Unveiling Dynamic Binary Instrumentation Techniques

TL;DR

This paper provides a comprehensive analysis of Dynamic Binary Instrumentation techniques, comparing their methods, performance, and suitability across different scenarios, highlighting that no single approach is universally superior.

Contribution

It offers a detailed comparison of process-level and whole-system DBI approaches, analyzing their building blocks, instrumentation capabilities, and performance trade-offs.

Findings

No single DBI technique outperforms others in all cases.

Different techniques excel at different primitives and runtime events.

Performance varies significantly depending on the approach and application context.

Abstract

Dynamic Binary Instrumentation (DBI) is the set of techniques that enable instrumentation of programs at run-time, making it possible to monitor and modify the execution of compiled binaries or entire systems. DBI is used for countless security applications and analyses, and is extensively used across many fields in both industry and academia. Over the years, several DBI approaches have been proposed based on different technologies and implementing diverse techniques. Every solution tries to overcome certain limitations, but they sometimes bring other shortcomings. Some are specialized for one particular domain or task, while others have a wider scope. In this paper, we shed light into the labyrinth of DBI, bringing together process-level and whole-system approaches. We depict their building blocks and analyze the underlying instrumentation techniques, comparing their ability to instrument different primitives and run-time events. Then, we evaluate their performance when implementing each primitive, and highlight relevant observations. Our results show that no single technique is better than the rest in all circumstances.