DOCSLIB.ORG

Dynamic Binary Translation & Instrumentation

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Dynamic Binary Translation & Instrumentation 1/24/2017 Dynamic Binary Translation & Instrumentation Pin Building Customized Program Analysis Tools with Dynamic Instrumentation CK Luk, Robert Cohn, Robert Muth, Harish Patil, Artur Klauser, Geoff Lowney, Steven Wallace, Kim Hazelwood Intel Vijay Janapa Reddi University of Colorado http://rogue.colorado.edu/Pin PLDI’05 2 1 1/24/2017 Instrumentation • Insert extra code into programs to collect information about execution • Program analysis: • Code coverage, call‐graph generation, memory‐leak detection • Architectural study: • Processor simulation, fault injection • Existing binary‐level instrumentation systems: • Static: • ATOM, EEL, Etch, Morph • Dynamic: • Dyninst, Vulcan, DTrace, Valgrind, Strata, DynamoRIO Pin is a new dynamic binary instrumentation system PLDI’05 3 A Pintool for Tracing Memory Writes #include <iostream> #include "pin.H" executed immediately before a FILE* trace; write is executed • Same source code works on the 4 architectures VOID RecordMemWrite(VOID* ip, VOID* addr, UINT32 size) { fprintf(trace, “%p: W %p %d\n”, ip, addr, size);=> Pin takes care of different addressing modes } • No need to manually save/restore application state VOID Instruction(INS ins, VOID *v) { if (INS_IsMemoryWrite(ins))=> Pin does it for you automatically and efficiently INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(RecordMemWrite), IARG_INST_PTR, IARG_MEMORYWRITE_EA, IARG_MEMORYWRITE_SIZE, IARG_END); } int main(int argc, char * argv[]) { executed when an instruction is PIN_Init(argc, argv); dynamically compiled trace = fopen(“atrace.out”, “w”); INS_AddInstrumentFunction(Instruction, 0); PIN_StartProgram(); return 0; PLDI’05 4 } 2 1/24/2017 Dynamic Instrumentation Original code Code cache Exits point back to Pin 1 1’ 2 3 2’ 5 4 7’ 6 7 Pin Pin fetches trace starting block 1 and start instrumentation PLDI’05 5 Dynamic Instrumentation Original code Code cache 1 1’ 2 3 2’ 5 4 7’ 6 7 Pin Pin transfers control into code cache (block 1) PLDI’05 6 3 1/24/2017 Dynamic Instrumentation Original code Code cache trace linking 1 1’ 3’ 2 3 2’ 5’ 5 4 7’ 6’ 6 7 Pin Pin fetches and instrument a new trace PLDI’05 7 Pin’s Software Architecture Address space Pintool 3 programs (Pin, Pintool, App) in same Pin address space: User‐level only Instrumentation APIs Instrumentation APIs: Virtual Machine (VM) Through which Pintool communicates with Pin JIT Compiler Code JIT compiler: Cache Dynamically compile and instrument Application Emulation Unit Emulation unit: Handle insts that can’t be directly executed (e.g., syscalls) Operating System Hardware Code cache: Store compiled code PLDI’05 => Coordinated by VM 8 4 1/24/2017 Pin Internal Details • Loading of Pin, Pintool, & Application • An Improved Trace Linking Technique • Register Re‐allocation • Instrumentation Optimizations • Multithreading Support PLDI’05 9 Register Re‐allocation • Instrumented code needs extra registers. E.g.: • Virtual registers available to the tool • A virtual stack pointer pointing to the instrumentation stack • Many more … • Approaches to get extra registers: 1. Ad‐hoc (e.g., DynamoRIO, Strata, DynInst) – Whenever you need a register, spill one and fill it afterward 2. Re‐allocate all registers during compilation a. Local allocation (e.g., Valgrind) • Allocate registers independently