LibIHT: A Hardware-Based Approach to Efficient and Evasion-Resistant Dynamic Binary Analysis Article Swipe

View

C. Zhao , Yohan Beugin , Jean-Charles Noirot Ferrand , Quinn Burke , Guancheng Li , Patrick McDaniel ·

YOU? · · 2025 · Open Access · · DOI: https://doi.org/10.1145/3733822.3764670

Dynamic program analysis is invaluable for malware detection, debugging, and performance profiling. However, software-based instrumentation incurs high overhead and can be evaded by anti-analysis techniques. In this paper, we propose LibIHT, a hardware-assisted tracing framework that leverages on-CPU branch tracing features (Intel Last Branch Record and Branch Trace Store) to efficiently capture program control-flow with minimal performance impact. Our approach reconstructs control-flow graphs (CFGs) by collecting hardware generated branch execution data in the kernel, preserving program behavior against evasive malware. We implement LibIHT as an OS kernel module and user-space library, and evaluate it on both benign benchmark programs and adversarial anti-instrumentation samples. Our results indicate that LibIHT reduces runtime overhead by over 150x compared to Intel Pin (7x vs 1,053x slowdowns), while achieving high fidelity in CFG reconstruction (capturing over 99% of execution basic blocks and edges). Although this hardware-assisted approach sacrifices the richer semantic detail available from full software instrumentation by capturing only branch addresses, this trade-off is acceptable for many applications where performance and low detectability are paramount. Our findings show that hardware-based tracing captures control flow information significantly faster, reduces detection risk and performs dynamic analysis with minimal interference.

Related Topics

Truth And Reconciliation Commission Of Canada

Concepts

No concepts available.

Metadata

Type: preprint
Landing Page: https://doi.org/10.1145/3733822.3764670
OA Status: green
References: 24
OpenAlex ID: https://openalex.org/W4415722000

All OpenAlex metadata

Raw OpenAlex JSON

OpenAlex ID: https://openalex.org/W4415722000

Canonical identifier for this work in OpenAlex
DOI: https://doi.org/10.1145/3733822.3764670

Digital Object Identifier
Title: LibIHT: A Hardware-Based Approach to Efficient and Evasion-Resistant Dynamic Binary Analysis

Work title
Type: preprint

OpenAlex work type
Publication year: 2025

Year of publication
Publication date: 2025-10-13

Full publication date if available
Authors: C. Zhao, Yohan Beugin, Jean-Charles Noirot Ferrand, Quinn Burke, Guancheng Li, Patrick McDaniel

