Presentation is loading. Please wait.

Presentation is loading. Please wait.

Paradyn Project Paradyn / Dyninst Week College Park, Maryland March 26-28, 2012 Self-propelled Instrumentation Wenbin Fang.

Published byLorenzo Badders Modified over 9 years ago

Similar presentations

Presentation on theme: "Paradyn Project Paradyn / Dyninst Week College Park, Maryland March 26-28, 2012 Self-propelled Instrumentation Wenbin Fang."— Presentation transcript:

1 Paradyn Project Paradyn / Dyninst Week College Park, Maryland March 26-28, 2012 Self-propelled Instrumentation Wenbin Fang

2 Overview o Self-propelled instrumentation o Inject a fragment of code into the target process o Instrumentation automatically follows control flow o Within process o Cross process / host boundary o Features o 1 st party execution in the same address space o On demand, function call level instrumentation o Applications o Fault diagnosis, security analysis, … Self-propelled Instrumentation 2

3 Application Process Big Picture o Injector: Process to inject shared library o Agent: Shared library o User-specified payload functions o Instrumentation engine Self-propelled Instrumentation Injector process 3 a.out libc.so libpthread.so Agent.so Payload Functions Instrumentation Engine

4 void payload(SpPoint* pt){ // Do something } How it works void main () { pthread_create(foo …) printf(…) } void foo () { connect(…) } Self-propelled Instrumentation Host A Host B Process P Process Q Agent.so network Process R Injector 4 Call

5 Reincarnation Previous life (2006) o Parallel implementation with Dyninst o x86 Linux o For research on fault diagnosis [ 1 ] Reincarnation (2012) o Leverage Dyninst toolkits o x86/x86_64 Linux o Initially for security analysis, also for more applications [ 1 ] Alexander Vladimirovich Mirgorodskiy, "Automated problem diagnosis in distributed systems", Doctoral dissertation, University of Wisconsin-Madison, Madison, WI, USA, 2006. Self-propelled Instrumentation 5

6 Injector o Inject a shared library before a process executes o Use dynamic linking to load agent (LD_PRELOAD) o Inject a shared library for a process in execution o Use Dyninst toolkit (ProcControlAPI) Self-propelled Instrumentation 6

7 Agent – Contents o User-provided payload functions o Entry payload: executed before each function call o Exit payload: executed after each function call o Instrumentation Engine o Mainly based on PatchAPI o Also based on other Dyninst toolkits, e.g., Stackwalker, InstructionAPI, … Self-propelled Instrumentation 7

8 Agent – In payload function o Query PatchAPI CFG structures o Functions / Basic blocks / Edges o Enables sophisticated code analysis o Query runtime information related to the current function call o Arguments / Return value o Detect system events o Communication events, e.g., send/recv o Security events, e.g., setuid Self-propelled Instrumentation 8

9 Example: Print func names and # of calls to printf Self-propelled Instrumentation void main () { printf(…); foo(); … } void foo() { printf(); } Agent.so void payload(SpPoint* pt) { // Print Callee Name // Print count of printf } Output: CALL: printf # printf: 1 CALL: foo CALL: printf # printf: 2 9 Call

10 Payload functions Single-threaded, single process int count = 0; void payload(SpPoint* pt) { PatchFunction* f = Callee(pt); if (!f) return; string name = f->name(); printf(“CALL:%s\n”,name.c_str()); if (name.compare(“printf”)==0){ ++count; printf(“# printf: %d\n”,count); } Propel(pt); } Multi-threaded, single process Self-propelled Instrumentation 10 int count = 0; SpLock count_lock = 0; void payload(SpPoint* pt) { PatchFunction* f = Callee(pt); if (!f) return; string name = f->name(); printf(“CALL:%s\n”,name.c_str()); if (name.compare(“printf”)==0){ sp::Lock(&count_lock); ++count; sp::Unlock(&count_lock); printf(“# printf: %d\n”,count); } Propel(pt); }

11 Intra-process propagation Self-propelled Instrumentation a.out main 8430: 8431: 8433: 8444: 8449: 844b: 844e: 844f: push %ebp mov %esp,%ebp... call printf mov %ebp,%esp xor %eax,%eax pop %ebp ret foo call jmp Patch1 payload(foo) foo 0x8405 Agent.so call jmp payload(printf) printf 0x8449 Patch2 patch jmp push %ebp mov %esp,%ebp... call foo mov %ebp,%esp pop %ebp ret 83f0: 83f1: 83f3: 8400: 8405: 8413: 8414: Inject ActivatePropagate 11 jmp Patch1 jmp Patch2

12 Intra-process propagation challenges o Instrumentation Engine o Call insn size < jump insn size o Call block size < jump insn size o Cannot find a suitable springboard Self-propelled Instrumentation Relocate call block Find springboard block Use trap or ignore 12

13 Example: Print remote process name Host 1 - 192.168.0.2 : 5370 Self-propelled Instrumentation void main () { connect(…) recv(…) send(…) } Output for 192.168.0.2:5370: CONNECT: (192.168.0.2:5370, 192.168.0.31:8080) READ FROM: 192.168.0.31:8080 WRITE TO: 192.168.0.31:8080 Agent.so void payload(SpPoint* pt) { // Print remote process Name } Host 2 - 192.168.0.31 : 8080 void main () { accept(…) send(…) recv(…) } Output for 192.168.0.31:8080: ACCEPT: (192.168.0.31:8080, 192.168.0.2:5370) WRITE TO: 192.168.0.0.2:5370 READ FROM: 192.168.0.0.2:5370 Agent.so void payload(SpPoint* pt) { // Print remote process name } Call payload 13