within each trace b. Global allocation (Pin) • Allocate registers across traces (can be inter‐procedural) PLDI’05 10 5 1/24/2017 Valgrind’s Register Re‐allocation Original Code Trace 1 mov 1, %eax mov 1, %eax mov 2, %ebx mov 2, %esi Virtual Physical cmp %ecx, %edx re‐allocate cmp %ecx, %edx %eax %eax jz t mov %eax, SPILLeax %ebx %esi mov %esi, SPILLebx %ecx %ecx jz t’ t: add 1, %eax %edx %edx sub 2, %ebx Trace 2 t’: mov SPILLeax, %eax Virtual Physical mov SPILLebx ,%edi %eax %eax add 1, %eax %ebx %edi Simple but inefficient sub 2, %edi %ecx %ecx %edx %edx • All modified registers are spilled at a trace’s end • Refill registers at a trace’s beginning PLDI’05 11 Pin’s Register Re‐allocation Scenario (1): Compiling a new trace at a trace exit Original Code Trace 1 mov 1, %eax mov 1, %eax mov 2, %ebx mov 2, %esi Compile Trace 2 using the cmp %ecx, %edx re‐allocate cmp %ecx, %edx jz t jz t’ binding at Trace 1’s exit: Virtual Physical t: add 1, %eax %eax %eax %ebx %esi sub 2, %ebx Trace 2 %ecx %ecx %edx %edx t’: add 1, %eax sub 2, %esi PLDI’05 No spilling/filling needed across traces 12 6 1/24/2017 Pin’s Register Re‐allocation Scenario (2): Targeting an already generated trace at a trace exit Original Code Trace 1 (being compiled) mov 1, %eax mov 1, %eax mov 2, %ebx mov 2, %esi re‐allocate Virtual Physical cmp %ecx, %edx cmp %ecx, %edx %eax %eax mov %esi, SPILL jz t ebx %ebx %esi mov SPILLebx, %edi %ecx %ecx t: add 1, %eax jz t’ %edx %edx sub 2, %ebx Trace 2 (in code cache) t’: add 1, %eax Virtual Physical sub 2, %edi %eax %eax %ebx %edi %ecx %ecx Minimal spilling/filling code %edx %edx PLDI’05 13 Instrumentation Optimizations 1. Inline instrumentation code into the application 2. Avoid saving/restoring eflags with liveness analysis 3. Schedule inlined instrumentation code PLDI’05 14 7 1/24/2017 OriginalExample: Instruction Counting code cmov %esi, %edi cmp %edi, (%esp) BBL_InsertCall(bbl, IPOINT_BEFORE, docount(), jle <target1> IARG_UINT32, BBL_NumIns(bbl), add %ecx, %edx IARG_END) cmp %edx, 0 je <target2> 33 extra instructions executed altogether Instrument without applying any optimization Trace bridge() mov %esp,SPILLappsp pushf mov SPILL ,%esp pinsp push %edx call <bridge> push %ecx cmov %esi, %edi docount() mov SPILLappsp,%esp push %eax cmp %edi, (%esp) movl 0x3, %eax add %eax,icount jle <target1’> call docount ret pop %eax mov %esp,SPILLappsp pop %ecx mov SPILLpinsp,%esp call <bridge> pop %edx add %ecx, %edx popf cmp %edx, 0 PLDI’05 ret 15 je <target2’> Example: Instruction Counting Original code cmov %esi, %edi cmp %edi, (%esp) jle <target1> Inlining add %ecx, %edx cmp %edx, 0 Trace je <target2> mov %esp,SPILLappsp mov SPILLpinsp,%esp pushf add 0x3, icount popf cmov %esi, %edi 11 extra instructions executed mov SPILLappsp,%esp cmp %edi, (%esp) jle <target1’> mov %esp,SPILLappsp mov SPILLpinsp,%esp pushf add 0x3, icount popf add %ecx, %edx PLDI’05 cmp %edx, 0 16 je <target2’> 8 1/24/2017 Example: Instruction Counting Original code cmov %esi, %edi cmp %edi, (%esp) jle <target1> Inlining + eflags liveness analysis add %ecx, %edx cmp %edx, 0 Trace je <target2> mov %esp,SPILLappsp mov SPILLpinsp,%esp pushf add 0x3, icount popf cmov %esi, %edi 7 extra instructions executed mov SPILLappsp,%esp cmp %edi, (%esp) jle <target1’> add 0x3, icount add %ecx, %edx cmp %edx, 0 je <target2’> PLDI’05 17 Example: Instruction Counting Original code cmov %esi, %edi cmp %edi, (%esp) jle <target1> Inlining + eflags liveness analysis + scheduling add %ecx, %edx cmp %edx, 0 Trace je <target2> cmov %esi, %edi add 0x3, icount cmp %edi, (%esp) 2 extra instructions executed jle <target1’> add 0x3, icount add %ecx, %edx cmp %edx, 0 je <target2’> PLDI’05 18 9 1/24/2017 Pin Instrumentation Performance Runtime overhead of basic‐block counting with Pin on IA32 Without optimization Inlining Inlining + eflags liveness analysis Inlining + eflags liveness analysis + scheduling 11 10.4 10 9 7.8 8 7 6 5 3.9 3.5 4 2.8 2.5 3 1.5 2 1.4 1 Average Average Slowdown 0 SPECINT SPECFP (SPEC2K using reference data sets) PLDI’05 19 Comparison among Dynamic Instrumentation Tools Runtime overhead of basic‐block counting with three different tools Valgrind DynamoRIO Pin 9 8.3 8 7 6 5.1 5 4 3 2.5 2 Average Slowdown Average 1 0 SPECINT • Valgrind is a popular instrumentation tool on Linux • Call‐based instrumentation, no inlining • DynamoRIO is the performance leader in binary dynamic optimization • Manually inline, no eflags liveness analysis and scheduling PLDI’05Pin automatically provides efficient instrumentation20 10 1/24/2017 Pin Applications • Sample tools in the Pin distribution: • Cache simulators, branch predictors, address tracer, syscall tracer, edge profiler, stride profiler • Some tools developed and used inside Intel: • Opcodemix (analyze code generated by compilers) • PinPoints (find representative regions in programs to simulate) • A tool for detecting memory bugs • Some companies are writing their own Pintools: • A major database vendor, a major search engine provider • Some universities using Pin in teaching and research: • U. of Colorado, MIT, Harvard, Princeton, U of Minnesota, Northeastern, Tufts, University of Rochester, … PLDI’05 21 Conclusions • Pin • A dynamic instrumentation system for building your own program analysis tools • Easy to use, robust, transparent, efficient • Tool source compatible on IA32, EM64T, Itanium, ARM • Works on large applications • database, search engine, web browsers, … • Available on Linux; Windows version coming soon • Downloadable from http://rogue.colorado.edu/Pin • User manual, many example tools, tutorials • 3300 downloads since 2004 July PLDI’05 22 11 1/24/2017 Valgrind A Framework for Heavyweight Dynamic Binary Instrumentation Nicholas Nethercote — National ICT Australia Julian Seward — OpenWorks LLP 23 FAQ #1 • How do you pronounce “Valgrind”? • “Val‐grinned”, not “Val‐grined” • Don’t feel bad: almost everyone gets it wrong at first 24 12 1/24/2017 DBA tools • Program analysis tools are useful • Bug detectors • Profilers • Visualizers • Dynamic binary analysis (DBA) tools • Analyse a program’s machine code at run‐time • Augment original code with analysis code 25 Building DBA tools • Dynamic binary instrumentation (DBI) • Add analysis code to the original machine code at run‐ time • No preparation, 100% coverage • DBI frameworks • Pin, DynamoRIO, Valgrind, etc. Tool Framework +=Tool plug‐in 26 13 1/24/2017 Prior work Well-studied Not well-studied Framework Instrumentation performance capabilities Simple tools Complex tools • Potential of DBI has not been fully exploited • Tools get less attention than frameworks • Complex tools are more interesting than simple tools 27 Shadow value tools 28 14 1/24/2017 Shadow value tools (I) • Shadow every value with another value that describes it • Tool stores and propagates shadow values in parallel Tool(s) Shadow values help find..
