BernatC ScADS-2012
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

BernatC ScADS-2012

on

  • 171 views

 

Statistics

Views

Total Views
171
Views on SlideShare
171
Embed Views
0

Actions

Likes
0
Downloads
0
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Apple Keynote

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • \n
  • \n
  • Overhead results were gathered from instrumenting the SPEC CPU benchmarks. We instrumented each basic block with an increment of a value in memory. For each tool we used their provided example code that includes all pertinent optimizations. \n\nDyninst 7.0 and 8.0: www.dyninst.org\nPEBIL: http://www.sdsc.edu/pmac/projects/pebil.html\nPIN: http://www.pintool.org/\nDynamoRIO: http://code.google.com/p/dynamorio/\n\nResults for omnetpp are missing for Dyninst 7.0 and PEBIL; omnet uses an exception mechanism that neither tool handles. \nPEBIL failed to correctly instrument GCC. \n\n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n

BernatC ScADS-2012 Presentation Transcript

  • 1. The Deconstruction of Dyninst Andrew Bernat, Bill Williams Paradyn Project CScADS June 26, 2012
  • 2. Dyninst 8.0o Component integration o ProcControlAPI o StackwalkerAPI o PatchAPIo Additional analyses o Register liveness o Improved stack heighto Significantly reduced overheado Additional platforms: PPC-64, BlueGene The Deconstruction of Dyninst 2
  • 3. Performance Improvements% Execution Time Increase 400% 350% 300% 250% 200% 150% 100% 50% 0% pe bz gc m go hm sj lib h2 om as xa G eo en cf ta c la rl ip qu b 6 ne m m 4r m r g nc a er tp k et ef nt b p r ic m um k M ea Dyninst 7.0 PEBIL PIN DynamoRIO n Dyninst 8.0 The Deconstruction of Dyninst 3
  • 4. Dyninst Components Timeline Design and Implementation DynCAPI Beta Release First Release DataflowAPI Integration into Dyninst PatchAPI ParseAPI ProcControlAPI InstructionAPI StackwalkerAPI SymtabAPI 2006 2007 2008 2009 2010 2011 2012 The Deconstruction of Dyninst 4
  • 5. Dyninst Components Timeline Design and Implementation DynCAPI Beta Release First Release DataflowAPI Integration into Dyninst PatchAPI ParseAPI ProcControlAPI InstructionAPI StackwalkerAPI SymtabAPI 2006 2007 2008 2009 2010 2011 2012 The Deconstruction of Dyninst 4
  • 6. Dyninst and the Components = Existing Component = Proposed AST Code Gen SymtabAPI Parsing Process API PatchBinary API Binary Instruction DataFlow API API ProcControl Stackwalker API API
  • 7. Dyninst and the Components = Existing Component = Proposed AST Code Gen SymtabAPI Parsing Process API PatchBinary API Binary Instruction DataFlow API API ProcControl Stackwalker API API
  • 8. Dyninst and the Components = Existing Component = Proposed AST Code Gen SymtabAPI Parsing Process API PatchBinary API Binary Instruction DataFlow API API ProcControl Stackwalker API API
  • 9. Dyninst and the Components = Existing Component = Proposed AST Code Gen SymtabAPI Parsing Process API PatchBinary API Binary Instruction DataFlow API API ProcControl Stackwalker API API
  • 10. Programming with Dyninst ando Dyninst user interface is backwards compatibleo Component interfaces are more capableo Goal: Dyninst as thin veneer over components PatchMgrPtr PatchAPI::convert(BPatch_addressSpace *); PatchBlock *PatchAPI::convert(BPatch_basicBlock *); Block *ParseAPI::convert(BPatch_basicBlock *); Symtab *SymtabAPI::convert(BPatch_module *); The Deconstruction of Dyninst 6
  • 11. Component Challenges The Deconstruction of Dyninst 7
  • 12. Component Challenges Concurrency The Deconstruction of Dyninst 7
  • 13. Component Challenges Concurrency + Incomplete and inconsistent interfaces The Deconstruction of Dyninst 7