List of authors in order
Landing page: https://doi.org/10.1145/3733822.3764670

Publisher landing page
Open access: Yes

Whether a free full text is available
OA status: green

Open access status per OpenAlex
OA URL: https://arxiv.org/pdf/2510.16251

Direct OA link when available
Cited by: 0

Total citation count in OpenAlex
References (count): 24

Number of works referenced by this work

Full payload

id	https://openalex.org/W4415722000
doi	https://doi.org/10.1145/3733822.3764670
ids.doi	https://doi.org/10.1145/3733822.3764670
ids.openalex	https://openalex.org/W4415722000
fwci
type	preprint
title	LibIHT: A Hardware-Based Approach to Efficient and Evasion-Resistant Dynamic Binary Analysis
biblio.issue
biblio.volume
biblio.last_page	101
biblio.first_page	89
is_xpac	False
apc_list
apc_paid
language
locations[0].id	doi:10.1145/3733822.3764670
locations[0].is_oa	False
locations[0].source
locations[0].license
locations[0].pdf_url
locations[0].version	publishedVersion
locations[0].raw_type	proceedings-article
locations[0].license_id
locations[0].is_accepted	True
locations[0].is_published	True
locations[0].raw_source_name	Proceedings of the 2025 Workshop on Software Understanding and Reverse Engineering
locations[0].landing_page_url	https://doi.org/10.1145/3733822.3764670
locations[1].id	pmh:oai:arXiv.org:2510.16251
locations[1].is_oa	True
locations[1].source.id	https://openalex.org/S4306400194
locations[1].source.issn
locations[1].source.type	repository
locations[1].source.is_oa	True
locations[1].source.issn_l
locations[1].source.is_core	False
locations[1].source.is_in_doaj	False
locations[1].source.display_name	arXiv (Cornell University)
locations[1].source.host_organization	https://openalex.org/I205783295
locations[1].source.host_organization_name	Cornell University
locations[1].source.host_organization_lineage	https://openalex.org/I205783295
locations[1].license
locations[1].pdf_url	https://arxiv.org/pdf/2510.16251
locations[1].version	submittedVersion
locations[1].raw_type	text
locations[1].license_id
locations[1].is_accepted	False
locations[1].is_published	False
locations[1].raw_source_name
locations[1].landing_page_url	http://arxiv.org/abs/2510.16251
indexed_in	arxiv, crossref
authorships[0].author.id	https://openalex.org/A5113870920
authorships[0].author.orcid	https://orcid.org/0009-0009-9375-1519
authorships[0].author.display_name	C. Zhao
authorships[0].countries	US
authorships[0].affiliations[0].institution_ids	https://openalex.org/I135310074
authorships[0].affiliations[0].raw_affiliation_string	University of Wisconsin-Madison, Madison, Wisconsin, USA
authorships[0].institutions[0].id	https://openalex.org/I135310074
authorships[0].institutions[0].ror	https://ror.org/01y2jtd41
authorships[0].institutions[0].type	education
authorships[0].institutions[0].lineage	https://openalex.org/I135310074
authorships[0].institutions[0].country_code	US
authorships[0].institutions[0].display_name	University of Wisconsin–Madison
authorships[0].author_position	first
authorships[0].raw_author_name	Changyu Zhao
authorships[0].is_corresponding	False
authorships[0].raw_affiliation_strings	University of Wisconsin-Madison, Madison, Wisconsin, USA
authorships[1].author.id	https://openalex.org/A5007771274
authorships[1].author.orcid	https://orcid.org/0000-0003-0991-7926
authorships[1].author.display_name	Yohan Beugin
authorships[1].countries	US
authorships[1].affiliations[0].institution_ids	https://openalex.org/I135310074
authorships[1].affiliations[0].raw_affiliation_string	University of Wisconsin-Madison, Madison, Wisconsin, USA
authorships[1].institutions[0].id	https://openalex.org/I135310074
authorships[1].institutions[0].ror	https://ror.org/01y2jtd41
authorships[1].institutions[0].type	education
authorships[1].institutions[0].lineage	https://openalex.org/I135310074
authorships[1].institutions[0].country_code	US
authorships[1].institutions[0].display_name	University of Wisconsin–Madison
authorships[1].author_position	middle
authorships[1].raw_author_name	Yohan Beugin
authorships[1].is_corresponding	False
authorships[1].raw_affiliation_strings	University of Wisconsin-Madison, Madison, Wisconsin, USA
