Rémi Douence, Thomas Fritz Nicolas Loriant, Jean-Marc Menaud Marc Ségura-Devillechaise, Mario Südholt OBASCO group EMN/INRIA An expressive aspect language for system applications with Arachne

2 Outline Why another aspect system? How to program with Arachne? How does Arachne work? How fast are Arachne aspects?

3 Aspects for adapting legacy applications ● Adaptation and evolution usually mismatch with the original program architecture legacy C applications ● Difficult to anticipate adaptation and evolution ● How to adapt, evolve an application? Highly available server, waste of money/resources ● Can AOP help?

4 Three concerns from the squid web cache Switching network protocols uses UDP instead of TCP when safe to improve performance Buffer overflows programming error where data written in an array (ie buffer) exceeds the array size often exploited by hackers (Slammer, Code Red,...) crosscutting: all squid source files use buffers Prefetching predict the page that the user will access and download before the user asks for it

5 Motivations for a new aspect system in the imperative world of C-written applications: sequence of events in the execution of the base program Weaving: needs to be dynamic can not be anticipated should not suspend the base program execution Efficiency adaptation often occurs for performance reasons

6 Outline Why another aspect system? How to program with Arachne? How does Arachne work? How fast are Arachne aspects?

7 Sequence instances Buggy base program: char* two = malloc(2); gets(two);/*fills one with input typed by the user*/ free(two); char* one = malloc(1); gets(one);/*fills two with input typed by the user*/ free(one); Sample naive gets implementation (standard C library): char* gets(char* buffer) { int i=0; do { buffer[i]=getchar(); i++;} while(buffer[i]!='\n'); buffer[i-1]='\0'; return buffer; }

8 The problem: relating events Execution trace when user types “A” create two, a one character long buffer [ two=malloc(2) ] call gets, buffer now alias two [ gets(two) ] set i to 0 [ int i=0; ] read A [ getchar() ] put A in two at index 0 [ buffer[i]=... ] Ok set i to 1 [ i++ ] compare with \n [ buffer[i]!='\n' ] put O in two at index 1 [ buffer[i]=... ] Ok

9 Sequence instances Execution trace when user types “A” then “OP” create two a 2 characters buffer [ two=malloc(2) address 0x800] call gets, buffer now alias two [ gets(two) ]... put A in two at index 0 [ buffer[i]=... ],... put \n in two at index 1 [ buffer[i]=... ],... replace \n by \0 in two at index 1 [ buffer[i-1]='\0' ],... destroy two a 2 characters buffer [ free(two) ] create one a 1 characters buffer [ one=malloc(1) address 0x800] call gets, buffer now alias one [ gets(one) ]... put O in one at index 0 [ buffer[i]=... ],... put P in one at index 1 [ buffer[i]=... ],...

10 A solution: aspect detecting overflow seq( call(void* malloc(size_t))&& args(size) && return(buffer); /*possibly other events in between*/ write(buffer)&& size(newSize) && if(newSize>size)) then reportOverflow(buffer);* /*possibly other events in between*/ call(void free(void*))&& args(array) && if(buffer==array)); );

11 Advice definition (around semantic) seq( call(void* malloc(size_t))&& args(size) && return(buffer); write(buffer)&& size(newSize) && if(newSize>size)) then reportOverflow(buffer);* call(void free(void*))&& args(array) && if(buffer==array)); );

12 Defining the steps of the sequence A step has the form pointcut [ then advice] opt ; [ * ] opt with * the pointcut can match 0 or n times A step has a pointcut defined with: ● call : direct function calls ● cflowstar, cflow : sequence of nested function calls ● readGlobal, writeGlobal : global variable accesses ● read, write : memory accesses Each step can retain some information about its joinpoint: args, return, size... if can be used to test against this information Possible to write sequence less aspect

13 Relating events through time: start seq( call(void* malloc(size_t))&& args(size) && return(buffer); write(buffer)&& size(newSize) && if(newSize>size)) then reportOverflow(buffer);* call(void free(void*))&& args(array) && if(buffer==array)); );

14 Relating events through time: step 2 seq( call(void* malloc(size_t))&& args(size) && return(buffer); write(buffer)&& size(newSize) && if(newSize>size)) then reportOverflow(buffer);* call(void free(void*))&& args(array) && if(buffer==array)); );

15 Relating events through time: end seq( call(void* malloc(size_t))&& args(size) && return(buffer); write(buffer)&& size(newSize) && if(newSize>size)) then reportOverflow(buffer);* call(void free(void*))&& args(array) && if(buffer==array)); );

