Instruction punning: lightweight instrumentation for x86-64

Existing techniques for injecting probes into running applications are limited; they either fail to support probing arbitrary locations, or to support scalable, rapid toggling of probes. We introduce a new technique on x86-64, called instruction punning, which allows scalable probes at any instruction. The key idea is that when we inject a jump instruction, the relative address of the jump serves simultaneously as data and as an instruction sequence. We show that this approach achieves probe invocation overheads of only a few dozen cycles, and probe activation/deactivation costs that are cheaper than a system call, even when all threads in the system are both invoking probes and toggling them.
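The abstract's key idea, a jump whose relative displacement is simultaneously data and instruction bytes, is concrete enough to show in code. The following is an added illustration, not the paper's implementation: it reuses the four bytes that already follow the probed instruction's first byte as the rel32 operand of an `e9` jump, so enabling or disabling the probe is a single byte store and the operand bytes never change. The load address, the sample prologue bytes and the trampoline arena range are constructed for the example; how the paper actually places trampolines at the punned target is not described in the abstract and is not claimed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the punning idea; not the paper's code.
 * Addresses and the trampoline arena below are hypothetical. */

#define JMP_REL32_LEN 5     /* e9 + 4-byte little-endian displacement */
#define JMP_REL32_OP  0xE9

/* Displacement a rel32 jmp at this location carries if the four bytes
 * already sitting at offsets 1..4 are reused unchanged as its operand. */
static int32_t punned_disp(const uint8_t *code)
{
    int32_t disp;
    memcpy(&disp, code + 1, sizeof disp);   /* x86-64 is little-endian */
    return disp;
}

/* Address the punned jump lands on: end of the 5-byte jmp plus disp. */
static uint64_t punned_target(const uint8_t *code, uint64_t addr)
{
    return addr + JMP_REL32_LEN + (int64_t)punned_disp(code);
}

/* A punned jump fixes its own target, so the runtime must own memory there
 * for a trampoline. Checks the target against a hypothetical arena [lo, hi). */
static int target_in_arena(uint64_t target, uint64_t lo, uint64_t hi)
{
    return target >= lo && target < hi;
}

/* Enable the probe: only byte 0 changes (original opcode -> e9). Bytes 1..4
 * are left exactly as they were, so one byte store is the whole toggle. */
static int probe_enable(uint8_t *code, size_t len, uint8_t *saved_byte)
{
    if (len < JMP_REL32_LEN) return 0;
    *saved_byte = code[0];
    __atomic_store_n(&code[0], (uint8_t)JMP_REL32_OP, __ATOMIC_SEQ_CST);
    return 1;
}

/* Disable the probe by restoring the original first byte. */
static void probe_disable(uint8_t *code, uint8_t saved_byte)
{
    __atomic_store_n(&code[0], saved_byte, __ATOMIC_SEQ_CST);
}

/* Returns 1 if enabling leaves the operand bytes identical to the original
 * bytes 1..4 (the punning invariant), the jump decodes to the predicted
 * target, and disabling restores the original byte. */
static int punning_holds(uint8_t *code, size_t len, uint64_t addr)
{
    uint8_t before[4], saved;
    uint64_t want;
    int ok;

    if (len < JMP_REL32_LEN) return 0;
    want = punned_target(code, addr);
    memcpy(before, code + 1, 4);
    if (!probe_enable(code, len, &saved)) return 0;
    ok = code[0] == JMP_REL32_OP
      && memcmp(before, code + 1, 4) == 0
      && punned_target(code, addr) == want;
    probe_disable(code, saved);
    return ok && code[0] == saved;
}

int main(void)
{
    /* Constructed prologue: push rbp; mov rbp,rsp; sub rsp,0x10 */
    uint8_t code[] = { 0x55, 0x48, 0x89, 0xE5, 0x48, 0x83, 0xEC, 0x10 };
    uint64_t addr = 0x400000;                 /* hypothetical load address */
    uint64_t target = punned_target(code, addr);

    printf("punned disp = 0x%08x, target = 0x%llx\n",
           (unsigned)punned_disp(code), (unsigned long long)target);
    printf("target in arena: %d\n",
           target_in_arena(target, 0x49000000ULL, 0x4A000000ULL));
    printf("punning invariant holds: %d\n",
           punning_holds(code, sizeof code, addr));
    return 0;
}
```

The point the example makes is that the target is not chosen by the instrumentation runtime; it is dictated by whatever bytes follow the probe site, and the runtime must be prepared to back that address with a trampoline. That is the price paid for a toggle that is a single byte store rather than a multi-byte rewrite.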