authorships[2].author.id	https://openalex.org/A5110190353
authorships[2].author.orcid	https://orcid.org/0009-0009-9650-4011
authorships[2].author.display_name	Jean-Charles Noirot Ferrand
authorships[2].countries	US
authorships[2].affiliations[0].institution_ids	https://openalex.org/I135310074
authorships[2].affiliations[0].raw_affiliation_string	University of Wisconsin-Madison, Madison, Wisconsin, USA
authorships[2].institutions[0].id	https://openalex.org/I135310074
authorships[2].institutions[0].ror	https://ror.org/01y2jtd41
authorships[2].institutions[0].type	education
authorships[2].institutions[0].lineage	https://openalex.org/I135310074
authorships[2].institutions[0].country_code	US
authorships[2].institutions[0].display_name	University of Wisconsin–Madison
authorships[2].author_position	middle
authorships[2].raw_author_name	Jean-Charles Noirot Ferrand
authorships[2].is_corresponding	False
authorships[2].raw_affiliation_strings	University of Wisconsin-Madison, Madison, Wisconsin, USA
authorships[3].author.id	https://openalex.org/A5031987483
authorships[3].author.orcid	https://orcid.org/0000-0003-1719-3112
authorships[3].author.display_name	Quinn Burke
authorships[3].countries	US
authorships[3].affiliations[0].institution_ids	https://openalex.org/I135310074
authorships[3].affiliations[0].raw_affiliation_string	University of Wisconsin-Madison, Madison, Wisconsin, USA
authorships[3].institutions[0].id	https://openalex.org/I135310074
authorships[3].institutions[0].ror	https://ror.org/01y2jtd41
authorships[3].institutions[0].type	education
authorships[3].institutions[0].lineage	https://openalex.org/I135310074
authorships[3].institutions[0].country_code	US
authorships[3].institutions[0].display_name	University of Wisconsin–Madison
authorships[3].author_position	middle
authorships[3].raw_author_name	Quinn Burke
authorships[3].is_corresponding	False
authorships[3].raw_affiliation_strings	University of Wisconsin-Madison, Madison, Wisconsin, USA
authorships[4].author.id	https://openalex.org/A5100914680
authorships[4].author.orcid	https://orcid.org/0009-0007-4226-656X
authorships[4].author.display_name	Guancheng Li
authorships[4].countries	CN
authorships[4].affiliations[0].institution_ids	https://openalex.org/I2250653659
authorships[4].affiliations[0].raw_affiliation_string	Tencent Xuanwu Lab, Beijing, Beijing, China
authorships[4].institutions[0].id	https://openalex.org/I2250653659
authorships[4].institutions[0].ror	https://ror.org/00hhjss72
authorships[4].institutions[0].type	company
authorships[4].institutions[0].lineage	https://openalex.org/I2250653659
authorships[4].institutions[0].country_code	CN
authorships[4].institutions[0].display_name	Tencent (China)
authorships[4].author_position	middle
authorships[4].raw_author_name	Guancheng Li
authorships[4].is_corresponding	False
authorships[4].raw_affiliation_strings	Tencent Xuanwu Lab, Beijing, Beijing, China
authorships[5].author.id	https://openalex.org/A5055368149
authorships[5].author.orcid	https://orcid.org/0000-0003-2091-7484
authorships[5].author.display_name	Patrick McDaniel
authorships[5].countries	US
authorships[5].affiliations[0].institution_ids	https://openalex.org/I135310074
authorships[5].affiliations[0].raw_affiliation_string	University of Wisconsin-Madison, Madison, Wisconsin, USA
authorships[5].institutions[0].id	https://openalex.org/I135310074
authorships[5].institutions[0].ror	https://ror.org/01y2jtd41
authorships[5].institutions[0].type	education
authorships[5].institutions[0].lineage	https://openalex.org/I135310074
authorships[5].institutions[0].country_code	US
authorships[5].institutions[0].display_name	University of Wisconsin–Madison
authorships[5].author_position	last
authorships[5].raw_author_name	Patrick McDaniel
authorships[5].is_corresponding	False
authorships[5].raw_affiliation_strings	University of Wisconsin-Madison, Madison, Wisconsin, USA
has_content.pdf	False
has_content.grobid_xml	False
is_paratext	False
open_access.is_oa	True
open_access.oa_url	https://arxiv.org/pdf/2510.16251
open_access.oa_status	green
open_access.any_repository_has_fulltext	False