  • 14. Component Challenges Concurrency + Incomplete and inconsistent interfaces = High-performance process control The Deconstruction of Dyninst 7
  • 15. ProcControlAPIo Entirely reengineered stop/continue logico Simplified RPC interfaceo Process group supporto Hardware breakpoint supporto Platform support o BlueGene o Windows The Deconstruction of Dyninst 8
  • 16. StackwalkerAPIo Binary analysis frameStepper o Improves stack walk accuracy in frameless functions o Fallback option if cheaper steppers failo 3rd party stack walking through ProcControlAPI o Improved portability o More capable process control interface The Deconstruction of Dyninst 9
  • 17. PatchAPI – Binary Modificationo Use familiar abstractions o CFG o Snippetso Interactive o Inserted code becomes part of the CFG and can be modified further o Instrument modified codeo Safe o Avoid unexpected side-effects o Preserve correct control flow The Deconstruction of Dyninst 10
  • 18. CFG Transformationso Modifying code: block split, edge redirectiono Inserting code: snippets store addr add deref 1 addr The Deconstruction of Dyninst 11
  • 19. Code Insertion (Apache hotpatch tool) PatchBlock *b1, *b2; b1 callee b2 The Deconstruction of Dyninst 12
  • 20. Code Insertion (Apache hotpatch tool) PatchBlock *b1, *b2; b1 Snippet::Ptr snip; callee IC::Ptr code = PatchModifier::insert(b1->obj(), snip, b1->exit()); b2 The Deconstruction of Dyninst 12
  • 21. Code Insertion (Apache hotpatch tool) PatchBlock *b1, *b2; b1 Snippet::Ptr snip; callee IC::Ptr code = PatchModifier::insert(b1->obj(), snip, b1->exit()); b2 PatchModifier::redirect(getEdge(b1, CALL_FT), code->entry()); The Deconstruction of Dyninst 12
  • 22. Code Insertion (Apache hotpatch tool) PatchBlock *b1, *b2; b1 Snippet::Ptr snip; callee IC::Ptr code = PatchModifier::insert(b1->obj(), snip, b1->exit()); b2 PatchModifier::redirect(getEdge(b1, CALL_FT), code->entry()); for (iterator iter = code->exits().begin(); iter != code->exits().end(); ++iter) { PatchModifier::redirect(*iter, b2); } The Deconstruction of Dyninst 12
  • 23. Code Replacement (CRAFT, Michael PatchBlock *b; Address a2, a3; a2 b a3 The Deconstruction of Dyninst 13
  • 24. Code Replacement (CRAFT, Michael PatchBlock *b; b1 Address a2, a3; a2 PatchBlock *b3 = PatchModifier::split(b, a3); b2 PatchBlock *b2 = PatchModifier::split(b, a2); PatchBlock *b1 = b; a3 b3 The Deconstruction of Dyninst 13
  • 25. Code Replacement (CRAFT, Michael PatchBlock *b; b1 Address a2, a3; a2 PatchBlock *b3 = PatchModifier::split(b, a3); b2 PatchBlock *b2 = PatchModifier::split(b, a2); PatchBlock *b1 = b; a3 b3 IC::Ptr code = PatchModifier::insert(b->obj(), snip, b2->entry()); The Deconstruction of Dyninst 13
  • 26. Code Replacement (CRAFT, Michael PatchBlock *b; b1 Address a2, a3; PatchBlock *b3 = PatchModifier::split(b, a3); b2 PatchBlock *b2 = PatchModifier::split(b, a2); PatchBlock *b1 = b; b3 IC::Ptr code = PatchModifier::insert(b->obj(), snip, b2->entry()); PatchModifier::redirect(getEdge(b1, FT), code->entry()); for (iterator iter = code->exits().begin(); iter != code->exits().end(); ++iter) { PatchModifier::redirect(*iter, b2); } The Deconstruction of Dyninst 13
  • 27. Code Replacement (CRAFT, Michael PatchBlock *b; b1 Address a2, a3; PatchBlock *b3 = PatchModifier::split(b, a3); PatchBlock *b2 = PatchModifier::split(b, a2); PatchBlock *b1 = b; b3 IC::Ptr code = PatchModifier::insert(b->obj(), snip, b2->entry()); PatchModifier::redirect(getEdge(b1, FT), code->entry()); for (iterator iter = code->exits().begin(); iter != code->exits().end(); ++iter) { PatchModifier::redirect(*iter, b2); } PatchModifier::remove(b2); The Deconstruction of Dyninst 13
