Binary instrumentation is an essential technique for program analysis tasks, with wide application ranging from reverse (such as debugging, taint-tracking), defense (like hot-patching, sandboxing) to offense (examples are rootkit, vulnerability detection). Basically, instrumentation is performed by injecting extra code into a binary application to observe or modify its runtime behaviour. There are few instrumentation frameworks, but unfortunately all of them suffer from some critical drawbacks.
We built Skorpio, a lightweight binary instrumentation framework, which offers some unparalleled features:
- Multi-platform: native build for Windows, iOS, Android & *nix (with Mac OSX, Linux, *BSD & Solaris confirmed).
- Multi-architecture: support for Arm, Arm64 (AArch64/Armv8), Mips, PowerPC, Sparc and X86 (include 16/32/64bit).
- Multi-level: allows instrumentation everywhere, from userspace to OS kernel, from instruction to function level.
- Flexibility: support multiple types of instrumentations, and offer various customized optimization on code relocation & optional trampoline settings.
- Lightweight, so we can instrument real-world complicated applications.
- Implemented in pure C language, with some bindings available.
- Clean/simple/lightweigh
This talk is going to present the motivation, design & implementation of Skorpio. The focus will be on technical decisions we made, and the challenges we had to overcome to realise the ideas behind our framework.
Skorpio aims to lay the ground for innovative works. To demonstrate its power, we built some exciting tools on top of our framework. Expect some cool live demos during this talk.