Load more

Recommended publications
  • Dynamic Optimization of IA-32 Applications Under Dynamorio by Timothy Garnett
    Dynamic Optimization of IA-32 Applications Under DynamoRIO by Timothy Garnett Submitted to the Department of Electrical Engineering and Computer Science in Partial Fulfillment of the Requirements for the Degree of Master of Engineering in Computer Science Abstract The ability of compilers to optimize programs statically is diminishing. The advent and increased use of shared libraries, dynamic class loading, and runtime binding means that the compiler has, even with difficult to accurately obtain profiling data, less and less knowledge of the runtime state of the program. Dynamic optimization systems attempt to fill this gap by providing the ability to optimize the application at runtime when more of the system's state is known and very accurate profiling data can be obtained. This thesis presents two uses of the DynamoRIO runtime introspection and modification system to optimize applications at runtime. The first is a series of optimizations for interpreters running under DynamoRIO's logical program counter extension. The optimizations include extensions to DynamoRIO to allow the interpreter writer add a few annotations to the source code of his interpreter that enable large amounts of optimization. For interpreters instrumented as such, improvements in performance of 20 to 60 percent were obtained. The second use is a proof of concept for accelerating the performance of IA-32 applications running on the Itanium processor by dynamically translating hot trace paths into Itanium IA-64 assembly through DynamoRIO while allowing the less frequently executed potions of the application to run in Itanium's native IA-32 hardware emulation. This transformation yields speedups of almost 50 percent on small loop intensive benchmarks.
    [Show full text]
  • Linux Kernel and Driver Development Training Slides
    Linux Kernel and Driver Development Training Linux Kernel and Driver Development Training © Copyright 2004-2021, Bootlin. Creative Commons BY-SA 3.0 license. Latest update: October 9, 2021. Document updates and sources: https://bootlin.com/doc/training/linux-kernel Corrections, suggestions, contributions and translations are welcome! embedded Linux and kernel engineering Send them to [email protected] - Kernel, drivers and embedded Linux - Development, consulting, training and support - https://bootlin.com 1/470 Rights to copy © Copyright 2004-2021, Bootlin License: Creative Commons Attribution - Share Alike 3.0 https://creativecommons.org/licenses/by-sa/3.0/legalcode You are free: I to copy, distribute, display, and perform the work I to make derivative works I to make commercial use of the work Under the following conditions: I Attribution. You must give the original author credit. I Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one. I For any reuse or distribution, you must make clear to others the license terms of this work. I Any of these conditions can be waived if you get permission from the copyright holder. Your fair use and other rights are in no way affected by the above. Document sources: https://github.com/bootlin/training-materials/ - Kernel, drivers and embedded Linux - Development, consulting, training and support - https://bootlin.com 2/470 Hyperlinks in the document There are many hyperlinks in the document I Regular hyperlinks: https://kernel.org/ I Kernel documentation links: dev-tools/kasan I Links to kernel source files and directories: drivers/input/ include/linux/fb.h I Links to the declarations, definitions and instances of kernel symbols (functions, types, data, structures): platform_get_irq() GFP_KERNEL struct file_operations - Kernel, drivers and embedded Linux - Development, consulting, training and support - https://bootlin.com 3/470 Company at a glance I Engineering company created in 2004, named ”Free Electrons” until Feb.
