PIEtrace

PIEtrace: Platform Independent Executable Trace

Yonghwi Kwon, Xiangyu Zhang, and Dongyan Xu

Department of Computer Science, Purdue University

{kwon58,xyzhang,dxu}@cs.purdue.edu

West Lafayette, Indiana, USA

Summary

PIEtrace traces and virtualizes a regular, platform-dependent program execution and generates a stand-alone program called the trace program. Running the trace program re-generates the original execution. More importantly, execution of the trace program is completely independent of the underlying operating system and libraries, so it can be compiled and executed on arbitrary platforms. As such, it can be analyzed by a third-party tool on whatever platform that tool prefers. We have implemented the technique on x86 and sensor platforms. We show that buggy executions of 10 real-world Windows and sensor applications can be traced and virtualized, and later analyzed by existing Linux tools. We also demonstrate how the technique can be used in cross-platform malware analysis.