At Core we enjoy participating in activities, and helping to improve the security community. As a result you will often see us sponsoring industry events and presenting research and tools that our engineering and research teams have developed. This was true at the recent RECon conference in Montreal, Canada where two members of our Exploit Writing Team presented. Unfortunately, I was not able to attend and see the presentation but I was pleased to be able to talk to them about their presentation.
Q: So, basics first, could you Introduce yourselves and tell us what you do at Core? A: Our names are Francisco Falcón and Nahuel Riva. We work as Exploit Writers in the Exploit Writing Team at Core Security.
Q: What was your talk on at RECon 2012? A: Our talk was titled "Dynamic Binary Instrumentation Frameworks: I know you're there spying on me". During our talk we disclosed more than 20 techniques to detect if our program's binary code is running under a Dynamic Binary Instrumentation (DBI) framework and we focused on Pin, Intel's DBI framework.
Q: I have to ask, what is "Dynamic Binary Instrumentation"? A: We define dynamic binary instrumentation as a technique to analyze and modify the behavior of a binary program by injecting code into it at runtime.
Q: Why did you choose this topic? A: Well, we have a couple of reasons that lead us to want to research and publish our findings and tools on this topic. Firstly, we have seen an increase in DBI based tools being released and presentations being given at many security conferences, so we knew that interest in DBI as a topic is growing and more people are becoming interested in the DBI field. However, when we started looking we noticed there was a lack of comprehensive documentation or research available publically about anti-DBI techniques. Given the increased interest in DBI frameworks it clearly is a trend that is growing, and as that trend rises we predict that the interest in anti-DBI techniques will also rise. Lastly, we chose Pin specifically as the DBI framework to focus on because we think that currently, at least in the reverse engineering field, it is the DBI framework that is most used.
Q: Tell me more about Pin… A: Pin, as a dynamic binary instrumentation framework, has a wide range of applications beyond security-related reverse engineering, and as a result it was not designed with stealth in mind. The same is also true for other non-reverse engineering-specific kind of tools that help us to perform dynamic analysis of binary code, like debuggers and virtualization platforms –(at least the most popular ones). These tools do not intend to be stealth, and nevertheless, certain types of software (software packers and protectors used in malware) have been including defensive code to protect themselves against detection by these tools. So, as DBI-based dynamic analysis is growing in the reverse engineering field, we think that it's worthwhile to find and document ways to detect the presence of dynamic binary instrumentation frameworks, regardless of the intention of the DBI frameworks to stay hidden or not. This presentation aims to be the initial document on anti-DBI techniques as other researchers did in the past with the Anti-Debugging and Anti-Virtualization techniques. During the presentation, we disclosed more than 20 anti-DBI techniques that we divided into several categories. We talked about generic and Pin-specific ways to detect if our code is being instrumented. Also, we presented eXait, our benchmark-like tool to test all the anti-DBI techniques we showed. It was a great experience to be at RECon and to see all the other talks presented there.