    [Show full text]
  • Dynamic Binary Translation & Instrumentation
    Dynamic Binary Translation & Instrumentation Pin Building Customized Program Analysis Tools with Dynamic Instrumentation CK Luk, Robert Cohn, Robert Muth, Harish Patil, Artur Klauser, Geoff Lowney, Steven Wallace, Kim Hazelwood Intel Vijay Janapa Reddi University of Colorado http://rogue.colorado.edu/Pin PLDI’05 2 Instrumentation • Insert extra code into programs to collect information about execution • Program analysis: • Code coverage, call-graph generation, memory-leak detection • Architectural study: • Processor simulation, fault injection • Existing binary-level instrumentation systems: • Static: • ATOM, EEL, Etch, Morph • Dynamic: • Dyninst, Vulcan, DTrace, Valgrind, Strata, DynamoRIO C Pin is a new dynamic binary instrumentation system PLDI’05 3 A Pintool for Tracing Memory Writes #include <iostream> #include "pin.H" executed immediately before a FILE* trace; write is executed • Same source code works on the 4 architectures VOID RecordMemWrite(VOID* ip, VOID* addr, UINT32 size) { fprintf(trace,=> “%p: Pin Wtakes %p %dcare\n”, of ip, different addr, size); addressing modes } • No need to manually save/restore application state VOID Instruction(INS ins, VOID *v) { if (INS_IsMemoryWrite(ins))=> Pin does it for you automatically and efficiently INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(RecordMemWrite), IARG_INST_PTR, IARG_MEMORYWRITE_EA, IARG_MEMORYWRITE_SIZE, IARG_END); } int main(int argc, char * argv[]) { executed when an instruction is PIN_Init(argc, argv); dynamically compiled trace = fopen(“atrace.out”, “w”); INS_AddInstrumentFunction(Instruction,
    [Show full text]
  • Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation
    Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation Chi-Keung Luk Robert Cohn Robert Muth Harish Patil Artur Klauser Geoff Lowney Steven Wallace Vijay Janapa Reddi Kim Hazelwood Intel Corporation ¡ University of Colorado ¢¤£¦¥¨§ © £ ¦£ "! #%$&'( £)&(¦*+©-,.+/01$©-!2 ©-,2¦3 45£) 67©2, £¦!2 "0 Abstract 1. Introduction Robust and powerful software instrumentation tools are essential As software complexity increases, instrumentation—a technique for program analysis tasks such as profiling, performance evalu- for inserting extra code into an application to observe its behavior— ation, and bug detection. To meet this need, we have developed is becoming more important. Instrumentation can be performed at a new instrumentation system called Pin. Our goals are to pro- various stages: in the source code, at compile time, post link time, vide easy-to-use, portable, transparent, and efficient instrumenta- or at run time. Pin is a software system that performs run-time tion. Instrumentation tools (called Pintools) are written in C/C++ binary instrumentation of Linux applications. using Pin’s rich API. Pin follows the model of ATOM, allowing the The goal of Pin is to provide an instrumentation platform for tool writer to analyze an application at the instruction level with- building a wide variety of program analysis tools for multiple archi- out the need for detailed knowledge of the underlying instruction tectures. As a result, the design emphasizes ease-of-use, portabil- set. The API is designed to be architecture independent whenever ity, transparency, efficiency, and robustness. This paper describes possible, making Pintools source compatible across different archi- the design of Pin and shows how it provides these features.
    [Show full text]
  • Pin Tutorial What Is Instrumentation?
