1 Dynamic Emulation and Fault- Injection using Dyninst Presented by: Rean Griffith Programming Systems Lab (PSL)

Slides:



Advertisements
Similar presentations
Programming Technologies, MIPT, April 7th, 2012 Introduction to Binary Translation Technology Roman Sokolov SMWare
Advertisements

CPU Review and Programming Models CT101 – Computing Systems.
1 Tools and Techniques for Designing and Evaluating Self-Healing Systems Rean Griffith, Ritika Virmani, Gail Kaiser Programming Systems Lab (PSL) Columbia.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Anti-Cheating Mechanisms for Computer Games Michael Rudolph Jason Cook.
Mr. D. J. Patel, AITS, Rajkot 1 Operating Systems, by Dhananjay Dhamdhere1 Static and Dynamic Memory Allocation Memory allocation is an aspect of a more.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
1/1/ / faculty of Electrical Engineering eindhoven university of technology Introduction Part 3: Input/output and co-processors dr.ir. A.C. Verschueren.
SHelp: Automatic Self-healing for Multiple Application Instances in a Virtual Machine Environment Gang Chen, Hai Jin, Deqing Zou, Weizhong Qiang, Gang.
The Role of RAS-Models in the Design and Evaluation of Self-Healing Systems Rean Griffith, Ritika Virmani, Gail Kaiser Programming Systems Lab (PSL) Columbia.
1 Kheiron: Runtime Adaptation of Native-C and Bytecode Applications Rean Griffith, Gail Kaiser Programming Systems Lab (PSL) Columbia University June 14.
An Integrated Framework for Dependable Revivable Architectures Using Multi-core Processors Weiding Shi, Hsien-Hsin S. Lee, Laura Falk, and Mrinmoy Ghosh.
Run-Time Storage Organization
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.
1 Interrupts INPUT/OUTPUT ORGANIZATION: Interrupts CS 147 JOKO SUTOMO.
1 RAS-Models: A Building Block for Self-Healing Benchmarks Rean Griffith, Ritika Virmani, Gail Kaiser Programming Systems Lab (PSL) Columbia University.
Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.
System-level Virtualization for HPC: Recent work on Loadable Hypervisor Modules Systems Research Team Computer Science and Mathematics Division Oak Ridge.
Software Faults and Fault Injection Models --Raviteja Varanasi.
Yavor Todorov. Introduction How it works OS level checkpointing Application level checkpointing CPR for parallel programing CPR functionality References.
Address Space Layout Permutation
Protection and the Kernel: Mode, Space, and Context.
Paradyn Project Dyninst/MRNet Users’ Meeting Madison, Wisconsin August 7, 2014 The Evolution of Dyninst in Support of Cyber Security Emily Gember-Jacobson.
Chapter 10 The Stack Stack: An Abstract Data Type An important abstraction that you will encounter in many applications. We will describe two uses:
Contact Information Office: 225 Neville Hall Office Hours: Monday and Wednesday 12:00-1:00 and by appointment.
Support for Debugging Automatically Parallelized Programs Robert Hood Gabriele Jost CSC/MRJ Technology Solutions NASA.
A Framework for Elastic Execution of Existing MPI Programs Aarthi Raveendran Tekin Bicer Gagan Agrawal 1.
Operating Systems ECE344 Ashvin Goel ECE University of Toronto OS-Related Hardware.
CS533 Concepts of Operating Systems Jonathan Walpole.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
Lecture 3 Process Concepts. What is a Process? A process is the dynamic execution context of an executing program. Several processes may run concurrently,
Hardware process When the computer is powered up, it begins to execute fetch-execute cycle for the program that is stored in memory at the boot strap entry.
COP4020 Programming Languages Subroutines and Parameter Passing Prof. Xin Yuan.
© Janice Regan, CMPT 300, May CMPT 300 Introduction to Operating Systems Memory: Relocation.
Runtime Stack Computer Organization I 1 November 2009 © McQuain, Feng & Ribbens MIPS Memory Organization In addition to memory for static.
Instrumentation in Software Dynamic Translators for Self-Managed Systems Bruce R. Childers Naveen Kumar, Jonathan Misurda and Mary.
Processes Introduction to Operating Systems: Module 3.
Interrupt driven I/O. MIPS RISC Exception Mechanism The processor operates in The processor operates in user mode user mode kernel mode kernel mode Access.
1 A Secure Access Control Mechanism against Internet Crackers Kenichi Kourai* Shigeru Chiba** *University of Tokyo **University of Tsukuba.
Operating Systems Security
Shellcode Development -Femi Oloyede -Pallavi Murudkar.
© 2006 Andrew R. BernatMarch 2006Generalized Code Relocation Generalized Code Relocation for Instrumentation and Efficiency Andrew R. Bernat University.
Outsourcing, subcontracting and COTS Tor Stålhane.
1 Manipulating Managed Execution Runtimes to support Self-Healing Systems Rean Griffith‡, Gail Kaiser‡ Presented by Rean Griffith
Efficient Software-Based Fault Isolation Authors: Robert Wahbe Steven Lucco Thomas E. Anderson Susan L. Graham Presenter: Gregory Netland.
Improving the Reliability of Commodity Operating Systems Michael M. Swift, Brian N. Bershad, Henry M. Levy Presented by Ya-Yun Lo EECS 582 – W161.
Dynamic Tuning of Parallel Programs with DynInst Anna Morajko, Tomàs Margalef, Emilio Luque Universitat Autònoma de Barcelona Paradyn/Condor Week, March.
1 Xen and the Art of Binary Modification Lies, Damn Lies, and Page Frame Addresses Greg Cooksey and Nate Rosenblum, March 2007.
CS5204 Fall 20051Oct. 26, 2005 Mondrix: Memory Isolation for Linux using Mondriaan Memory Protection Emmett Witchel Junghwan Rhee Krste Asanovic Sreeram.
Kernel Modules – Introduction CSC/ECE 573, Sections 001 Fall, 2012.
System Components Operating System Services System Calls.
Qin Zhao1, Joon Edward Sim2, WengFai Wong1,2 1SingaporeMIT Alliance 2Department of Computer Science National University of Singapore
Memory Protection through Dynamic Access Control Kun Zhang, Tao Zhang and Santosh Pande College of Computing Georgia Institute of Technology.
Computer System Structures
Storage Classes There are three places in memory where data may be placed: In Data section declared with .data in assembly language in C - Static) On the.
Presented by: Daniel Taylor
WP3: D3.1 status, pending comments and next steps
OpenMosix, Open SSI, and LinuxPMI
Performance Optimizations in Dyninst
Mechanism: Limited Direct Execution
Rean Griffith‡, Gail Kaiser‡ Presented by Rean Griffith
Overview Introduction General Register Organization Stack Organization
Chapter 10 The Stack.
Single Event Upset Simulation
CSE 451: Operating Systems Autumn Module 24 Virtual Machine Monitors
COMP755 Advanced Operating Systems
Dynamic Binary Translators and Instrumenters
Presentation transcript:

