Slide 1: Instrumentation with Relocatable Program Code
Tugrul Ince, Department of Computer Science, University of Maryland, College Park, MD 20742
Slide 2: Code Patching

Example target: instrumenting the entry of BZ2_blockSort.

void BZ2_blockSort ( EState* s )
{
   UInt32* ptr    = s->ptr;
   UChar*  block  = s->block;
   UInt32* ftab   = s->ftab;
   Int32   nblock = s->nblock;
   Int32   verb   = s->verbosity;
   Int32   wfact  = s->workFactor;
   ...
}

Instrumentation to insert at function entry: reportFuncName("BZ2_blockSort");
Slide 3: Code Patching

Original code:

<BZ2_blockSort>:
0x4023c0 push %r15
0x4023c2 push %r14
0x4023c4 push %r13
0x4023c6 push %r12
0x4023c8 push %rbp
0x4023c9 push %rbx
0x4023ca sub $0x12a8,%rsp
0x4023d1 mov 0x6c(%rdi),%ecx
0x4023d4 mov 0x38(%rdi),%rax
...
0x402405 mov 0x58(%rdi),%ecx
0x402408 jle 0x4033d5 <BZ2_blockSort+4117>

Instrumentation to insert:
mov $0x40b554,%rdi
callq 400800 <reportFuncName>
Slide 4: Code Patching

Diagram: the patched function and the relocated code.

Old location (<BZ2_blockSort>, starting at 0x4023c0; the listing is the one on slide 3, with 0x402410 as the first instruction after the patched region): the overwritten region now holds "jmp 0xdeadbeef" (placeholder for the address of the relocated code) followed by illegal instructions.

Relocated code:
Set up for instrumentation (save state)
mov $0x40b554,%rdi
callq 400800 <reportFuncName>
Restore original state
push %r15
push %r14
push %r13
push %r12
push %rbp
push %rbx
sub $0x12a8,%rsp
mov 0x6c(%rdi),%ecx
mov 0x38(%rdi),%rax
...
mov 0x58(%rdi),%ecx
jle 0x4033d5 <BZ2_blockSort+4117>
jmp 0x402410
Slide 5: Limitations of Current Mechanism

- Effort to relocate code
- Execution is terminated if old code is accessed: illegal instructions trigger a crash
- Need to use interrupts: if a jump will not fit into the space provided by the relocated code, insert a small interrupt instead

Diagram: blocks A, B, C in the original layout; after relocating B to B', the old B location holds "jmp B'" followed by illegal instructions, and B' ends with "jmp C".
Slide 6: What If? We had space for inserting instrumentation

- Reduce the need to relocate
- No need to use interrupts
- Relocation was easy
- No need to update all addresses
- No forwarding mechanism required

Diagram: with space available, the instrumented block B' takes the place of B (A, B', C); without it, B' has to be appended after the old code (A, B, C, then B').
Slide 7: What If? We were guaranteed that old code would never be executed

- No need to insert illegal instructions
- Inserting instrumentation required less effort
- Can use instrumentation more often

Diagram: blocks A, B, C; after instrumentation B' sits after C and the old B location is simply left empty.
Slide 8: Relocatable Basic Blocks

- Untie code from its location: position independent code
- Limited dependency on addresses at control transfers
- Explicit control transfers where needed
- New data structure to store basic block locations: Basic Block Linkage Table (BLT), jump instructions to the target
Slide 9: Creating Relocatable Basic Blocks (diagram only)
Slide 10: Relocatable Basic Blocks – BLT_only (diagram; BLT = Basic Block Linkage Table)
Slide 11: Relocatable Basic Blocks – BLT_with_FT (diagram; BLT = Basic Block Linkage Table, FT = Fall-through)
Slide 12: Creating Relocatable Basic Blocks

- Source to intermediate representation (our IR: assembly)
- Work on the intermediate representation: generate BLT and/or TAT; insert/replace jumps to make use of the BLT
- Convert the intermediate representation into an executable (we use the GNU Assembler, gas)
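An added example (not the authors' tool) of the slide 12 pipeline in the BLT_only form of slide 10: a minimal rewriter over a constructed gas fragment that emits one BLT trampoline per label, redirects every label use (direct branch or address taken for an indirect jump) to that entry, and makes fall-throughs explicit. The fragment, the BLT_ naming and the assumption that every label starts a basic block are mine.

```python
import re

# Constructed gas-syntax fragment: three basic blocks A, B, C. B is reached by
# fall-through from A; C by a conditional branch and by an indirect jump whose
# target address is taken with lea.
SRC = """\
A:
    mov 0x6c(%rdi),%ecx
    lea C(%rip),%rax
    cmp $0,%ecx
    jle C
B:
    add $1,%eax
    jmp *%rax
C:
    ret
"""

LABEL = re.compile(r"^([A-Za-z_.][\w.]*):\s*$")   # assumption: every label starts a block

def rewrite_blt_only(asm):
    """Return (code, blt). Every use of a block label, whether a direct branch
    or an address taken for an indirect jump, is redirected to the block's BLT
    entry, and fall-throughs become explicit jumps so blocks can move freely."""
    lines = [l for l in asm.splitlines() if l.strip()]
    labels = [m.group(1) for l in lines if (m := LABEL.match(l))]
    use = re.compile(r"(?<![\w.])(" + "|".join(map(re.escape, labels)) + r")(?![\w.])")
    code = []
    for i, line in enumerate(lines):
        if LABEL.match(line):
            code.append(line)
            continue
        code.append(use.sub(r"BLT_\1", line))      # retarget label uses at the BLT
        nxt = lines[i + 1] if i + 1 < len(lines) else None
        if nxt and (m := LABEL.match(nxt)) and line.split()[0] not in ("jmp", "ret"):
            code.append(f"    jmp BLT_{m.group(1)}")   # make the fall-through explicit
    blt = [f"BLT_{lab}:\n    jmp {lab}" for lab in labels]  # one trampoline per block
    return "\n".join(code), "\n".join(blt)

if __name__ == "__main__":
    code, blt = rewrite_blt_only(SRC)
    print(code, "\n", blt, sep="\n")
```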
Slide 13: Relocating Basic Blocks

- Relocation might be unnecessary: use padding left in the binary during compilation
- Relocate if there is not enough space for instrumentation: just copy the code and update the BLT entry
Slide 14: No Need for Illegal Instructions

- Execution will not reach the old location: jumps go through the BLT
- Indirect jumps? During compilation all labels are identified and all uses are replaced with the corresponding BLT entries, so indirect jumps use these labels and go through the BLT
- ... except when fall-throughs are allowed; handled by leaving a single jump instruction at the old location
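The relocation step of slides 13 and 14 as an added example, not the authors' code: a constructed toy machine in the BLT_only form (explicit jumps only, no fall-throughs) whose jumps resolve through a BLT, so instrumenting a block is a copy plus one BLT update, and the execution counts show the old copy is never reached without any illegal instructions or forwarding jump. The opcodes, the program and the REPORT hook are mine.

```python
ADD, JMP, REPORT, HALT = "add", "jmp", "report", "halt"
class Machine:
    """Toy machine: code is a list of (op, arg); JMP's arg is a block id
    that is resolved through the BLT, never a raw address (BLT_only variant)."""
    def __init__(self, blocks):
        self.code, self.blt = [], {}
        for bid, insns in blocks.items():        # lay blocks out contiguously
            self.blt[bid] = len(self.code)       # BLT: block id -> current address
            self.code.extend(insns)
        self.hits = {}                           # address -> executions in the last run
        self.reports = []                        # instrumentation events seen

    def run(self, entry, max_steps=1000):
        pc, acc, self.hits = self.blt[entry], 0, {}
        for _ in range(max_steps):
            op, arg = self.code[pc]
            self.hits[pc] = self.hits.get(pc, 0) + 1
            if op == ADD:
                acc, pc = acc + arg, pc + 1
            elif op == JMP:
                pc = self.blt[arg]               # every transfer goes through the BLT
            elif op == REPORT:
                self.reports.append(arg)
                pc += 1
            else:                                # HALT
                return acc
        raise RuntimeError("step limit exceeded")

    def instrument(self, bid):
        """Relocate block bid to free space at the end of memory behind a REPORT
        hook and repoint its BLT entry. The old copy is left as it is: no illegal
        instructions and no forwarding jump, because nothing can transfer to it."""
        src = end = self.blt[bid]
        while self.code[end][0] not in (JMP, HALT):   # find the block terminator
            end += 1
        new_addr = len(self.code)
        self.code.append((REPORT, bid))
        self.code.extend(self.code[src:end + 1])
        self.blt[bid] = new_addr                 # the only address that changes
        return new_addr

# Constructed program: A -> B -> C, accumulating 1 + 10 + 100.
PROGRAM = {"A": [(ADD, 1), (JMP, "B")],
           "B": [(ADD, 10), (JMP, "C")],
           "C": [(ADD, 100), (HALT, None)]}

if __name__ == "__main__":
    m = Machine(PROGRAM)
    print("before:", m.run("A"))
    m.instrument("B")
    print("after:", m.run("A"), m.reports, "old B executed:", 2 in m.hits)
```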
Slide 15: Number of Instructions

Chart: number of taken branches and total number of instructions (billions) for the mcf benchmark.
Slide 16: Normalized Running Times (chart)
Slide 17: Other Uses

- Support for use of multiple versions of shared libraries: the correct BLT is selected at runtime
- Branch alignment at runtime: use an auto-tuner to reorder basic blocks
- Code obfuscation through hidden basic block locations: encrypt BLT entries at compile time, decrypt at launch time
- Resilience against intrusion attacks: Address Space Layout Randomization using runtime relocation
Slide 18: Conclusion

- Introduced Relocatable Basic Blocks
- Simplified instrumentation
- Have other uses (security, shared libraries, etc.)

Current Mechanism                          | With Relocatable Basic Blocks
-------------------------------------------|------------------------------------------------
Use of illegal instructions                | No need for illegal instructions
Forwarding mechanism during relocation     | Only update block address at BLT for relocation
Relocation required often                  | Relocation required less frequently
Interrupts sometimes needed                | No interrupts needed
Plain mutatee                              | Larger mutatee, running time overhead
No recompilation required                  | Requires recompilation