated and differs from a real system.
Some approaches:
Extensive loops.
Timing measurements.
Testing for system-specific behavior.
[Diagram: "Instrumentation" (insert code) applied to "running" code, the two halves of the term Dynamic Binary Instrumentation.]
How do they work?
Rebuild the program's binary code using a JIT technique.
Insert trace points and hooks for inspection.
Divert execution to additional user-specified functions.
Monitor access to memory regions.
Potentially triggering callbacks on access.
May reimplement access to I/O, or even syscalls and interrupts.
May create a fully emulated execution environment.
Can be combined with an emulation platform such as QEMU or Unicorn (a fork of QEMU).
Popular tools: valgrind, DynamoRIO, Intel PIN, DynInst, Qiling, Frida.