Reducing the Attack Surface of Dynamic Binary Instrumentation Frameworks

  • Ailton Santos FilhoEmail author
  • Ricardo J. Rodríguez
  • Eduardo L. Feitosa
Conference paper
Part of the Smart Innovation, Systems and Technologies book series (SIST, volume 152)


Malicious applications pose as one of the most relevant issues in today’s technology scenario, being considered the root of many Internet security threats. In part, this owes the ability of malware developers to promptly respond to the emergence of new security solutions by developing artifacts to detect and avoid them. In this work, we present three countermeasures to mitigate recent mechanisms used by malware to detect analysis environments. Among these techniques, this work focuses on those that enable a malware to detect dynamic binary instrumentation frameworks, thus increasing their attack surface. To ensure the effectiveness of the proposed countermeasures, proofs of concept were developed and tested in a controlled environment with a set of anti-instrumentation techniques. Finally, we evaluated the performance impact of using such countermeasures.


Anti-instrumentation Analysis-aware Malware Dynamic binary instrumentation Anti-analysis 



The research of A. Santos Filho and E. L. Feitosa supported in part by the FAPEAM Proc. No. 009/2017 and by the Federal University of Amazonas (UFAM). The research of R. J. Rodríguez was supported in part by the University, Industry and Innovation Department of the Aragonese Government under Programa de Proyectos Estratégicos de Grupos de Investigación (project references T21-17R).


  1. 1.
    Arafa, P.: Time-aware dynamic binary instrumentation. Ph.D. thesis, University of Waterloo (2017)Google Scholar
  2. 2.
    AV-TEST GmbH: The AV-TEST Security Report 2017/2018 (2018)Google Scholar
  3. 3.
    Balzarotti, D., Cova, M., Karlberger, C., Kirda, E., Kruegel, C., Vigna, G.: Efficient detection of split personalities in malware. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2010)Google Scholar
  4. 4.
    Bruening, D., Zhao, Q., Amarasinghe, S.: Transparent dynamic instrumentation. ACM SIGPLAN Not. 47(7), 133–144 (2012)CrossRefGoogle Scholar
  5. 5.
    Carpenter, M., Liston, T., Skoudis, E.: Hiding virtualization from attackers and malware. IEEE Secur. Priv. 5(3), 62–65 (2007)CrossRefGoogle Scholar
  6. 6.
    CPU2006, S.: Standard performance evaluation corporation. (2006) (Online)
  7. 7.
    Falcón, F., Riva, N.: Dynamic binary instrumentation frameworks: I know you’re there spying on me (2012)Google Scholar
  8. 8.
    Ferrie, P.: Attacks on virtual machine emulators. Symantec Adv. Res. Threat. Res. 1–13 (2007)Google Scholar
  9. 9.
    Greamo, C., Ghosh, A.: Sandboxing and virtualization: modern tools for combating malware. IEEE Secur. Priv. 9(2), 79–82 (2011)CrossRefGoogle Scholar
  10. 10.
    Hron, M., Jermář, J.: SafeMachine malware needs love, too. (2014) (Online)
  11. 11.
    Kaspersky lab: Kaspersky lab detects 360,000 new malicious files daily—up 11.5% from 2016. (2017) (Online)
  12. 12.
    Kirat, D., Vigna, G., Kruegel, C.: Barecloud: Bare-metal analysis-based evasive malware detection. In: 23rd USENIX Security Symposium (USENIX Security 14), pp. 287–301. USENIX Association, San Diego, CA (2014)Google Scholar
  13. 13.
    Kumar, A.V., Vishnani, K., Kumar, K.V.: Split personality malware detection and defeating in popular virtual machines. In: Proceedings of the 5th International Conference on Security of Information and Networks (SIN), pp. 20–26. ACM (2012)Google Scholar
  14. 14.
    Li, X., Li, K.: Defeating the transparency features of dynamic binary instrumentation. BlackHat US (2014)Google Scholar
  15. 15.
    Lueck, G., Patil, H., Pereira, C.: PinADX: An interface for customizable debugging with dynamic instrumentation. In: Proceedings of the 10th International Symposium on Code Generation and Optimization (CGO), pp. 114–123. ACM, New York, NY, USA (2012)Google Scholar
  16. 16.
    Luk, C.K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V.J., Hazelwood, K.: Pin: Building customized program analysis tools with dynamic instrumentation. In: Proceedings of the 2005 ACM SIGPLAN conference on Programming Language Design and Implementation, PLDI ’05, pp. 190–200. ACM, New York, NY, USA (2005)Google Scholar
  17. 17.
  18. 18.
    Pan, H., Asanović, K., Cohn, R., Luk, C.K.: Controlling program execution through binary instrumentation. SIGARCH Comput. Archit. News 33(5), 45–50 (2005)CrossRefGoogle Scholar
  19. 19.
    Polino, M., Continella, A., Mariani, S., D’Alessio, S., Fontata, L., Gritti, F., Zanero, S.: Measuring and Defeating Anti-Instrumentation-Equipped Malware. Detection of Intrusions and Malware and Vulnerability Assessment, pp. 73–96. Springer International Publishing, Cham (2017)CrossRefGoogle Scholar
  20. 20.
    Rodríguez, R.J., Artal, J.A., Merseguer, J.: Performance evaluation of dynamic binary instrumentation frameworks. IEEE Lat. Am. Trans. (Rev. IEEE Am. Lat.) 12(8), 1572–1580 (2014)CrossRefGoogle Scholar
  21. 21.
    Rodríguez, R.J., Gaston, I.R., Alonso, J.: Towards the detection of isolation-aware malware. IEEE Lat. Am. Trans. 14(2), 1024–1036 (2016)CrossRefGoogle Scholar
  22. 22.
    Sun, K., Li, X., Ou, Y.: Break Out of The Truman Show: Active Detection and Escape of Dynamic Binary Instrumentation. Black Hat Asia (2016)Google Scholar
  23. 23.
    Vishnani, K., Pais, A.R., Mohandas, R.: Detecting & defeating split personality malware. In: Proocedings of the 5th International Conference on Emerging Security Information, Systems and Technologies (SECURWARE), pp. 7–13 (2011)Google Scholar
  24. 24.
    Zhechev, Z.: Security evaluation of dynamic binary instrumentation engines. Master’s thesis, Department of Informatics Technical University of Munich (2018)Google Scholar

Copyright information

© Springer Nature Singapore Pte Ltd. 2020

Authors and Affiliations

  • Ailton Santos Filho
    • 1
    Email author
  • Ricardo J. Rodríguez
    • 2
  • Eduardo L. Feitosa
    • 1
  1. 1.Instituto de ComputaçãoUniversidade Federal do Amazonas (UFAM)ManausBrazil
  2. 2.Centro Universitario de la DefensaAcademia General MilitarZaragozaSpain

Personalised recommendations