    Pin Tutorial What is Instrumentation? A technique that inserts extra code into a program to collect runtime information Instrumentation approaches: • Source instrumentation: – Instrument source programs • Binary instrumentation: – Instrument executables directly 1 Pin Tutorial 2007 Why use Dynamic Instrumentation? No need to recompile or relink Discover code at runtime Handle dynamically-generated code Attach to running processes 2 Pin Tutorial 2007 Advantages of Pin Instrumentation Easy-to-use Instrumentation: • Uses dynamic instrumentation – Do not need source code, recompilation, post-linking Programmable Instrumentation: • Provides rich APIs to write in C/C++ your own instrumentation tools (called Pintools) Multiplatform: • Supports x86, x86-64, Itanium, Xscale • Supports Linux, Windows, MacOS Robust: • Instruments real-life applications: Database, web browsers, … • Instruments multithreaded applications • Supports signals Efficient: • Applies compiler optimizations on instrumentation code 3 Pin Tutorial 2007 Using Pin Launch and instrument an application $ pin –t pintool –- application Instrumentation engine Instrumentation tool (provided in the kit) (write your own, or use one provided in the kit) Attach to and instrument an application $ pin –t pintool –pid 1234 4 Pin Tutorial 2007 Pin Instrumentation APIs Basic APIs are architecture independent: • Provide common functionalities like determining: – Control-flow changes – Memory accesses Architecture-specific APIs • e.g., Info about segmentation registers on IA32 Call-based APIs:
    [Show full text]
  • In-Memory Protocol Fuzz Testing Using the Pin Toolkit
    In-Memory Protocol Fuzz Testing using the Pin Toolkit BACHELOR’S THESIS submitted in partial fulfillment of the requirements for the degree of Bachelor of Science in Computer Engineering by Patrik Fimml Registration Number 1027027 to the Faculty of Informatics at the Vienna University of Technology Advisor: Dipl.-Ing. Markus Kammerstetter Vienna, 5th March, 2015 Patrik Fimml Markus Kammerstetter Technische Universität Wien A-1040 Wien Karlsplatz 13 Tel. +43-1-58801-0 www.tuwien.ac.at Erklärung zur Verfassung der Arbeit Patrik Fimml Kaiserstraße 92 1070 Wien Hiermit erkläre ich, dass ich diese Arbeit selbständig verfasst habe, dass ich die verwen- deten Quellen und Hilfsmittel vollständig angegeben habe und dass ich die Stellen der Arbeit – einschließlich Tabellen, Karten und Abbildungen –, die anderen Werken oder dem Internet im Wortlaut oder dem Sinn nach entnommen sind, auf jeden Fall unter Angabe der Quelle als Entlehnung kenntlich gemacht habe. Wien, 5. März 2015 Patrik Fimml iii Abstract In this Bachelor’s thesis, we explore in-memory fuzz testing of TCP server binaries. We use the Pin instrumentation framework to inject faults directly into application buffers and take snapshots of the program state. On a simple testing binary, this results in a 2.7× speedup compared to a naive fuzz testing implementation. To evaluate our implementation, we apply it to a VNC server binary as an example for a real-world application. We describe obstacles that we had to tackle during development and point out limitations of our approach. v Contents Abstract v Contents vii 1 Introduction 1 2 Fuzz Testing 3 2.1 Naive Protocol Fuzz Testing .
    [Show full text]
  • Introduction to PIN 6.823: Computer System Architecture
    6.823: Computer System Architecture Introduction to PIN Victor Ying [email protected] Adapted from: Prior 6.823 offerings, and Intel’s Tutorial at CGO 2010 2/7/2020 6.823 Spring 2020 1 Designing Computer Architectures Build computers that run programs efficiently Two important components: 1. Study of programs and patterns – Guides interface, design choices 2. Engineering under constraints – Evaluate tradeoffs of architectural choices 2/7/2020 6.823 Spring 2020 2 Simulation: An Essential Tool in Architecture Research • A tool to reproduce the behavior of a computing device • Why use simulators? – Obtain fine-grained details about internal behavior – Enable software development – Obtain performance predictions for candidate architectures – Cheaper than building system 2/7/2020 6.823 Spring 2020 3 Labs • Focus on understanding program behavior, evaluating architectural tradeoffs Model Results Suite Benchmark 2/7/2020 6.823 Spring 2020 4 PIN • www.pintool.org – Developed by Intel – Free for download and use • A tool for dynamic binary instrumentation Runtime No need to Insert code in the re-compile program to collect or re-link information 2/7/2020 6.823 Spring 2020 5 Pin: A Versatile Tool • Architecture research – Simulators: zsim, CMPsim, Graphite, Sniper, Swarm • Software Development – Intel Parallel Studio, Intel SDE – Memory debugging, correctness/perf. analysis • Security Useful tool to have in – Taint analysis your arsenal! 2/7/2020 6.823 Spring 2020 6 PIN • www.pintool.org – Developed by Intel – Free for download and use • A tool for dynamic binary instrumentation Runtime No need to Insert code in the re-compile program to collect or re-link information 2/7/2020 6.823 Spring 2020 7 Instrumenting Instructions sub $0xff, %edx cmp %esi, %edx jle <L1> mov $0x1, %edi add $0x10, %eax 2/7/2020 6.823 Spring 2020 8 Example 1: Instruction Count I want to count the number of instructions executed.
