Presentation is loading. Please wait.

Presentation is loading. Please wait.

How to Detect Self-Modifying Code During Instruction-Set Simulation Pardo AMAS-BT 2009.

Published byHoratio Bruce Modified over 8 years ago

Similar presentations

Presentation on theme: "How to Detect Self-Modifying Code During Instruction-Set Simulation Pardo AMAS-BT 2009."— Presentation transcript:

1 How to Detect Self-Modifying Code During Instruction-Set Simulation Pardo AMAS-BT 2009

2 Background Helped invent & build two significant simulators Shade Crusoe Also: studied and written lots of SMC Lots! Maybe: something interesting to say

3 Who Cares? Everybody knows Self-Modifying Code is dead But: SMC is alive and well (alive and still sick?) Dynamic linking, JITs, debuggers, … Instruction Space Changes (ISC) Demand paging - reuse code pages Memory remapping ”SMC is everywhere” Everybody knows Self-Modifying Code is dead But: SMC is alive and well (alive and still sick?) Dynamic linking, JITs, debuggers, … Instruction Space Changes (ISC) Demand paging - reuse code pages Memory remapping ”SMC is everywhere”

4 Simulating SMC Rare: ”expensive” is okay Frequent: ”expensive” is slow Is slow okay? Depends on requirements How slow? Many forms of SMC: ”no silver bullet” Code and writable data interleaved Fine-grained JIT Instruction patching Immediates, opcodes, registers,...

5 Strategies Easy solution: interpret everything Decode every time → see every change Slow... Fast and almost easy: Translate, don't handle SMC/ISC Many workloads won't run Fast and handle SMC/ISC: Some cases: almost easy General case: hard... but almost possible!

6 Simulator Structure Interpreter: Decode is slow, so cache: Avoids ”fetch” and ”decode” except on miss But: What if the instruction changes? What if the PC mapping changes?

7 Trap On Write Write-protect pages during decode Discard on writes to protected pages Works great in many cases: paging, JIT,...

8 But... False Sharing Application malloc()'s code Page has both code and data write is slow: Trap Discard valid translation of code Make page writable, perform write Next use of code : make read-only, retranslate Sometimes so slow it dominates running time If code writes data : complicated infinite loop

9 Other Cases Also slow for: Recompile every 10K instructions e.g., BitBlt() Frequent instruction patching Register numbers, instruction immediates Debugger watchpoints Other fast-changing SMC ”styles” I have seen these in commercial workloads...

10 Optimize For Many Cases General strategies Reoptimize: handle the ”new” case fast … but no longer handle ”old” case Deoptimize: handle both cases … but both cases are slower Keep multiple ”fast” cases + dispatch … but ”dispatch” overhead Often works

11 What To ”Trigger” On? Instruction events: Write/map event Coherency event (maybe) Execute event Simulator events: Lookup Fetch Decode Dispatch Execute

12 Coherency Events x86 (and others): no primitive Need to detect what changed Platform ”primitive” for instruction coherency ISCP: ”something changed” Poor match between application and simulator Need to detect what really changed

13 Approach: Try A Strategy Adapt If Too Expensive Default: write-protect on translate, fault on write Faults are expensive, so... After ”too many” faults, try another strategy Asymptotically slower, but avoids faults After ”a while” try default strategy again

14 A Strategy: Self-Checking Polls for coherency 2X slower than write-protect → usually avoid No READONLY faults Faster on fault-prone code Adaptive: gets used only on fault-prone code

15 Fast-Changing Code Self-checking avoids write faults Avoids discard of ”good” translations But: need to retranslate all true code changes Frequent changes → high retranslation cost Other strategies: Trade off: faster translator, slower code Knob? Multiple translators? Save ”invalid” fast code, see if it reappears Many SMC patterns have just a few values

16 Adaptive, Take 2 Same as before, but... On self-check failure, save the ”bad” translation And: before translating Scan ”bad” translations ”Revalidate” if memory now matches Reuse translations that now work ”Revalidating” is cheaper than retranslating

17 Problem Solved! Almost Good: more applications run fast Bad: some are still slow Why: details of SMC/ISC usage E.g., some cases of instruction patching Lots of values for instruction immediates No reuse of earlier translations Is it okay if some workloads are slow? Depends on your application

18 Example: Shade Simulates user-space SPARC on SPARC Used for program analysis Performance is ”optional” If it's slow sometimes, that's okay Always translates, ~100I/I SPARC: iflush ADDR signals coherency Applications missing iflush : User has to say, via command-line flag Writable memory: ”self-discarding” translations

19 Example: Crusoe Crusoe: commerical x86 CPU: Must be fast! Default: protect on translate, discard on write Translation: ~10,000 I/I. Avoid retranslation! High fault rate, retranslate (subpage hardware): Write: save translations, make subpage writable Execute: reprotect, revalidate translations If still high fault rates: retranslate self-checking Self-check fails: retranslate: ”fetch immediates” Still fails: retranslate: ”call interpreter” What was that about ”avoid retranslation?”

