OS-Agnostic Identification of Processes and Threads in the Full System Emulation for Selective Instrumentation

Dynamic binary analysis is one of the most promising and key techniques in the analysis of programs and systems. It is usually based on the technique of dynamic binary instrumentation. The most useful instrumentation technique is whole-system instrumentation because it allows one to analyze operations that occur at the kernel level and monitor interactions between different processes. The whole-system instrumentation makes it possible to perform a wide range of analysis tasks; however, it has certain drawbacks—instrumentation of the whole system causes huge overheads both in terms of the speed of operation of the system under study and in terms of the amount of redundant data obtained for analysis, which significantly complicates the work of the analyst. A way to solve this problem is to use selective instrumentation in which the object of instrumentation is an individual process or thread in the analyzed system. The analyst can specify the information he is interested in while retaining the potentials of the whole-system analysis. To implement selective instrumentation, one needs to identify the current processes, threads, or higher level abstractions to determine the scope of instrumentation. In this paper, a number of available instrumentation systems and techniques used by them to get information of interest are discussed, problems and shortcomings of these systems are identified, an implementation of selective instrumentations for individual processes on ARM and x86 processors is described, and a version of selective instrumentation for threads is proposed.