1 Dynamic Emulation and Fault- Injection using Dyninst Presented by: Rean Griffith Programming Systems Lab (PSL)

2 Overview Introduction Introduction Background Background Dynamic Emulation Example Dynamic Emulation Example Solution Requirements Solution Requirements Dyninst Modifications Necessary Dyninst Modifications Necessary On-going Fault-injection Tool Development On-going Fault-injection Tool Development Conclusions Conclusions

3 Introduction We are working on the design and evaluation of self-healing systems. We are working on the design and evaluation of self-healing systems. Based on two techniques Based on two techniques Runtime-adaptations (technical) Runtime-adaptations (technical) Mathematical models of failures & recovery (analytical) Mathematical models of failures & recovery (analytical)

4 Role of Runtime-Adaptations Fault-Detection Fault-Detection Transparently adding/modifying detection mechanisms Transparently adding/modifying detection mechanisms Replacing/removing under-performing mechanisms Replacing/removing under-performing mechanisms Failure-Diagnosis Failure-Diagnosis In-situ diagnosis of systems (drill-down) In-situ diagnosis of systems (drill-down) In-vivo testing (ghost transactions) In-vivo testing (ghost transactions) System-Repairs System-Repairs Dynamic fine-grained or coarse-grained repairs Dynamic fine-grained or coarse-grained repairs