    [Show full text]
  • An Infrastructure for Adaptive Dynamic Optimization
    An Infrastructure for Adaptive Dynamic Optimization Derek Bruening, Timothy Garnett, and Saman Amarasinghe Laboratory for Computer Science Massachusetts Institute of Technology Cambridge, MA 02139 fiye,timothyg,[email protected] Abstract ing profile information improves the predictions but still falls short for programs whose behavior changes dynami- Dynamic optimization is emerging as a promising ap- cally. Additionally, many software vendors are hesitant to proach to overcome many of the obstacles of traditional ship binaries that are compiled with high levels of static op- static compilation. But while there are a number of com- timization because they are hard to debug. piler infrastructures for developing static optimizations, Shifting optimizations to runtime solves these problems. there are very few for developing dynamic optimizations. Dynamic optimization allows the user to improve the per- We present a framework for implementing dynamic analy- formance of binaries without relying on how they were ses and optimizations. We provide an interface for build- compiled. Furthermore, several types of optimizations are ing external modules, or clients, for the DynamoRIO dy- best suited to a dynamic optimization framework. These in- namic code modification system. This interface abstracts clude adaptive, architecture-specific, and inter-module opti- away many low-level details of the DynamoRIO runtime mizations. system while exposing a simple and powerful, yet efficient Adaptive optimizations require instant responses to and lightweight, API. This is achieved by restricting opti- changes in program behavior. When performed statically, a mization units to linear streams of code and using adaptive single profiling run is taken to be representative of the pro- levels of detail for representing instructions.
    [Show full text]
  • Using Dynamic Binary Instrumentation for Security(And How You May Get
    King’s Research Portal Document Version Peer reviewed version Link to publication record in King's Research Portal Citation for published version (APA): Cono D'Elia, D., Coppa, E., Palmaro, F., & Cavallaro, L. (Accepted/In press). SoK: Using Dynamic Binary Instrumentation for Security (And How You May Get Caught Red Handed). In ACM Asia Conference on Information, Computer and Communications Security (ASIACCS 2019) Citing this paper Please note that where the full-text provided on King's Research Portal is the Author Accepted Manuscript or Post-Print version this may differ from the final Published version. If citing, it is advised that you check and use the publisher's definitive version for pagination, volume/issue, and date of publication details. And where the final published version is provided on the Research Portal, if citing you are again advised to check the publisher's website for any subsequent corrections. General rights Copyright and moral rights for the publications made accessible in the Research Portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognize and abide by the legal requirements associated with these rights. •Users may download and print one copy of any publication from the Research Portal for the purpose of private study or research. •You may not further distribute the material or use it for any profit-making activity or commercial gain •You may freely distribute the URL identifying the publication in the Research Portal Take down policy If you believe that this document breaches copyright please contact [email protected] providing details, and we will remove access to the work immediately and investigate your claim.
    [Show full text]
  • Win API Hooking by Using DBI: Log Me, Baby!
