Designing Robust API Monitoring Solutions

Daniele Cono D'Elia, Simone Nicchi, Matteo Mariani, Matteo Marini, Federico Palmaro

TL;DR

Six challenges that API monitoring solutions must overcome to manage accuracy, reliability, and transparency effectively are identified, and actionable design points for building robust API tracers that can be used even for security research are outlined.

Abstract

Tracing the sequence of library and system calls that a program makes is very helpful in the characterization of its interactions with the surrounding environment and ultimately of its semantics. Due to entanglements of real-world software stacks, accomplishing this task can be surprisingly challenging as we take accuracy, reliability, and transparency into the equation. To manage these dimensions effectively, we identify six challenges that API monitoring solutions should overcome and outline actionable design points for them, reporting insights from our experience in building API tracers for software security research. We detail two implementation variants, based on hardware-assisted virtualization (realizing the first general-purpose user-space tracer of this kind) and on dynamic binary translation, that achieve API monitoring robustly. We share our SNIPER system as open source.

Paper Structure

This paper contains 32 sections, 4 figures, 2 tables, and 1 algorithm.

Figures (4)

  • Figure 1: API call handling with strategy (a) or (b) for exit events. Arrows placed next to instruction addresses represent hooks.
  • Figure 2: Bird's eye-view of the proposed SNIPER system.
  • Figure 3: Analysis callbacks executed upon API entry and exit events.
  • Figure 4: The instruction at address 10020cf in calc.exe is a join point in the control flow graph of its enclosing function: it can be reached either by a conditional jump from the entry basic block of its function or as a fall-through for the call to the LocalFree API function.