Empfohlen
Weitere ähnliche Inhalte
Ähnlich wie BernatC ScADS-2012
Ähnlich wie BernatC ScADS-2012 (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
BernatC ScADS-2012
- 1. The Deconstruction of Dyninst Andrew Bernat, Bill Williams Paradyn Project CScADS June 26, 2012
- 2. Dyninst 8.0 o Component integration o ProcControlAPI o StackwalkerAPI o PatchAPI o Additional analyses o Register liveness o Improved stack height o Significantly reduced overhead o Additional platforms: PPC-64, BlueGene The Deconstruction of Dyninst 2
- 3. Performance Improvements % Execution Time Increase 400% 350% 300% 250% 200% 150% 100% 50% 0% pe bz gc m go hm sj lib h2 om as xa G eo en cf ta c la rl ip qu b 6 ne m m 4r m r g nc a er tp k et ef nt b p r ic m um k M ea Dyninst 7.0 PEBIL PIN DynamoRIO n Dyninst 8.0 The Deconstruction of Dyninst 3
- 4. Dyninst Components Timeline Design and Implementation DynCAPI Beta Release First Release DataflowAPI Integration into Dyninst PatchAPI ParseAPI ProcControlAPI InstructionAPI StackwalkerAPI SymtabAPI 2006 2007 2008 2009 2010 2011 2012 The Deconstruction of Dyninst 4
- 5. Dyninst Components Timeline Design and Implementation DynCAPI Beta Release First Release DataflowAPI Integration into Dyninst PatchAPI ParseAPI ProcControlAPI InstructionAPI StackwalkerAPI SymtabAPI 2006 2007 2008 2009 2010 2011 2012 The Deconstruction of Dyninst 4
- 6. Dyninst and the Components = Existing Component = Proposed AST Code Gen SymtabAPI Parsing Process API Patch Binary API Binary Instruction DataFlow API API ProcControl Stackwalker API API
- 7. Dyninst and the Components = Existing Component = Proposed AST Code Gen SymtabAPI Parsing Process API Patch Binary API Binary Instruction DataFlow API API ProcControl Stackwalker API API
- 8. Dyninst and the Components = Existing Component = Proposed AST Code Gen SymtabAPI Parsing Process API Patch Binary API Binary Instruction DataFlow API API ProcControl Stackwalker API API
- 9. Dyninst and the Components = Existing Component = Proposed AST Code Gen SymtabAPI Parsing Process API Patch Binary API Binary Instruction DataFlow API API ProcControl Stackwalker API API
- 10. Programming with Dyninst and o Dyninst user interface is backwards compatible o Component interfaces are more capable o Goal: Dyninst as thin veneer over components PatchMgrPtr PatchAPI::convert(BPatch_addressSpace *); PatchBlock *PatchAPI::convert(BPatch_basicBlock *); Block *ParseAPI::convert(BPatch_basicBlock *); Symtab *SymtabAPI::convert(BPatch_module *); The Deconstruction of Dyninst 6
- 11. Component Challenges The Deconstruction of Dyninst 7
- 12. Component Challenges Concurrency The Deconstruction of Dyninst 7
- 13. Component Challenges Concurrency + Incomplete and inconsistent interfaces The Deconstruction of Dyninst 7
- 14. Component Challenges Concurrency + Incomplete and inconsistent interfaces = High-performance process control The Deconstruction of Dyninst 7
- 15. ProcControlAPI o Entirely reengineered stop/continue logic o Simplified RPC interface o Process group support o Hardware breakpoint support o Platform support o BlueGene o Windows The Deconstruction of Dyninst 8
- 16. StackwalkerAPI o Binary analysis frameStepper o Improves stack walk accuracy in frameless functions o Fallback option if cheaper steppers fail o 3rd party stack walking through ProcControlAPI o Improved portability o More capable process control interface The Deconstruction of Dyninst 9
- 17. PatchAPI – Binary Modification o Use familiar abstractions o CFG o Snippets o Interactive o Inserted code becomes part of the CFG and can be modified further o Instrument modified code o Safe o Avoid unexpected side-effects o Preserve correct control flow The Deconstruction of Dyninst 10
