Slide1
Comprehensive Kernel Instrumentation via Dynamic Binary Translation
Peter Feiner, Angela Demke Brown, Ashvin Goel (University of Toronto)
Presenter: Chuong Ngo
Slide2
The Origin Story: Starting In Medias Res
No parents, uncles, or girlfriends were killed during the creation of this presentation.
Slide3
DBT is the Answer!
Emulation of one instruction set by another through translation of binary code during execution.
More practical than static binary translation.
Simplifies identification of executable code.
Amortizes translation overhead costs over time.
Slide4
…and I Remember Everything!
Slide5
The Answer to What?
Ports
Abandonware
Analysis
Bug finding
Security
Slide6
Assemble!
User Level
JIFL
PinOS
Pin
DynamoRIO
Valgrind
Power Level < 9K
Slide7
It’s a Bird! It’s a Plane! It’s DRK!
All the way from Earth-1610 via Cataclysm
Slide8
But Who Hides Behind the Mask?
4 Goals for a kernel DBT framework:
Full coverage of kernel code.
No direct overhead for user-level code.
Preserve original concurrency and execution interleaving.
Be transparent.
DynamoRIO for the kernel.
Slide9
DynamoRIO Flashback!
Code cache
CTIs return control to dispatcher
Direct branch patching
Next Executing Tail
Client callbacks
Slide10
Well Victor…I’ve been thinking.
All kernel entry points point to the dispatcher.
Shadow descriptor table
Self-contained dispatcher
Custom heap allocator
“Pull” I/O model
CPU-private data
Interrupts delayed in code cache, disabled in dispatcher.
Exceptions use restored native states.
Slide11
A Carbonadium Skeleton
Slide12
DRK Initialization
Individual CPU initialization
Allocate CPU resources
Point all kernel entry points to the dispatcher
Redirect all interrupts
Allocate memory for the heap
Check all processors for successful memory mapping.
Must be within 2 GB of text and data segments.
Slide13
DRK Normal Operations
Determine target of control transfer instruction and dispatch.
Kernel exit points executed via native instructions.
Dispatcher creates and caches code fragment.
Context switches to the code fragment.
Slide14
You Can’t Escape This Timeline!
Exceptions run natively; native state must be restored.
Interrupts are delayed and emulated.
Other interrupts are disabled.
Captured interrupt executed between block dispatches.
Slide15
How does it stack up?
How did--? This… you… What are you?
Slide16
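The dispatch loop sketched across the DynamoRIO Flashback, DRK Normal Operations and You Can’t Escape This Timeline slides (code cache, CTIs returning control to the dispatcher, a client callback per instruction, interrupts captured in the code cache and delivered only between block dispatches), as an added toy model in Python. It is not DRK’s or DynamoRIO’s code; the toy instruction set, the ToyDBT class and the constructed program are assumptions for illustration.

```python
# Toy model (not DRK/DynamoRIO code) of a DBT dispatcher: CTIs return to the
# dispatcher, blocks are cached, a client counts instructions, IRQs are delayed.
PROGRAM = {  # constructed toy program: r0 counts down from 3, r1 accumulates
    0: ("mov", "r0", 3),
    1: ("add", "r0", -1),   # loop head
    2: ("add", "r1", 10),
    3: ("jnz", "r0", 1),    # CTI: branch to 1 while r0 != 0, else fall through
    4: ("halt",),
}

class ToyDBT:
    def __init__(self, irq_at_inst=None):
        self.regs = {"r0": 0, "r1": 0}
        self.cache = {}            # native block pc -> translated fragment
        self.translations = 0      # dispatcher misses that required translation
        self.inst_count = 0        # the "Instruction Count" client's counter
        self.irq_at_inst = irq_at_inst  # dynamic instruction at which an IRQ fires
        self.pending_irq = False   # IRQ captured while executing in the code cache
        self.irq_log = []          # native pcs at which IRQs were actually delivered

    def translate(self, pc):  # copy one basic block, through its CTI, into the cache
        block = []
        while True:
            block.append(PROGRAM[pc + len(block)])
            if block[-1][0] in ("jnz", "halt"):
                break
        self.translations += 1
        self.cache[pc] = block
        return block

    def run_fragment(self, block, pc):  # run a fragment; its CTI yields the next pc
        for op, *args in block:
            self.inst_count += 1   # inlined client callback, one per instruction
            if self.inst_count == self.irq_at_inst:
                self.pending_irq = True  # arrives mid-fragment: captured, not run yet
            if op == "mov":
                self.regs[args[0]] = args[1]
            elif op == "add":
                self.regs[args[0]] += args[1]
            elif op == "jnz":
                return args[1] if self.regs[args[0]] != 0 else pc + len(block)
            elif op == "halt":
                return None

    def dispatch(self, pc=0):  # dispatcher loop: look up or translate, then run
        while pc is not None:
            block = self.cache.get(pc) or self.translate(pc)
            pc = self.run_fragment(block, pc)
            if self.pending_irq:       # back in the dispatcher: deliver at boundary
                self.irq_log.append(pc)
                self.pending_irq = False
        return self.regs
```

With an interrupt arriving at dynamic instruction 3 (native pc 2, in the middle of a block), the model records its delivery at the block boundary pc 1, while the loop body is translated once and then served from the cache.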
I’ve always found hardware to be more reliable
Test System: Dell Optiplex 980
8 GB RAM
4x Intel Core i7s at 2.8 GHz, no hyperthreading
2 Clients:
Null Client
Instruction Count
Filebench
Slide17
I’m the best at what I do?
Slide18
There’s a whole new master of magnetism in town!
Slide19
I know everything. I can’t help it.
Slide20
With great power…
4 Goals for a kernel DBT framework:
Full coverage of kernel code.
No direct overhead for user-level code.
Preserve original concurrency and execution interleaving.
Be transparent.
Slide21
I’ll be there…around every corner
Full coverage of kernel code.
Preserve original concurrency and execution interleaving.
Slide22
Fastest man alive with a limp
No direct overhead for user-level code.
Increased cache and TLB misses.
Slide23
The cosmic rays…what did they do to us?
Be transparent.
No code cache consistency.
Shadow descriptor tables readable via hardware registers.
Page table inconsistencies.
CPU-private data.
Slide24
…comes great responsibility.
4 Goals for a kernel DBT framework:
Full coverage of kernel code.
No direct overhead for user-level code.
Preserve original concurrency and execution interleaving.
Be transparent.
Slide25
DRK Applications
This was the world that I had created.
Slide26
DRK’s Shadow Memory
Storing metadata about memory used.
Ported UMBRA.
Simple indirect mapping.
Copy-on-write.
10x overhead vs. native.
Slide27
KAddrcheck
Memory addressability checking tool.
Scans slab allocator’s data structures to locate all pages and freelists.
Triggers shadow memory allocations.
Addressability checks run on every memory access.
Slide28
Stackcheck
Checks for addressability errors.
Kills calling thread and continues.
Modified KAddrcheck
Resolves overflow without system crash.
Stack overflow guard
Slide29
Triumph!
DRK is a kernel-level DBT.
DynamoRIO “port”.
Heavy implementation.
Missing a number of features.
Slide30