• Journal of Internet Computing and Services
• /
• v.12 no.5
• /
• pp.63-72
• /
• 2011

Binary translation is a kind of the emulation method which converts a binary code compiled on the particular instruction set architecture to the new binary code that can be run on another one. It has been mostly used for migrating legacy systems to new architecture. In recent, binary translation is used for instrumenting programs without modifying source code, because it enables inserting additional codes dynamically, For general application, there already exists some instrumentation software using binary translation, such as dynamic binary analyzers and virtual machine monitors. On the other hand, in order to be benefited from binary translation in kernel-level, a few issues, which include system performance, memory management, privileged instructions, and synchronization, should be treated. These matters are derived from the structure of the kernel, and the difference between the kernel and user-level application. In this paper, we present a scheme to apply binary translation and dynamic instrumentation on kernel. We implement it on Linux kernel and demonstrate that kernel-level binary translation adds an insignificant overhead to performance of the system.

• Journal of KIISE
• /
• v.41 no.11
• /
• pp.892-899
• /
• 2014

Dynamic binary instrumentation is a code insertion technique for debugging a program without scattering its execution flow, while the program is running. Most dynamic instrumentations are implemented using dynamic binary translation techniques. Existing studies translated program codes dynamically by parsing the machine code stream to intermediate representation (IR) and then applying compilation techniques for IRs. However, they have high overhead during translation, which is a major cause of difficulty in applying the dynamic binary translation technique to the program which requires high responsiveness. In this paper, we introduce a light-weight dynamic binary instrumentation framework based on a novel dynamic binary translation technique which has low overhead while translating the program code. In order to reduce the translation overhead, our approach adopts a tabular-based address translation and exploits a translation bypassing scheme, which stores the translated address of a frequently called library function in advance. It then accesses the translated address and executes function codes without code translation when calling the function. Our experiment results demonstrated that the proposed approach outperforms the prior dynamic binary translation techniques from 2% up to 65%.

• Journal of KIISE:Computer Systems and Theory
• /
• v.37 no.5
• /
• pp.304-313
• /
• 2010

There are several methods for malware analyses. However, it is difficult to detect malware exactly with existing detection methods. Especially, malware with strong anti-debugging facilities can detect analyzer and disturb their analyses. Furthermore, it takes too much time to analyze malware. In order to resolve these problems of current analyzers, more improved analysis scheme is required. This paper suggests a dynamic binary instrumentation which supports the instruction analysis and the memory access tracing. Additionally, by supporting the API call tracing with the DLL loading analysis, our system establishes the foundation for analyzing various executable codes. Based on Xen, full-virtualization environment is built using Intel's VT technology. Windows XP can be used as a guest. We analyze representative malware using several functions of our system, and show the accuracy and efficiency enhancements in binary analyses capability of our system.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2010.11a
• /
• pp.1197-1199
• /
• 2010

본 논문에서는 동적 인스트러멘테이션을 적용한 동적 바이너리 분석 툴들에 대해 비교 분석을 수행하였다. 비교 분석은 각 툴들에서 공통의 항목에 맞는 특성 값들을 도출하여 비교함으로써 동일한 상황에서 툴들의 특장점을 확인할 수 있고, 각 특징에 따른 기술적인 배경을 뒷받침하여 더 나은 동적 분석 툴을 만들 수 있는 발판을 마련하였다. 이를 위해 DynamoRIO, DynInst, Pin, Valgrind의 4가지 동적 분석 툴을 지원 가능 플랫폼, 실행 메카니즘의 컨셉, 인스트러멘테이션 가능 범위, 성능, 라이선스와 관련된 입수 가능성의 5가지 주요 항목으로 비교 분석을 수행하였다.

• KIISE Transactions on Computing Practices
• /
• v.21 no.12
• /
• pp.792-797
• /
• 2015

Effective profiling diagnoses the failure of the system and informs risk. If a failure in the target system occurs, it is impossible to diagnose more than one of the exiting tools. In this respect, monitoring of the system based on virtualization is useful. We present in this paper a monitoring framework that uses the characteristics of hardware virtualization to prevent side-effects from a target guest, and uses dynamic binary instrumentation with instruction-level trapping based on hardware virtualization to achieve efficiency and flexibility. We also present examples of some applications that use this framework. The framework provides tracing of guest kernel function, memory dump, and debugging that uses GDB stub with GDB remote protocol. The experimental evaluation of our prototype shows that the monitoring framework incurs at most 2% write memory performance overhead for end users.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.4
• /
• pp.785-802
• /
• 2017

As cyber threats using malicious code continue to increase, many security and vaccine companies are putting a lot of effort into analysis and detection of malicious codes. However, obfuscation techniques that make software analysis more difficult are applied to malicious codes, making it difficult to respond quickly to malicious codes. In particular, commercial obfuscation tools can quickly and easily generate new variants of malicious codes so that malicious code analysts can not respond to them. In order for analysts to quickly analyze the actual malicious behavior of the new variants, reverse obfuscation(=de-obfuscation) is needed to disable obfuscation. In this paper, general analysis methodology is proposed to de-obfuscate the software used by a commercial obfuscation tool, Themida. First, We describe operation principle of Themida by analyzing obfuscated executable file using Themida. Next, We extract original code and data information of executable from obfuscated executable using Pintool, DBI(Dynamic Binary Instrumentation) framework, and explain the implementation results of automated analysis tool which can deobfuscate to original executable using the extracted original code and data information. Finally, We evaluate the performance of our automated analysis tool by comparing the original executable with the de-obfuscated executable.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.3
• /
• pp.443-454
• /
• 2020

The JavaScript engine is a module that receives JavaScript code as input and processes it, among many functions that are loaded into web browsers and display web pages. Many fuzzing test studies have been conducted as vulnerabilities in JavaScript engines could threaten the system security of end-users running JavaScript through browsers. Some of them have increased fuzzing efficiency by guiding test coverage in JavaScript engines, but no coverage guided fuzzing of optimized, dynamically generated machine code was attempted. Optimized JavaScript codes are difficult to perform sufficient iterative testing through fuzzing due to the function of runtime guards to free the code in the event of exceptional control flow. To solve these problems, this paper proposes a method of performing fuzzing tests on optimized machine code by avoiding deoptimization. In addition, we propose a method to measure the coverage of runtime-guards by the dynamic binary instrumentation and to guide increment of runtime-guard coverage. In our experiment, our method has outperformed the existing method at two measures: runtime coverage and iteration by time.