- 18. CFG Transformations o Modifying code: block split, edge redirection o Inserting code: snippets store addr add deref 1 addr The Deconstruction of Dyninst 11
- 19. Code Insertion (Apache hotpatch tool) PatchBlock *b1, *b2; b1 callee b2 The Deconstruction of Dyninst 12
- 20. Code Insertion (Apache hotpatch tool) PatchBlock *b1, *b2; b1 Snippet::Ptr snip; callee IC::Ptr code = PatchModifier::insert(b1->obj(), snip, b1->exit()); b2 The Deconstruction of Dyninst 12
- 21. Code Insertion (Apache hotpatch tool) PatchBlock *b1, *b2; b1 Snippet::Ptr snip; callee IC::Ptr code = PatchModifier::insert(b1->obj(), snip, b1->exit()); b2 PatchModifier::redirect(getEdge(b1, CALL_FT), code->entry()); The Deconstruction of Dyninst 12
- 22. Code Insertion (Apache hotpatch tool) PatchBlock *b1, *b2; b1 Snippet::Ptr snip; callee IC::Ptr code = PatchModifier::insert(b1->obj(), snip, b1->exit()); b2 PatchModifier::redirect(getEdge(b1, CALL_FT), code->entry()); for (iterator iter = code->exits().begin(); iter != code->exits().end(); ++iter) { PatchModifier::redirect(*iter, b2); } The Deconstruction of Dyninst 12
- 23. Code Replacement (CRAFT, Michael PatchBlock *b; Address a2, a3; a2 b a3 The Deconstruction of Dyninst 13
- 24. Code Replacement (CRAFT, Michael PatchBlock *b; b1 Address a2, a3; a2 PatchBlock *b3 = PatchModifier::split(b, a3); b2 PatchBlock *b2 = PatchModifier::split(b, a2); PatchBlock *b1 = b; a3 b3 The Deconstruction of Dyninst 13
- 25. Code Replacement (CRAFT, Michael PatchBlock *b; b1 Address a2, a3; a2 PatchBlock *b3 = PatchModifier::split(b, a3); b2 PatchBlock *b2 = PatchModifier::split(b, a2); PatchBlock *b1 = b; a3 b3 IC::Ptr code = PatchModifier::insert(b->obj(), snip, b2->entry()); The Deconstruction of Dyninst 13
- 26. Code Replacement (CRAFT, Michael PatchBlock *b; b1 Address a2, a3; PatchBlock *b3 = PatchModifier::split(b, a3); b2 PatchBlock *b2 = PatchModifier::split(b, a2); PatchBlock *b1 = b; b3 IC::Ptr code = PatchModifier::insert(b->obj(), snip, b2->entry()); PatchModifier::redirect(getEdge(b1, FT), code->entry()); for (iterator iter = code->exits().begin(); iter != code->exits().end(); ++iter) { PatchModifier::redirect(*iter, b2); } The Deconstruction of Dyninst 13
- 27. Code Replacement (CRAFT, Michael PatchBlock *b; b1 Address a2, a3; PatchBlock *b3 = PatchModifier::split(b, a3); PatchBlock *b2 = PatchModifier::split(b, a2); PatchBlock *b1 = b; b3 IC::Ptr code = PatchModifier::insert(b->obj(), snip, b2->entry()); PatchModifier::redirect(getEdge(b1, FT), code->entry()); for (iterator iter = code->exits().begin(); iter != code->exits().end(); ++iter) { PatchModifier::redirect(*iter, b2); } PatchModifier::remove(b2); The Deconstruction of Dyninst 13
- 28. CFG Modification Callbacks o Interface class for CFG modification updates o Register one (or more) child classes o Notify on CFG element: o Creation o Destruction o Block splitting o New in-edge or out-edge o Removed in-edge or out-edge o Notify on Point creation, destruction, or change The Deconstruction of Dyninst 14
- 29. PatchAPI – User-defined snippets o Allow users to insert their own code o Floating point o Access to complex data structures o Platform-specific optimizations o Precompiled binary blobs o Simple interface o Extensible for better code generation efficiency The Deconstruction of Dyninst 15
- 30. class Snippet o bool generate(Point *point, Buffer &buffer); o point: identifies location of code generation o buffer: container of generated code The Deconstruction of Dyninst 16