20 Phew! No ”best” strategy Depends on the requirements A few more notes:

21 Deoptimize: What Is A ”More General” Translation? Fetch instruction immediates Translation that calls to the interpreter Implements several past instructions Check memory and dispatch accordingly Multiple implementations and dispatch? The translation is dispatching within itself

22 Oh, And: It Needs To Work Bad: more implementations: more bugs Worse: more implementations: worse coverage of each case

23 Stability Adaptation can ”hunt” endlessly Cost to check and fail Plus cost to adapt Plus cost to execute ”Consistent” gets more important than ”fast” Sometimes a ”slow” strategy is faster

24 Conclusion SMC/ISC is an important and thorny problem Many cases are in a big-enough workload set Hard to solve well but: Most cases ”suitably” solvable State clearly what you do and don't do Why you want to read the paper: More complicated SMC/ISC cases More strategies More examples of existing systems

25 Universal Simulator [Gill51] 29: A 11 0 # load ”load [PC]” 30: A 2 0 # increment PC 31: G 9 0 # goto top 9: U 11 0 # save "load [PC]" -> 11 10: S 11 0 # clear accumulator 11:[______] # "load [PC]": *PC -> accumulator 12: U 22 0 # save *PC -> 22 14: S 0 # check for branch... 15: A 4 0 #... 16: E 19 0 #... not branch go to 19... #... branch: fix "load PC"; goto 9 19: U 0 # clear accumulator 20: S 0 #... 21: A 1 0 # load vs->accumulator 22:[______] # execute *PC 23: U 1 0 # save vs->accumulator 24: E 26 0 # branch to 26 if positive 25: A 3 0 # add -1/2 for negative 26: S 1 0 # adjust copy(vs->accumulator) 27: U 0 # save vs->sign 28: S 0 #...

Download ppt "How to Detect Self-Modifying Code During Instruction-Set Simulation Pardo AMAS-BT 2009."

Similar presentations

Instruction Set Design

Instruction Set Design
Chapter 12 CPU Structure and Function. CPU Sequence Fetch instructions Interpret instructions Fetch data Process data Write data.

Chapter 12 CPU Structure and Function. CPU Sequence Fetch instructions Interpret instructions Fetch data Process data Write data.
Computer Organization and Architecture

Computer Organization and Architecture
RUGRAT: Runtime Test Case Generation using Dynamic Compilers Ben Breech NASA Goddard Space Flight Center Lori Pollock John Cavazos University of Delaware.

RUGRAT: Runtime Test Case Generation using Dynamic Compilers Ben Breech NASA Goddard Space Flight Center Lori Pollock John Cavazos University of Delaware.
Memory Management and Paging CSCI 3753 Operating Systems Spring 2005 Prof. Rick Han.

Memory Management and Paging CSCI 3753 Operating Systems Spring 2005 Prof. Rick Han.
CS 300 – Lecture 22 Intro to Computer Architecture / Assembly Language Virtual Memory.

CS 300 – Lecture 22 Intro to Computer Architecture / Assembly Language Virtual Memory.
Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.

Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.
CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.

CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.
Chapter 12 CPU Structure and Function. Example Register Organizations.

Chapter 12 CPU Structure and Function. Example Register Organizations.
Code Generation CS 480. Can be complex To do a good job of teaching about code generation I could easily spend ten weeks But, don’t have ten weeks, so.

Code Generation CS 480. Can be complex To do a good job of teaching about code generation I could easily spend ten weeks But, don’t have ten weeks, so.
Hash, Don’t Cache: Fast Packet Forwarding for Enterprise Edge Routers Minlan Yu Princeton University Joint work with Jennifer.

Hash, Don’t Cache: Fast Packet Forwarding for Enterprise Edge Routers Minlan Yu Princeton University Joint work with Jennifer.
Review of Memory Management, Virtual Memory CS448.

Review of Memory Management, Virtual Memory CS448.
Instruction Set Architecture

Instruction Set Architecture
15-740/18-740 Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.

15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.
CS533 - Concepts of Operating Systems Virtual Memory Primitives for User Programs Presentation by David Florey.

CS533 - Concepts of Operating Systems Virtual Memory Primitives for User Programs Presentation by David Florey.
Lecture Topics: 11/17 Page tables TLBs Virtual memory flat page tables

Lecture Topics: 11/17 Page tables TLBs Virtual memory flat page tables
Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 9: Virtual Memory.

Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 9: Virtual Memory.
Transmeta’s New Processor Another way to design CPU By Wu Cheng

Transmeta’s New Processor Another way to design CPU By Wu Cheng
CS333 Intro to Operating Systems Jonathan Walpole.

CS333 Intro to Operating Systems Jonathan Walpole.
Processes and Virtual Memory

Processes and Virtual Memory

Similar presentations

Ads by Google