1. The Deconstruction of Dyninst
Andrew Bernat, Bill Williams
Paradyn Project
CScADS
June 26, 2012
2. Dyninst 8.0
o Component integration
  o ProcControlAPI
  o StackwalkerAPI
  o PatchAPI
o Additional analyses
  o Register liveness
  o Improved stack height
o Significantly reduced overhead
o Additional platforms: PPC-64, BlueGene
The Deconstruction of Dyninst 2
3. Performance Improvements
[Figure: bar chart of % execution time increase (0% to 400%) per SPEC CPU benchmark, comparing Dyninst 7.0, PEBIL, PIN, DynamoRIO and Dyninst 8.0; the benchmark labels did not survive extraction]
4. Dyninst Components Timeline
[Figure: timeline from 2006 to 2012 for SymtabAPI, StackwalkerAPI, InstructionAPI, ProcControlAPI, ParseAPI, PatchAPI, DataflowAPI and DynCAPI, marking for each component its design and implementation, beta release, first release and integration into Dyninst]
6. Dyninst and the Components
[Figure: component diagram with a legend distinguishing existing components from proposed ones. Labels: AST, Code Gen, SymtabAPI, Parsing API, Process API, Patch API, Binary, Instruction API, DataFlow API, ProcControl API, Stackwalker API]
10. Programming with Dyninst and
o Dyninst user interface is backwards compatible
o Component interfaces are more capable
o Goal: Dyninst as thin veneer over components

  PatchMgrPtr PatchAPI::convert(BPatch_addressSpace *);
  PatchBlock *PatchAPI::convert(BPatch_basicBlock *);
  Block *ParseAPI::convert(BPatch_basicBlock *);
  Symtab *SymtabAPI::convert(BPatch_module *);
14. Component Challenges
Concurrency + incomplete and inconsistent interfaces = high-performance process control
15. ProcControlAPI
o Entirely reengineered stop/continue logic
o Simplified RPC interface
o Process group support
o Hardware breakpoint support
o Platform support
  o BlueGene
  o Windows
16. StackwalkerAPI
o Binary analysis frameStepper
  o Improves stack walk accuracy in frameless functions
  o Fallback option if cheaper steppers fail
o 3rd party stack walking through ProcControlAPI
  o Improved portability
  o More capable process control interface
17. PatchAPI – Binary Modification
o Use familiar abstractions
  o CFG
  o Snippets
o Interactive
  o Inserted code becomes part of the CFG and can be modified further
  o Instrument modified code
o Safe
  o Avoid unexpected side-effects
  o Preserve correct control flow
18. CFG Transformations
o Modifying code: block split, edge redirection
o Inserting code: snippets
[Figure: snippet AST with nodes store, addr, add, deref, 1, addr]
19. Code Insertion (Apache hotpatch tool)
  PatchBlock *b1, *b2;
[Figure: CFG with blocks b1 and b2 and the inserted callee between them]
27. Code Replacement (CRAFT, Michael
  PatchBlock *b;            // block to modify; [a2, a3) is the range being replaced
  Address a2, a3;
  // Split twice: b keeps [start, a2), b2 becomes [a2, a3), b3 becomes [a3, end)
  PatchBlock *b3 = PatchModifier::split(b, a3);
  PatchBlock *b2 = PatchModifier::split(b, a2);
  PatchBlock *b1 = b;
  // Insert the replacement snippet at the point where b2 used to begin
  IC::Ptr code = PatchModifier::insert(b->obj(), snip, b2->entry());
  // Route b1's fallthrough edge into the inserted code ...
  PatchModifier::redirect(getEdge(b1, FT), code->entry());
  // ... and the inserted code's exits past the replaced range to b3,
  // so that b2 has no in-edges left before it is removed
  for (iterator iter = code->exits().begin(); iter != code->exits().end(); ++iter) {
    PatchModifier::redirect(*iter, b3);
  }
  PatchModifier::remove(b2);  // the original [a2, a3) code is now unreachable
[Figure: CFG with blocks b1, b2, b3 and the inserted code]
28. CFG Modification Callbacks
o Interface class for CFG modification updates
o Register one (or more) child classes
o Notify on CFG element:
  o Creation
  o Destruction
  o Block splitting
  o New in-edge or out-edge
  o Removed in-edge or out-edge
o Notify on Point creation, destruction, or change
29. PatchAPI – User-defined snippets
o Allow users to insert their own code
  o Floating point
  o Access to complex data structures
  o Platform-specific optimizations
  o Precompiled binary blobs
o Simple interface
o Extensible for better code generation efficiency
30. class Snippet
o bool generate(Point *point, Buffer &buffer);
  o point: identifies location of code generation
  o buffer: container of generated code
31. Data structure accesses (boar)
  lea -128(%rsp), %rsp        # step below the 128-byte red zone before pushing
  push %rax                   # register saves
  lahf
  seto %al                    # capture OF next to the flags saved by lahf
  push %rax
  push %rbx
  mov $1, %rax                # circular buffer access
  xaddl %rax, <index>(%rip)   # atomic fetch-and-add on the shared index
  and <size>, %rax            # wrap the index to the buffer size
  lea <base>(%rip), %rbx
  movl <ID>, (%rbx,%rax,4)    # store this block's ID in its slot
  pop %rbx                    # register restores
  pop %rax
  add $0x7f, %al              # recreate OF from the saved seto result
  sahf
  pop %rax
  lea 128(%rsp), %rsp
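The circular-buffer recording that the boar snippet performs in assembly, written out in C++ as an added example (this is not code from the slides or from the boar tool); the names TraceBuffer, record, lost and recent are hypothetical, and the <size> operand is assumed to be a power-of-two mask.

```cpp
#include <atomic>
#include <cstdint>
#include <vector>

constexpr uint32_t kSize = 1u << 4;     // 16 slots, small so wraparound is visible
constexpr uint32_t kMask = kSize - 1;   // assumed: the <size> operand is this mask

struct TraceBuffer {
    std::atomic<uint32_t> index{0};     // <index>: monotonically increasing ticket
    uint32_t slots[kSize] = {};         // <base>: one 4-byte slot per record

    // mov $1,%rax ; xaddl %rax,<index> ; and <size>,%rax ; movl <ID>,(%rbx,%rax,4)
    void record(uint32_t block_id) {
        uint32_t ticket = index.fetch_add(1, std::memory_order_relaxed);
        slots[ticket & kMask] = block_id;
    }
};

// Records overwritten by wraparound: everything older than the last kSize tickets.
uint32_t lost(const TraceBuffer &tb) {
    uint32_t n = tb.index.load();
    return n > kSize ? n - kSize : 0;
}

// Surviving records, oldest first, recovered from the raw ticket counter rather
// than from the slot array alone (the counter says where the newest entry is).
std::vector<uint32_t> recent(const TraceBuffer &tb) {
    uint32_t n = tb.index.load();
    uint32_t avail = n < kSize ? n : kSize;
    std::vector<uint32_t> out;
    for (uint32_t i = n - avail; i < n; ++i) out.push_back(tb.slots[i & kMask]);
    return out;
}

// Simulates n instrumented blocks firing in order with constructed IDs 1..n.
void run_blocks(TraceBuffer &tb, uint32_t n) {
    for (uint32_t id = 1; id <= n; ++id) tb.record(id);
}
```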
35. Dyninst 8.0
o Coming soon!
o Individual component integration complete
o Final merging in progress
o Great features and new platform support
o Beta access upon request
36. Research Status
o Recently finished:
  o Binary editing (Bernat)
  o Extreme scale process control and inspection (Brim)
  o Analyzing and instrumenting malicious code (Roundy)
o In flight:
  o Analysis and visualization of large systems (Fang)
  o Return address tamper detection (Jacobson)
  o Binary authorship (Meng)
Papers at www.paradyn.org
Speaker notes

Overhead results were gathered from instrumenting the SPEC CPU benchmarks. We instrumented each basic block with an increment of a value in memory. For each tool we used their provided example code that includes all pertinent optimizations.

Dyninst 7.0 and 8.0: www.dyninst.org
PEBIL: http://www.sdsc.edu/pmac/projects/pebil.html
PIN: http://www.pintool.org/
DynamoRIO: http://code.google.com/p/dynamorio/

Results for omnetpp are missing for Dyninst 7.0 and PEBIL; omnetpp uses an exception mechanism that neither tool handles.
PEBIL failed to correctly instrument GCC.