- 31. Data structure accesses (boar) lea -128(%rsp), %rsp push %rax Register saves lahf seto %al push %rax push %rbx mov $1, %rax xaddl %rax, <index>(%rip) Circular buffer and <size>, %rax lea <base>(%rip), %rbx access movl <ID> (%rbx,%rax,4) pop %rbx pop %rax add 0x7f, %al Register restores sahf pop %rax lea 128(%rsp), %rsp The Deconstruction of Dyninst 17
- 32. Data structure accesses (boar) mov $1, %rax xaddl %rax, <index>(%rip) Circular buffer and <size>, %rax lea <base>(%rip), %rbx access movl <ID> (%rbx,%rax,4) The Deconstruction of Dyninst 17
- 33. Single-precision floating point (CRAFT) addsd xmm0, addss xmm0, xmm1 xmm1 The Deconstruction of Dyninst 18
- 34. Single-precision floating point (CRAFT) nop cvtsd2ss xmm1, xmm1 mov eax, 0x7ff4dead mov qword ptr [rsp-0xb8], rax mov rcx, 0xffffffff mov rax, 0x0 and rax, rcx lahf rol rax, 0x20 seto al movlpd qword ptr [rsp-0xe8], xmm1 mov qword ptr [rsp-0xc0], rax mov rcx, 0xffffffff mov qword ptr [rsp-0xd0], rax and qword ptr [rsp-0xe8], rcx mov qword ptr [rsp-0xd8], rbx or qword ptr [rsp-0xe8], rax mov qword ptr [rsp-0xe0], rcx movlpd xmm1, qword ptr [rsp-0xe8] movq rax, xmm0 mov rbx, 0x7fffffff00000000 mov rax, 0x605000 and rax, rbx mov rbx, qword ptr [rax] mov rbx, 0x7ff4dead00000000 inc qword ptr [rbx+0xf8] cmp rbx, rax mov rcx, qword ptr [rsp-0xe0] jz 0x7fff1d923f6c mov rbx, qword ptr [rsp-0xd8] mov rax, qword ptr [rsp-0xd0] movq rax, xmm1 mov rax, qword ptr [rsp-0xb8] mov rbx, 0x7fffffff00000000 addss xmm0, xmm1 and rax, rbx mov qword ptr [rsp-0xb8], rax mov rbx, 0x7ff4dead00000000 mov qword ptr [rsp-0xd0], rax cmp rbx, rax mov qword ptr [rsp-0xd8], rcx jz 0x7fff1d923f6c mov eax, 0x7ff4dead mov rcx, 0xffffffff cvtsd2ss xmm0, xmm0 and rax, rcx mov eax, 0x7ff4dead rol rax, 0x20 mov rcx, 0xffffffff movlpd qword ptr [rsp-0xe0], xmm0 and rax, rcx mov rcx, 0xffffffff rol rax, 0x20 and qword ptr [rsp-0xe0], rcx movlpd qword ptr [rsp-0xe8], xmm0 or qword ptr [rsp-0xe0], rax mov rcx, 0xffffffff movlpd xmm0, qword ptr [rsp-0xe0] and qword ptr [rsp-0xe8], rcx mov rcx, qword ptr [rsp-0xd8] or qword ptr [rsp-0xe8], rax mov rax, qword ptr [rsp-0xd0] movlpd xmm0, qword ptr [rsp-0xe8] mov rax, qword ptr [rsp-0xc0] add al, 0x7f sahf mov rax, qword ptr [rsp-0xb8] The Deconstruction of Dyninst 18
- 35. Dyninst 8.0 o Coming soon! o Individual component integration complete o Final merging in progress o Great features and new platform support o Beta access upon request The Deconstruction of Dyninst 19
- 36. Research Status o Recently finished: o Binary editing (Bernat) o Extreme scale process control and inspection (Brim) o Analyzing and instrumenting malicious code (Roundy) o In flight: o Analysis and visualization of large systems (Fang) o Return address tamper detection (Jacobson) Papers at www.paradyn.org o Binary authorship (Meng) The Deconstruction of Dyninst 20
Hinweis der Redaktion
- \n
- \n
- Overhead results were gathered from instrumenting the SPEC CPU benchmarks. We instrumented each basic block with an increment of a value in memory. For each tool we used their provided example code that includes all pertinent optimizations. \n\nDyninst 7.0 and 8.0: www.dyninst.org\nPEBIL: http://www.sdsc.edu/pmac/projects/pebil.html\nPIN: http://www.pintool.org/\nDynamoRIO: http://code.google.com/p/dynamorio/\n\nResults for omnetpp are missing for Dyninst 7.0 and PEBIL; omnet uses an exception mechanism that neither tool handles. \nPEBIL failed to correctly instrument GCC. \n\n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n