    Win API hooking by using DBI: log me, baby! Ricardo J. Rodríguez [email protected] « All wrongs reversed SITARIO D IVER E LA UN D O EF R EN T S EN A C D I I S D C N E E N C DI DO N O S V S V M N I I N T A 2009 ZARAGOZA NcN 2017 NoConName 2017 Barcelona, Spain Credits of some slides thanks to Gal Diskin Win API hooking by using DBI: log me, baby! (R.J. Rodríguez) NcN 2017 1 / 24 Agenda 1 What is Dynamic Binary Instrumentation (DBI)? 2 The Pin framework 3 Developing your Own Pintools Developing Pintools: How-to Logging WinAPIs (for fun & profit) Windows File Format Uses 4 Conclusions Win API hooking by using DBI: log me, baby! (R.J. Rodríguez) NcN 2017 2 / 24 Dynamic Binary Instrumentation DBI: Dynamic Binary Instrumentation Main Words Instrumentation ?? Dynamic ?? Binary ?? Win API hooking by using DBI: log me, baby! (R.J. Rodríguez) NcN 2017 3 / 24 Analyse and control everything around an executable code Collect some information Arbitrary code insertion Dynamic Binary Instrumentation Instrumentation? Instrumentation “Being able to observe, monitor and modify the behaviour of a computer program” (Gal Diskin) Arbitrary addition of code in executables to collect some information Win API hooking by using DBI: log me, baby! (R.J. Rodríguez) NcN 2017 4 / 24 Dynamic Binary Instrumentation Instrumentation? Instrumentation “Being able to observe, monitor and modify the behaviour of a computer program” (Gal Diskin) Arbitrary addition of code in executables to collect some information Analyse and control everything around an executable code Collect some information Arbitrary code insertion Win API hooking by using DBI: log me, baby! (R.J.
    [Show full text]
  • Intel's Dynamic Binary Instrumentation Engine Pin Tutorial
    Pin: Intel’s Dynamic Binary Instrumentation Engine Pin Tutorial Intel Corporation Written By: Tevi Devor Presented By: Sion Berkowits CGO 2013 1 Which one of these people is the Pin Performance Guru? 2 Legal Disclaimer INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS”. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO THIS INFORMATION INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. Performance tests and ratings are measured using specific computer systems and/or components and reflect the approximate performance of Intel products as measured by those tests. Any difference in system hardware or software design or configuration may affect actual performance. Buyers should consult other sources of information to evaluate the performance of systems or components they are considering purchasing. For more information on performance tests and on the performance of Intel products, reference www.intel.com/software/products. Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and other countries. *Other names and brands may be claimed as the property of others. Copyright © 2013. Intel Corporation. 3 Optimization Notice Intel compilers, associated libraries and associated development tools may include or utilize options that optimize for instruction sets that are available in both Intel and non-Intel microprocessors (for example SIMD instruction sets), but do not optimize equally for non-Intel microprocessors. In addition, certain compiler options for Intel compilers, including some that are not specific to Intel micro- architecture, are reserved for Intel microprocessors.
    [Show full text]
  • Coverage-Guided Fuzzing of Grpc Interface
    Niko Lappalainen COVERAGE-GUIDED FUZZING OF GRPC INTERFACE Master of Science Thesis Faculty of Information Technology and Communication Sciences Examiners: Marko Helenius Billy Brumley January 2021 i ABSTRACT Niko Lappalainen: Coverage-guided fuzzing of gRPC interface Master of Science Thesis Tampere University Master’s Degree Programme in Information Technology January 2021 Fuzz testing has emerged as a cost-effective method of finding security issues in many real- world targets. The software company M-Files Inc. wanted to incorporate fuzz testing to harden the security of their product M-Files Server. The newly implemented gRPC API was set as the target interface to be fuzzed. This thesis was requested to find a suitable fuzzing tool, and to verify that the tool could find and report issues. Another objective of this thesis was to determine a criterion for stopping fuzzing when adequate testing coverage has been achieved without having to run the fuzzer perpetually. To select a suitable fuzzing tool, some requirements had to be defined. Requirements and selection criteria were set based on the properties of the M-Files system as well as the target interface. Next, various fuzzing tool options were gathered from different sources. These options were validated based on the set requirements to select a short list of tools that could be analysed more closely. The suitable tool was selected from these based on their ease of integration and suspected performance. The coverage-guided WinAFL was evaluated as the most suitable from the considered options. The selected fuzzing tool was used to test M-Files Server in order to record its results.
    [Show full text]