created_date	2025-10-31T00:00:00
display_name	LibIHT: A Hardware-Based Approach to Efficient and Evasion-Resistant Dynamic Binary Analysis
has_fulltext	False
is_retracted	False
updated_date	2025-11-06T03:46:38.306776
primary_topic
cited_by_count	0
locations_count	2
best_oa_location.id	pmh:oai:arXiv.org:2510.16251
best_oa_location.is_oa	True
best_oa_location.source.id	https://openalex.org/S4306400194
best_oa_location.source.issn
best_oa_location.source.type	repository
best_oa_location.source.is_oa	True
best_oa_location.source.issn_l
best_oa_location.source.is_core	False
best_oa_location.source.is_in_doaj	False
best_oa_location.source.display_name	arXiv (Cornell University)
best_oa_location.source.host_organization	https://openalex.org/I205783295
best_oa_location.source.host_organization_name	Cornell University
best_oa_location.source.host_organization_lineage	https://openalex.org/I205783295
best_oa_location.license
best_oa_location.pdf_url	https://arxiv.org/pdf/2510.16251
best_oa_location.version	submittedVersion
best_oa_location.raw_type	text
best_oa_location.license_id
best_oa_location.is_accepted	False
best_oa_location.is_published	False
best_oa_location.raw_source_name
best_oa_location.landing_page_url	http://arxiv.org/abs/2510.16251
primary_location.id	doi:10.1145/3733822.3764670
primary_location.is_oa	False
primary_location.source
primary_location.license
primary_location.pdf_url
primary_location.version	publishedVersion
primary_location.raw_type	proceedings-article
primary_location.license_id
primary_location.is_accepted	True
primary_location.is_published	True
primary_location.raw_source_name	Proceedings of the 2025 Workshop on Software Understanding and Reverse Engineering
primary_location.landing_page_url	https://doi.org/10.1145/3733822.3764670
publication_date	2025-10-13
publication_year	2025
referenced_works	https://openalex.org/W3008624017, https://openalex.org/W2117324184, https://openalex.org/W2166766372, https://openalex.org/W2146280225, https://openalex.org/W2960121311, https://openalex.org/W1968002620, https://openalex.org/W2956875759, https://openalex.org/W3214121473, https://openalex.org/W2174935658, https://openalex.org/W2953421748, https://openalex.org/W3194131055, https://openalex.org/W4230613728, https://openalex.org/W2602748134, https://openalex.org/W4285194732, https://openalex.org/W2134633067, https://openalex.org/W3174790505, https://openalex.org/W4239035626, https://openalex.org/W4392111418, https://openalex.org/W2620946705, https://openalex.org/W4243006798, https://openalex.org/W2514974017, https://openalex.org/W1990360323, https://openalex.org/W2811397117, https://openalex.org/W3015129527
referenced_works_count	24
abstract_inverted_index.a	31
abstract_inverted_index.In	25
abstract_inverted_index.OS	85
abstract_inverted_index.We	80
abstract_inverted_index.an	84
abstract_inverted_index.as	83
abstract_inverted_index.be	20
abstract_inverted_index.by	22, 64, 111, 152
abstract_inverted_index.in	71, 126
abstract_inverted_index.is	3, 159
abstract_inverted_index.it	93
abstract_inverted_index.of	132
abstract_inverted_index.on	94
abstract_inverted_index.to	49, 115
abstract_inverted_index.vs	119
abstract_inverted_index.we	28
abstract_inverted_index.(7x	118
abstract_inverted_index.99%	131
abstract_inverted_index.CFG	127
abstract_inverted_index.Our	58, 103, 171
abstract_inverted_index.Pin	117
abstract_inverted_index.and	9, 18, 45, 88, 91, 99, 136, 166, 186
abstract_inverted_index.are	169
abstract_inverted_index.can	19
abstract_inverted_index.for	5, 161
abstract_inverted_index.low	167
abstract_inverted_index.the	72, 143
abstract_inverted_index.150x	113
abstract_inverted_index.Last	42
abstract_inverted_index.both	95
abstract_inverted_index.data	70
abstract_inverted_index.flow	179
abstract_inverted_index.from	148
abstract_inverted_index.full	149
abstract_inverted_index.high	16, 124
abstract_inverted_index.many	162
abstract_inverted_index.only	154
abstract_inverted_index.over	112, 130
abstract_inverted_index.risk	185
abstract_inverted_index.show	173
abstract_inverted_index.that	35, 106, 174
abstract_inverted_index.this	26, 139, 157
