Dynamic Data Flow Analysis via Virtual Code Integration (aka The SpiderPig case)

This paper addresses the process of dynamic data ow analysis using virtual code integration (VCI), often refered to as dynamic binary rewriting. This article will try to demonstrate all of the techniques that were applied in the SpiderPig project [15]. It will also discuss the main di erences between the methods that were employed and those used in other available software, as well as introducing other related work. SpiderPig 's approach was found to be very fast and was transparent enough for reliable and usable data ow analysis. It was created with the purpose of providing a tool which would aid vulnerability and security researchers with tracing and analyzing any necessary data and its further propagation through a program. At the time of writing this article, it is the authors opinion that SpiderPig o ers one of the most advanced solutions for data 1 ar X iv :0 90 6. 07 24 v1 [ cs .C R ] 3 J un 2 00 9 ow monitoring. At the current state it works on IA-32 platforms with Microsoft Windows systems and it supports FPU, SSE, MMX and all of the IA-32 general instructions. Furthermore it can be extended to cover other operating systems and architectures as well. SpiderPig also demonstrates the usage of a virtual code integration (VCI) framework which allows for modifying the target application code at the instruction level. By this I mean that the VCI framework allows for custom code insertion, original code modi cation and full customization of the original application's code. Instructions can be swapped out, deleted or modi ed at a whim, without corrupting the surrounding code and side-e ects of the modi cation are resolved. In the next sections, the most important and relevant techniques used in SpiderPig will be described.