SAFER: Efficient and Error-Tolerant Binary Instrumentation

Recent advances in binary instrumentation have been focused on performance. By statically transforming the code to avoid additional runtime operations, systems such as Egalito and RetroWrite achieve near zero overheads. The safety of these static transformations relies on several assumptions: (a) error-free and complete disassembly, (b) exclusive use of position-independent code, and (c) code pointer identification that is free of both false positives and false negatives. Violations of these assumptions can cause an instrumented program to crash, or worse, experience delayed failures that corrupt data or compromise security. Many earlier binary instrumentation techniques (e.g., DynamoRio, Pin, and BinCFI) minimized such assumptions, but the price to be paid is a much higher overhead, especially for indirect-call-intensive (e.g., C++) applications. Thus, an open research question is whether the safety benefits of the earlier works can be combined with the performance benefits of recent works. We answer this question in the affirmative by presenting a new instrumentation technique that (a) tolerates the use of position-dependent code and common disassembly and static analysis errors, and (b) detects assumption violations at runtime before they can lead to undefined behavior. Our approach provides a fail-crash primitive for graceful shutdown or recovery. We achieve safe instrumentation without sacrificing performance, introducing a low overhead of about ∼ 2%.