16 Relating events through data seq( call(void* malloc(size_t))&& args(size) && return(buffer); write(buffer)&& size(newSize) && if(newSize>size)) then reportOverflow(buffer);* call(void free(void*))&& args(array) && if(buffer==array)); );

17 Outline Why another aspect system? How to program with Arachne? How does Arachne work? How fast are Arachne aspects?

18 The Arachne aspect system: core features Weaver for x86/Linux/C application Internally rewrites binary code Weaving and deweaving are fully dynamic Weaving and deweaving are directed by the end user No need to “prepare” the base program Compatible with threaded applications

19 Weaving process Arachne rewriting thread code analysis binary code rewriting aspect activation Weaving request compiled aspect loading Arachne injection Base program process

20 Outline Why another aspect system? How to program with Arachne? How does Arachne work? How fast are Arachne aspects?

21 Evaluation on real application: method Goal compare the overhead of using Arachne to editing/recompiling the source code to adapt an application Method Add prefetching to squid by editing/recompiling its source code weaving Arachne aspect Use a well known benchmark (polygraph) Report the performance variations between versions

22 Benchmark 1 Benchmark 2 Results

23 Conclusion Practice suggested need for aspect constructs relating events need for dynamic weaving The Arachne aspect system: language to adapt applications call, variable accesses, cflow, sequences towards a formal semantic weaver for adapting applications dynamic enforcement of continuous service support of legacy C programs without preparation of the base program

Questions?

25 Why another aspect language? Single buffer overflow ● Useful to correct a known published bug ● Pointcut based on the name of the vulnerable buffer ● Action checks the access ● Solution = µDyner ● state of the art aspect language ● a dynamic weaver Any buffer overflow ● Useful when you do not trust the base program program under hacker attacks… ● Pointcuts based on a sequence of events ● Buffer creation ● Then access to the buffer ● Action checks the access Solution = ?

26 The problem: buffer overflow Buggy base program: char* in = malloc(1); gets(in);/*fills in with input typed by the user*/ free(in); Sample naive gets implementation (standard C library): char* gets(char* buffer) { int i=0; do { buffer[i]=getchar(); i++; } while(buffer[i]!='\n'); buffer[i-1]='\0'; return buffer; }

27 The problem: relating events Execution trace when user types “AOP” create in, a one character long buffer [ in=malloc(1) ] call gets, buffer now alias in [ gets(in) ] set i to 0 [ int i=0; ] read A [ getchar() ] put A in in at index 0 [ buffer[i]=... ] Ok set i to 1 [ i++ ] compare with \n [ buffer[i]!='\n' ] put O in in at index 1 [ buffer[i]=... ] Bug

28 Number of matching instances Cycles Cycles Cycles466.3 Cycles seq 577 Cycles Ratio readGlobal Size of variable (bits) Cycles2487 Cycles 2762 Cycles 3363 Cycles 4990 Cycles Ratio cflow 28 Cycles 228 Cycles 327 Cycles 424 Cycles522 Cycles Number of imbricated calls Ratio Arachne language constructs versus the speed of their C equivalent

29 Goal compare the speed of Arachne with C Method ratio= Base program void f() { return; } int main(int argc, char**argv){ startTimer(); f(); /*joinpoint*/ endTimer(); } Aspect call(void f())then f(); Arachne language constructs versus the speed of their C equivalents runtime with the aspect runtime without aspect

30 Results Ratio Pointcut

31 Mapping protocols

32 Another aspect example seq( call(int socket(…)) && args(…) && return(fd) then socket(…); call(int connect(int,…)) && args(fd1,…) && if(fd1 == fd) then returnZero(); ( call(size_t read(int,…)) && args(fd2…) && if(fd2 == fd) then recvfrom(fd,…); || call(size_t write(int,…)) && args(fd3…) && if(fd3 == fd) then sendTo(fd,…);) (*) call(int close(int)) && args(fd4) && if(fd4 == fd) )

33 Arachne architecture

34 Implementation model shadow: rewriting site replaced by a x86 instruction execution flow jump Binary code of the compiled base program and/or advices Residue (dynamic tests) Entry hook save registersReturn hook Restore registers instruction(s) Relocated tailored updating registers Base program process Hooks generated at weaving time Legacy base binary code Aspect DLL generated at aspect compile time

35 The future Continue the exploration of efficient language constructs to relate events together Extend Arachne to C++ in progress, already using an application to medical imaging to the linux kernel