lecture: Pwning Intel PIN
Reconsidering Intel Pin in Context of Security
Binary instrumentation is a robust and powerful technique which facilitates binary code modification of computer programs in order to better analyze their behavior and characteristics even when no source code is available. This is achieved either statically by rewriting the binary instructions of the program and then executing the altered program or dynamically, by changing the code at run-time right before it is executed. The design of most Dynamic Binary Instrumentation frameworks puts emphasis on ease-of-use, portability, and efficiency, offering the possibility to execute inspecting analysis code from an interpositioned perspective maintaining full access to the instrumented program. This has established DBI as a powerful tool utilized for analysis tasks such as profiling, performance evaluation, and prototyping.
Moreover, the interest of employing DBI tools for binary hardening techniques (e.g. Program Shepherding) and malware analysis is constantly increasing among researchers. However, the usage of DBI for security related tasks is questionable, as in such scenarios it is important that analysis code runs isolated from the instrumented program in a stealthy way. This inspired us to look more closely at how DBI frameworks influence (impair) the security characteristics of an instrumented binary.
In this talk, we show (1) that a plethora of work implicitly seems to assume isolation and stealthiness of DBI frameworks and strongly challenge these assumptions. We use Intel Pin running on x86-64 Linux as an example to show that when a program is running in context of a DBI framework (2) the presence thereof can be detected, (3) policies introduced by binary hardening mechanisms can be circumvented (i.e. it is possible to break out of Pin's virtual machine), and (4) otherwise hard-to-exploit CVEs in existing applications can be escalated to full code execution when run in Intel Pin.
To follow good non-scientific practice, we will publish source code, proof of concepts, a technical writeup, our demos, and slides after the presentation.