abstract_inverted_index.with	54, 190
abstract_inverted_index.Intel	116
abstract_inverted_index.Trace	47
abstract_inverted_index.basic	134
abstract_inverted_index.where	164
abstract_inverted_index.while	122
abstract_inverted_index.(CFGs)	63
abstract_inverted_index.(Intel	41
abstract_inverted_index.1,053x	120
abstract_inverted_index.Branch	43, 46
abstract_inverted_index.LibIHT	82, 107
abstract_inverted_index.Record	44
abstract_inverted_index.Store)	48
abstract_inverted_index.benign	96
abstract_inverted_index.blocks	135
abstract_inverted_index.branch	38, 68, 155
abstract_inverted_index.detail	146
abstract_inverted_index.evaded	21
abstract_inverted_index.graphs	62
abstract_inverted_index.incurs	15
abstract_inverted_index.kernel	86
abstract_inverted_index.module	87
abstract_inverted_index.on-CPU	37
abstract_inverted_index.paper,	27
abstract_inverted_index.richer	144
abstract_inverted_index.Dynamic	0
abstract_inverted_index.LibIHT,	30
abstract_inverted_index.against	77
abstract_inverted_index.capture	51
abstract_inverted_index.control	178
abstract_inverted_index.dynamic	188
abstract_inverted_index.edges).	137
abstract_inverted_index.evasive	78
abstract_inverted_index.faster,	182
abstract_inverted_index.impact.	57
abstract_inverted_index.kernel,	73
abstract_inverted_index.malware	6
abstract_inverted_index.minimal	55, 191
abstract_inverted_index.program	1, 52, 75
abstract_inverted_index.propose	29
abstract_inverted_index.reduces	108, 183
abstract_inverted_index.results	104
abstract_inverted_index.runtime	109
abstract_inverted_index.tracing	33, 39, 176
abstract_inverted_index.Although	138
abstract_inverted_index.However,	12
abstract_inverted_index.analysis	2, 189
abstract_inverted_index.approach	59, 141
abstract_inverted_index.behavior	76
abstract_inverted_index.captures	177
abstract_inverted_index.compared	114
abstract_inverted_index.evaluate	92
abstract_inverted_index.features	40
abstract_inverted_index.fidelity	125
abstract_inverted_index.findings	172
abstract_inverted_index.hardware	66
abstract_inverted_index.indicate	105
abstract_inverted_index.library,	90
abstract_inverted_index.malware.	79
abstract_inverted_index.overhead	17, 110
abstract_inverted_index.performs	187
abstract_inverted_index.programs	98
abstract_inverted_index.samples.	102
abstract_inverted_index.semantic	145
abstract_inverted_index.software	150
abstract_inverted_index.achieving	123
abstract_inverted_index.available	147
abstract_inverted_index.benchmark	97
abstract_inverted_index.capturing	153
abstract_inverted_index.detection	184
abstract_inverted_index.execution	69, 133
abstract_inverted_index.framework	34
abstract_inverted_index.generated	67
abstract_inverted_index.implement	81
abstract_inverted_index.leverages	36
abstract_inverted_index.trade-off	158
abstract_inverted_index.(capturing	129
abstract_inverted_index.acceptable	160
abstract_inverted_index.addresses,	156
abstract_inverted_index.collecting	65
abstract_inverted_index.debugging,	8
abstract_inverted_index.detection,	7
abstract_inverted_index.invaluable	4
abstract_inverted_index.paramount.	170
abstract_inverted_index.preserving	74
abstract_inverted_index.profiling.	11
abstract_inverted_index.sacrifices	142
abstract_inverted_index.user-space	89
abstract_inverted_index.adversarial	100
abstract_inverted_index.efficiently	50
abstract_inverted_index.information	180
abstract_inverted_index.performance	10, 56, 165
abstract_inverted_index.slowdowns),	121
abstract_inverted_index.techniques.	24
abstract_inverted_index.applications	163
abstract_inverted_index.control-flow	53, 61
abstract_inverted_index.reconstructs	60
abstract_inverted_index.anti-analysis	23
abstract_inverted_index.detectability	168
abstract_inverted_index.interference.	192
abstract_inverted_index.significantly	181
abstract_inverted_index.hardware-based	175
abstract_inverted_index.reconstruction	128
abstract_inverted_index.software-based	13
abstract_inverted_index.instrumentation	14, 151
abstract_inverted_index.hardware-assisted	32, 140
abstract_inverted_index.anti-instrumentation	101
cited_by_percentile_year
countries_distinct_count	2
institutions_distinct_count	6
citation_normalized_percentile