  • 28. CFG Modification Callbackso Interface class for CFG modification updateso Register one (or more) child classeso Notify on CFG element: o Creation o Destruction o Block splitting o New in-edge or out-edge o Removed in-edge or out-edgeo Notify on Point creation, destruction, or change The Deconstruction of Dyninst 14
  • 29. PatchAPI – User-defined snippetso Allow users to insert their own code o Floating point o Access to complex data structures o Platform-specific optimizations o Precompiled binary blobso Simple interface o Extensible for better code generation efficiency The Deconstruction of Dyninst 15
  • 30. class Snippeto bool generate(Point *point, Buffer &buffer); o point: identifies location of code generation o buffer: container of generated code The Deconstruction of Dyninst 16
  • 31. Data structure accesses (boar) lea -128(%rsp), %rsp push %rax Register saves lahf seto %al push %rax push %rbx mov $1, %rax xaddl %rax, <index>(%rip) Circular buffer and <size>, %rax lea <base>(%rip), %rbx access movl <ID> (%rbx,%rax,4) pop %rbx pop %rax add 0x7f, %al Register restores sahf pop %rax lea 128(%rsp), %rsp The Deconstruction of Dyninst 17
  • 32. Data structure accesses (boar) mov $1, %rax xaddl %rax, <index>(%rip) Circular buffer and <size>, %rax lea <base>(%rip), %rbx access movl <ID> (%rbx,%rax,4) The Deconstruction of Dyninst 17
  • 33. Single-precision floating point (CRAFT) addsd xmm0, addss xmm0, xmm1 xmm1 The Deconstruction of Dyninst 18
  • 34. Single-precision floating point (CRAFT) nop cvtsd2ss xmm1, xmm1 mov eax, 0x7ff4dead mov qword ptr [rsp-0xb8], rax mov rcx, 0xffffffff mov rax, 0x0 and rax, rcx lahf rol rax, 0x20 seto al movlpd qword ptr [rsp-0xe8], xmm1 mov qword ptr [rsp-0xc0], rax mov rcx, 0xffffffff mov qword ptr [rsp-0xd0], rax and qword ptr [rsp-0xe8], rcx mov qword ptr [rsp-0xd8], rbx or qword ptr [rsp-0xe8], rax mov qword ptr [rsp-0xe0], rcx movlpd xmm1, qword ptr [rsp-0xe8] movq rax, xmm0 mov rbx, 0x7fffffff00000000 mov rax, 0x605000 and rax, rbx mov rbx, qword ptr [rax] mov rbx, 0x7ff4dead00000000 inc qword ptr [rbx+0xf8] cmp rbx, rax mov rcx, qword ptr [rsp-0xe0] jz 0x7fff1d923f6c mov rbx, qword ptr [rsp-0xd8] mov rax, qword ptr [rsp-0xd0] movq rax, xmm1 mov rax, qword ptr [rsp-0xb8] mov rbx, 0x7fffffff00000000 addss xmm0, xmm1 and rax, rbx mov qword ptr [rsp-0xb8], rax mov rbx, 0x7ff4dead00000000 mov qword ptr [rsp-0xd0], rax cmp rbx, rax mov qword ptr [rsp-0xd8], rcx jz 0x7fff1d923f6c mov eax, 0x7ff4dead mov rcx, 0xffffffff cvtsd2ss xmm0, xmm0 and rax, rcx mov eax, 0x7ff4dead rol rax, 0x20 mov rcx, 0xffffffff movlpd qword ptr [rsp-0xe0], xmm0 and rax, rcx mov rcx, 0xffffffff rol rax, 0x20 and qword ptr [rsp-0xe0], rcx movlpd qword ptr [rsp-0xe8], xmm0 or qword ptr [rsp-0xe0], rax mov rcx, 0xffffffff movlpd xmm0, qword ptr [rsp-0xe0] and qword ptr [rsp-0xe8], rcx mov rcx, qword ptr [rsp-0xd8] or qword ptr [rsp-0xe8], rax mov rax, qword ptr [rsp-0xd0] movlpd xmm0, qword ptr [rsp-0xe8] mov rax, qword ptr [rsp-0xc0] add al, 0x7f sahf mov rax, qword ptr [rsp-0xb8] The Deconstruction of Dyninst 18
  • 35. Dyninst 8.0o Coming soon! o Individual component integration complete o Final merging in progresso Great features and new platform supporto Beta access upon request The Deconstruction of Dyninst 19
  • 36. Research Statuso Recently finished: o Binary editing (Bernat) o Extreme scale process control and inspection (Brim) o Analyzing and instrumenting malicious code (Roundy)o In flight: o Analysis and visualization of large systems (Fang) o Return address tamper detection (Jacobson) Papers at www.paradyn.org o Binary authorship (Meng) The Deconstruction of Dyninst 20