memTrace: Lightweight Memory Tracing

memTrace is a lightweight memory tracing infrastructure that supports user-defined memlets (short sequences of code, execute for every memory access) for unmodified binary x86 applications. A cross-ISA binary translator builds on libdetox to translate the application from x86 to x86_64 and to weave the memlets into the executed application code.
By using the wider memory space and the additional registers of x86_64 memTrace is able to achieve very low performance overhead for full memory tracing.


TRuE: Trusted RUntime Environment

TRuE logo TRuE is a secure runtime environment that enables the safe execution of untrusted (but not malicious) code. Untrusted code (e.g., the Apache server) is dynamically analyzed and secured against different forms of control-flow based attacks like code injection, control-flow redirection, and return oriented programming. This fine-grained security layer detects attacks right when they happen (i.e., before the control flow is executed) and the program is terminated. A second layer of protection uses a system-call interposition layer to validate each executed system call against a vigorous system call policy. TRuE uses several components to both extract information from the application and to secure the application:

  • A secure loader replaces the standard loader ( The secure loader is a part of the trusted domain and extracts information about each used shared object (the executable and all loaded shared libraries). The information contains details about individual memory regions and the locations of symbols and relocation slots. Details about the secure loader are published in the TRuE paper. The information is then used in the binary translator to weave control flow checks into the translated application code.
  • libdetox is the virtualization system that separates user-space into two execution domains: the trusted sandbox domain that contains the binary translator and the untrusted application domain. The sandbox domain uses a separate stack from the application stack and makes sure that no pointers leak to the application. All application code is translated using the binary translator. In addition, all system calls are redirected from the application domain to the sandbox domain where they are handled (interposed, redirected, or executed). The libdetox system is published at VEE'11, 27c3'11, and 26c3'09. The binary translator is also extended with low-level domain specific aspect language that makes code generation easier, see DSAL'12 for more information.
  • The binary translator fastBT uses a table-based translation scheme and thread-local code caches to dynamically translate all application code. Trampolines are used to translate individual indirect control flow transfers (indirect jumps, indirect calls, and function returns). The translation tables cover the complete set of x86-ia32 instructions and a table generator can be used to specify high-level code transformations (the API is similar to PIN with the difference that fastBT offers the high-level API at compile time while PIN offers the API at runtime). fastBT is published at SYSTOR'10 and AMAS-BT'09.

For a complete description and evaluation of TRuE look at my PhD thesis. If you are interested in a quick overview watch my Google TechTalk for an overview of fastBT, or my 27c3 talk and my 26c3 talk for an overview of libdetox.

TRuE has the following runtime requirements: a machine with an IA-32 (x86) CPU, a Linux kernel 2.6 or higher, and GCC version 4.2 or higher. You can download a given software package below, unpack it in a directory, read the INSTALL information, (optionally) adapt the translation tables, configure the optimizations (for both additional security and performance settings) and let it run. fastBT and libdetox both use LD_PRELOAD to inject the binary translator into the application while TRuE uses the secure loader to initialize the sandbox before the application is loaded.



adaptSTM: a fast, adaptive Software Transactional Memory system

We present adaptSTM, a competitive, word-based STM library that is based on a global clock and an array of combined global versions (timestamps) and locks. To keep track of transactional data adaptSTM implements a multi-level buffer and uses read-set extension to achieve competitive performance.
A detailed description of the system is available in the technical report and the ISPASS'11 publication contains a more detailed evaluation.