Stony Brook University Logo Department of Computer Science Stony Brook Search Button
Secure Systems Lab

PSI: A Platform for Secure Static Binary Instrumentation

See our VEE 2014 paper for an overview of this approach. Some of the key steps are described in more detail in our paper from USENIX Security 2013.


Program instrumentation techniques form the basis of many recent software security defenses, including defenses against common exploits and security policy enforcement. As compared to source-code instrumentation, binary instrumentation is easier to use and more broadly applicable due to theready availability of binary code. Two key features neededfor security instrumentations are (a) it should be applied to all application code, including code contained in various system and application libraries, and (b) it should be non-bypassable. So far, dynamic binary instrumentation (DBI) techniques have provided these features, whereas static bi-nary instrumentation (SBI) techniques have lacked them.These features, combined with ease of use, have made DBI the de facto choice for security instrumentations. However,DBI techniques can incur high overheads in several commonusage scenarios, such as application startups, system-calls,and many real-world applications. We therefore develop a newplatform for secure static binary instrumentation (PSI) that overcomes these drawbacks of DBI techniques, whileretaining the security, robustness and ease-of-use features.We illustrate the versatility of PSI by developing severalinstrumentation applications: basic block counting, shadowstack defense against control-flow hijack and return-orientedprogramming attacks, and system call and library policy en-forcement. While being competitive with the best DBI toolson CPU-intensive SPEC 2006 benchmark, PSI provides an order of magnitude reduction in overheads on a collection of real-world applications


PSI is alpha software. It is provided only for the research and evaluation purpose.


Virtual Box VM shipped under GPL v1 or later:



This is the initial version. Updated version will be released later


This work was supported in part by an NSF grants CNS-1319137, CNS-0831298, an AFOSR grant FA9550-09-1-0539, and an ONR grant N000140710928.

Home Contact CEWIT Center for Cyber Security

Copyright © 1999-2013 Secure Systems Laboratory, Stony Brook University. All rights reserved.