14 Payload functions for IPC Self-propelled Instrumentation 14 Utilities o Detect communication events. o Get process name o e.g., 192.168.0.2:8080 IPC mechanisms o Pipe o TCP void payload(SpPoint* pt) { PatchFunction* f = sp::Callee(pt); if (!f) return; if (IsConnect(f)) { fprintf(fp, “CONNECT: (%s, %s)\n”, LocalProcessName(), RemoteProcessName()); } else if (IsIpcWrite(f)) { fprintf(fp, “WRITE TO: %s\n”, RemoteProcessName()); } else if (IsIpcRead(f)) { fprintf(fp, “READ FROM: %s\n”, RemoteProcessName()); } sp::Propel(pt); }

15 Inter-process propagation o Main procedure for inter-process propagation 1.Detect the initiation of communication at the local site. o connect, write, send … 2.Identify the remote process 3.Inject the agent into the remote process 4.Start following the flow of control in the remote site Self-propelled Instrumentation void main () { connect(…) recv(…) } void main () { accept(…) send(…) } Agent.so inject call payload() 15 Process A Process B via ssh / scp

16 Applications o Existing : o Fault diagnosis in distributed systems o Software security analysis o Potential: o Error reporting in distributed systems o Performance profiling o Consistency analysis in distributed systems o Taint checking o More... Self-propelled Instrumentation 16

17 Status and Future work o Status o x86 / x86_64 Linux o IPC: pipe, tcp o Testing and debugging to make it robust enough to work on complex programs, e.g., Google Chrome o Future work o Develop tools for software security analysis o Support more protocols / mechanisms for inter- process propagation o Port to Microsoft Windows Self-propelled Instrumentation 17

18 Questions? Self-propelled Instrumentation 18

Download ppt "Paradyn Project Paradyn / Dyninst Week College Park, Maryland March 26-28, 2012 Self-propelled Instrumentation Wenbin Fang."

Similar presentations

Self-Propelled Instrumentation Alex Mirgorodskiy Barton Miller Computer Sciences Department University.

Self-Propelled Instrumentation Alex Mirgorodskiy Barton Miller Computer Sciences Department University.
SDN Controller Challenges

SDN Controller Challenges
A Process Splitting Transformation for Kahn Process Networks Sjoerd Meijer.

A Process Splitting Transformation for Kahn Process Networks Sjoerd Meijer.
Advanced topics in X86 assembly by Istvan Haller.

Advanced topics in X86 assembly by Istvan Haller.
Chorus and other Microkernels Presented by: Jonathan Tanner and Brian Doyle Articles By: Jon Udell Peter D. Varhol Dick Pountain.

Chorus and other Microkernels Presented by: Jonathan Tanner and Brian Doyle Articles By: Jon Udell Peter D. Varhol Dick Pountain.
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-4, 2011 ProcControlAPI and StackwalkerAPI Integration into Dyninst Todd Frederick and Dan.

Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-4, 2011 ProcControlAPI and StackwalkerAPI Integration into Dyninst Todd Frederick and Dan.
Paradyn Project Paradyn / Dyninst Week College Park, Maryland March 26-28, 2012 Paradyn Project Upcoming Features in Dyninst and its Components Bill Williams.

Paradyn Project Paradyn / Dyninst Week College Park, Maryland March 26-28, 2012 Paradyn Project Upcoming Features in Dyninst and its Components Bill Williams.
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-3, 2011 Introduction to the PatchAPI Wenbin Fang, Drew Bernat.

Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-3, 2011 Introduction to the PatchAPI Wenbin Fang, Drew Bernat.
U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts Amherst Operating Systems CMPSCI 377 Lecture.

U NIVERSITY OF M ASSACHUSETTS, A MHERST Department of Computer Science Emery Berger University of Massachusetts Amherst Operating Systems CMPSCI 377 Lecture.
COS 461 Fall 1997 Where We Are u so far: networking u rest of semester: distributed computing –how to use networks to do interesting things –connection.

COS 461 Fall 1997 Where We Are u so far: networking u rest of semester: distributed computing –how to use networks to do interesting things –connection.
Distributed Self-Propelled Instrumentation Alex Mirgorodskiy VMware, Inc. Barton P. Miller University of Wisconsin-Madison.

Distributed Self-Propelled Instrumentation Alex Mirgorodskiy VMware, Inc. Barton P. Miller University of Wisconsin-Madison.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Run time vs. Compile time

Run time vs. Compile time
1 Run time vs. Compile time The compiler must generate code to handle issues that arise at run time Representation of various data types Procedure linkage.

1 Run time vs. Compile time The compiler must generate code to handle issues that arise at run time Representation of various data types Procedure linkage.
Processes in Unix, Linux, and Windows CS-502 Fall 20071 Processes in Unix, Linux, and Windows CS502 Operating Systems (Slides include materials from Operating.

Processes in Unix, Linux, and Windows CS-502 Fall Processes in Unix, Linux, and Windows CS502 Operating Systems (Slides include materials from Operating.
FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)

FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)
Previous Next 06/18/2000Shanghai Jiaotong Univ. Computer Science & Engineering Dept. C+J Software Architecture Shanghai Jiaotong University Author: Lu,

Previous Next 06/18/2000Shanghai Jiaotong Univ. Computer Science & Engineering Dept. C+J Software Architecture Shanghai Jiaotong University Author: Lu,
Automated Tracing and Visualization of Software Security Structure and Properties Symposium on Visualization for Cyber Security 2012 (VizSec’12) Seattle,

Automated Tracing and Visualization of Software Security Structure and Properties Symposium on Visualization for Cyber Security 2012 (VizSec’12) Seattle,
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
A Mobile-Agent-Based Performance-Monitoring System at RHIC Richard Ibbotson.

A Mobile-Agent-Based Performance-Monitoring System at RHIC Richard Ibbotson.

Similar presentations

Ads by Google