5 Dynamic Emulation Example Proof-of-concept dynamic emulation support for applications using Kheiron/C (mutator) Proof-of-concept dynamic emulation support for applications using Kheiron/C (mutator) Allows select portions of an application to run on an x86 emulator rather than on the raw CPU Allows select portions of an application to run on an x86 emulator rather than on the raw CPU Security-oriented self-healing mechanism Security-oriented self-healing mechanism Allows users to: Allows users to: Limit the impact of un-patched vulnerabilities Limit the impact of un-patched vulnerabilities Test/verify interim (auto-generated) patches Test/verify interim (auto-generated) patches Manage the performance impact of whole-program emulation Manage the performance impact of whole-program emulation

6 Background on the x86 Emulator Selective Transaction Emulator (STEM) Selective Transaction Emulator (STEM) An x86 instruction-level emulator developed by Michael Locasto, Stelios Sidiroglou-Douskos, Stephen Boyd and Prof. Angelos Keromytis An x86 instruction-level emulator developed by Michael Locasto, Stelios Sidiroglou-Douskos, Stephen Boyd and Prof. Angelos Keromytis Developed as a recovery mechanism for illegal memory references, division by zero exceptions and buffer overflow attacks Developed as a recovery mechanism for illegal memory references, division by zero exceptions and buffer overflow attacks

7 Big Picture Idea for STEM Building a Reactive Immune System for Software Systems, Stelios Sidiroglou Michael E. Locasto Stephen W. Boyd Angelos D. Keromytis USENIX 2005

8 Limitations of the Original STEM Inserted via source-code Inserted via source-code Manual identification of locations to emulate Manual identification of locations to emulate Re-compilation and (static) re-linking needed to emulate different sections of an application Re-compilation and (static) re-linking needed to emulate different sections of an application Minimum observed runtime over-head of 30%. Minimum observed runtime over-head of 30%.

9 Proposed Solution Dynamic, No re-compilation

10 Solution Requirements Dynamic Loading of the STEM x86 Emulator. Dynamic Loading of the STEM x86 Emulator. Clean CPU-to-Emulator handoff Clean CPU-to-Emulator handoff Correct Emulator initialization Correct Emulator initialization Correct Emulator execution Correct Emulator execution Clean Emulator-to-CPU handoff Clean Emulator-to-CPU handoff Correct Emulator unload Correct Emulator unload

11 Requirements Met Out-of-the-Box by Dyninst Dynamic Loading of the STEM x86 Emulator. Dynamic Loading of the STEM x86 Emulator. Clean CPU-to-Emulator handoff Clean CPU-to-Emulator handoff Correct Emulator initialization Correct Emulator initialization Correct Emulator execution Correct Emulator execution Clean Emulator-to-CPU handoff Clean Emulator-to-CPU handoff Correct Emulator unload Correct Emulator unload But…with a few simple modifications to Dyninst, we are able to satisfy all these requirements.

12 Unmodified Dyninst Operation

13 Dynamic STEM Operation

14 Correct Emulator Initialization – Dyninst Modifications Emitter32::emitBTSaves modifications Emitter32::emitBTSaves modifications Save CPU state before instrumentation on the real CPU stack AND at a location in the target program address space (Register storage area address) Save CPU state before instrumentation on the real CPU stack AND at a location in the target program address space (Register storage area address) Save the instructions mangled by inserting the trampoline at a KNOWN location in the target program address space (Code storage area address) Save the instructions mangled by inserting the trampoline at a KNOWN location in the target program address space (Code storage area address) instPoint, BPatch_point modifications instPoint, BPatch_point modifications Added extra fields and methods to the type definitions to set/get the extra information Added extra fields and methods to the type definitions to set/get the extra information

15 Dynamic Emulation Mutator Snippet

16 Correct Emulator Execution Register storage area address used to initialize STEM’s registers Register storage area address used to initialize STEM’s registers Code storage area address used to prime STEM’s execution pipeline Code storage area address used to prime STEM’s execution pipeline STEM tracks its current stack depth STEM tracks its current stack depth Initially set to 0 Initially set to 0 Call and Return instructions modify the stack depth Call and Return instructions modify the stack depth A return instruction at depth 0 signals the end of emulation A return instruction at depth 0 signals the end of emulation

