PSI: A Platform for Secure Static Binary Instrumentation
See our VEE 2014
paper for an overview of this approach. Some of the key steps are described in more detail in our paper from USENIX Security 2013.
Program instrumentation techniques form the basis
of many recent software security defenses, including defenses against common
exploits and security policy enforcement. As compared to source-code
instrumentation, binary instrumentation is easier to use and more broadly
applicable due to theready availability of binary code. Two key features
neededfor security instrumentations are (a) it should be applied to all
application code, including code contained in various system and application
libraries, and (b) it should be non-bypassable. So far, dynamic binary
instrumentation (DBI) techniques have provided these features, whereas static
bi-nary instrumentation (SBI) techniques have lacked them.These features,
combined with ease of use, have made DBI the de facto choice for security
instrumentations. However,DBI techniques can incur high overheads in several
commonusage scenarios, such as application startups, system-calls,and many
real-world applications. We therefore develop a newplatform for secure static
binary instrumentation (PSI) that overcomes these drawbacks of DBI techniques,
whileretaining the security, robustness and ease-of-use features.We illustrate
the versatility of PSI by developing severalinstrumentation applications: basic
block counting, shadowstack defense against control-flow hijack and
return-orientedprogramming attacks, and system call and library policy
en-forcement. While being competitive with the best DBI toolson CPU-intensive
SPEC 2006 benchmark, PSI provides an order of magnitude reduction in overheads
on a collection of real-world applications
PSI is alpha software. It is provided for research and evaluation purposes only.
Virtual Box VM shipped under GPL: psi-vbox-v1.0.tar.gz.
This work was supported in part by NSF grants CNS-1319137, CNS-0831298,
an AFOSR grant FA9550-09-1-0539, and an ONR grant N000140710928.