17 Correct Emulator Unload Cleanup Cleanup Copy emulator registers to real CPU registers Copy emulator registers to real CPU registers Push the saved_eip onto the real CPU stack Push the saved_eip onto the real CPU stack Make it the return address for the current stack frame – pop it into 4(%ebp) Make it the return address for the current stack frame – pop it into 4(%ebp) Push the saved_ebp onto the real cpu stack Push the saved_ebp onto the real cpu stack Restore that value into the real EBP register Restore that value into the real EBP register

18 Current Status Doesn’t crash on our simple test programs. Doesn’t crash on our simple test programs. Correct computation results for these programs. Correct computation results for these programs. Multiple emulator entries/exits e.g. in a loop. Multiple emulator entries/exits e.g. in a loop. More refinements to x86 emulator needed to support more complicated programs More refinements to x86 emulator needed to support more complicated programs Emulator-state rollbacks in the works Emulator-state rollbacks in the works Clean up the CPU-to-Emulator and Emulator-to- CPU handoffs Clean up the CPU-to-Emulator and Emulator-to- CPU handoffs

19 Role of Runtime-Adaptations Fault-Detection Fault-Detection Transparently adding/modifying detection mechanisms Transparently adding/modifying detection mechanisms Replacing/removing under-performing mechanisms Replacing/removing under-performing mechanisms Failure-Diagnosis Failure-Diagnosis In-situ diagnosis of systems (drill-down) In-situ diagnosis of systems (drill-down) In-vivo testing (ghost transactions) In-vivo testing (ghost transactions) System-Repairs System-Repairs Dynamic fine-grained or coarse-grained repairs Dynamic fine-grained or coarse-grained repairs Fault-Injection Fault-Injection Exercise the detection, diagnosis and repair mechanisms so we can perform a quantitative evaluation Exercise the detection, diagnosis and repair mechanisms so we can perform a quantitative evaluation

20 Fault-Injection Tool Development Kheiron/CLR and Kheiron/JVM Kheiron/CLR and Kheiron/JVM Fault-injection tools for.NET applications and JVM applications/application-servers based runtime adaptations (bytecode-rewriting) Fault-injection tools for.NET applications and JVM applications/application-servers based runtime adaptations (bytecode-rewriting) Kheiron/C extensions Kheiron/C extensions Dynamic fault-injection tool for databases using Dyninst. Specifically targeting the query (re)- planning and processing sub-systems of the database Dynamic fault-injection tool for databases using Dyninst. Specifically targeting the query (re)- planning and processing sub-systems of the database Device driver fault-injection tools for Linux 2.4, Linux 2.6, Windows 2003 Server and Solaris 10 Device driver fault-injection tools for Linux 2.4, Linux 2.6, Windows 2003 Server and Solaris 10 Evaluating device-driver recovery frameworks e.g. Nooks and Solaris 10 Fault Isolation Services Evaluating device-driver recovery frameworks e.g. Nooks and Solaris 10 Fault Isolation Services

21 Conclusions We have described and implemented an example of dynamically inserting and removing a recovery mechanism based on selective emulation. We have described and implemented an example of dynamically inserting and removing a recovery mechanism based on selective emulation. More work needs to be done to polish our prototype and experimentally evaluate the efficacy of this recovery mechanism. More work needs to be done to polish our prototype and experimentally evaluate the efficacy of this recovery mechanism.

22 Acknowledgements This work was conducted under the supervision of Prof. Gail Kaiser and with the help of Stelios This work was conducted under the supervision of Prof. Gail Kaiser and with the help of Stelios Sidiroglou We would like to thank Matthew Legendre, Drew Bernat and the Dyninst Team for their assistance/guidance as we worked with Dyninst and Dyninst to develop our dynamic emulation techniques. We would like to thank Matthew Legendre, Drew Bernat and the Dyninst Team for their assistance/guidance as we worked with Dyninst and Dyninst to develop our dynamic emulation techniques.

23 Thank You Questions, Comments Queries? For more details please contact: Rean Griffith Programming Systems Lab Columbia University

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.