Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Design of a Resourceable and Retargetable Binary Translator Cristina Cifuentes Sixth Working Conference on Reverse Engineering On page(s): 280 - 291.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "The Design of a Resourceable and Retargetable Binary Translator Cristina Cifuentes Sixth Working Conference on Reverse Engineering On page(s): 280 - 291."— Presentation transcript:

1 The Design of a Resourceable and Retargetable Binary Translator Cristina Cifuentes Sixth Working Conference on Reverse Engineering On page(s): 280 - 291 6-8 Oct. 1999 Atlanta, GA, USA 1999

2 Outline  Introduction  Goals and Objectives  Resourceable and retargetable binary translation  Core translator  Implementation and preliminary result  Discussion

3 Introduction  Problems of binary translation – It is not always possible to find all the code in a binary program. – Static analysis cannot always find the targets of jumps to addresses computed at run time.  Previous work – Digital’s VEST – OpenVMS and MIPS to Alpha – FX!32 – x86 windows NT to Alpha

4 Goals and objectives  Reuse is difficult because binary translators are highly machine-dependent.  Another impediment to reuse is that many details of existing translators remain proprietary and unpublished.  The goal of the UQBT project is to develop a binary translator that will be constructed from well-specified components.

5 Resourceable and retargetable binary translation

6 Binary-file decoder  The initial state of the M S processor that would apply when about to run this binary on a native M S processor, including at least the initial value of the program counter,  A list of potential entry points for procedures, including at least the initial program counter as an entry point,  The contents of the program's code and data segments, by the address those contents would occupy in a running M S executable  A list of procedures that are to be linked with the binary dynamically, and the names of the libraries containing them.

7 Mapping manager  Which maps locations in code space, locations in data space, and locations referring to registers or other processor state.

8 Target memory manager  To allocate locations in the target machine's storage space, e.g., to store translated code.

9 Boundary manager  Tracks the boundary between translated and untranslated code and handles flow of control across the boundary.

10 Core translator  Translates groups of machine instructions

11 Binary-le encoder  Specify the contents of the M T address space at the start of execution,  Establish the state of the M T processor at the start of execution,  Write an executable le in the M T native format.  Set up dynamic linking information for translated or native libraries.

12 Intermediate Representations  Low-level representation – A single instruction corresponds to a register-transfer list or RTL. – Machine-dependent  High-level representation – HRTL is a higher-level language that abstracts away from the machine-dependent details of procedure calls, intraprocedural control flow, and relational expressions. – Higher-level HRTL form is more like a compiler's inter-mediate code, because it uses high-level abstractions of control flow.

13 Core translator

14 Core translator (cont.)  Decoding binary code to M S -RTLs – SLED, SSL  Translating M S -RTLs up to HRTL – CTL, DCTL, PAL  Manipulating HRTL – General-purpose optimizers  Translating HRTL down to M T -RTLs – VPO

15 SLED  SLED (Specification Language for Encoding and Decoding) describes the binary representation of each instruction. # SLED specs for immediate call instruction fields of instruction (32) inst 0:31 op 30:31 disp30 0:29 rd 25:29 op2 22:24 imm22 0:21 a 29:29 cond 25:28 disp22 0:21 op3 19:24 rs1 14:18 i 13:13 asi 5:12 rs2 0:4 simm13 0:12 opf 5:13 fd 25:29 cd 25:29 fs1 14:18 fs2 0:4 patterns [ TABLE_F2 CALL TABLE_F3 TABLE_F4 ] is op = {0 to 3} constructors call__ addr { addr = L + 4 * disp30! } is L: CALL & disp30

16 SSL  semantic mapper is table-driven from an SSL (Semantic Specification Language) specification, which associates an RTL with each instruction. # SSL specs for immediate call instruction call__ disp30 *32* r[15] := %pc *32* %pc := %npc *32* %npc := r[15] + (4 * disp30);

17 CTL  CTL, Control Transfer Language, describes which machine instructions map into the high- level control transfer instructions of HRTL, namely, conditional and unconditional jumps, calls, and returns. call mapping call__ addr & address = addr | JMPL dispA(rs1, i), %o7 & address = rs1+i | JMPL absoluteA(i), %o7 & address = i | JMPL indirectA(rs1), %o7 & address = rs1 | JMPL indexA (rs1, rs2), %o7& address = rs1+rs2.

18 PAL  Procedural Abstraction Language, describes how a stack frame is set up when a procedure is invoked and how values are accessed on the stack frame, according to the machine's calling convention.  PAL allows for the description of valid prologues and epilogues for callers and callees, the locations that can be used for passing parameters, the location(s) used for returning values from a function, and the location block used by locals.

19 VPO  Very Portable Optimizer, and with C optimizing compilers (both, gcc and cc).  VPO emits assembly code for the target machine.

20 Implementation  UQBT is written in C++ and compiles using gcc on Solaris and Linux systems.  It uses SLED, SSL and CTL descriptions for SPARC and Pentium, and PAL descriptions for SPARC and Pentium Unix System.

21  The test programs are: – Fibo(40), which calculates the bonacci of 40 and has 19 lines of C code, – Sieve(3000), which calculates the rst 3000 primes and has 13 lines of C code, and – Mbanner(500K), a modied version of banner(1), which loops 500,000 times to display argv[1] (\ELF" in this case) and has 135 lines of C code.  SPARC results were obtained on an Ultra- SPARC II, 250MHz machine with 320Mb RAM running Solaris 2.6.  Pentium results were obtained on a Pentium MMX, 250 MHz machine with 128Mb RAM running Solaris 2.6. Preliminary Results

22 Preliminary Results (cont.)

23

24 Discussion  to understand what knowledge of instruction representation, of instruction semantics, of calling conventions, and of binary-le formats is needed to perform binary translation,  to formalize that knowledge in appropriate description languages,  to derive components from the descriptions,  to understand how to implement machine- dependent analyses on the RTL and HRTL representations, and  to understand which analyses can be made machine-independent, and how.

25 Effort Number of Lines of Code for SPARC and Pentium Specs.

Download ppt "The Design of a Resourceable and Retargetable Binary Translator Cristina Cifuentes Sixth Working Conference on Reverse Engineering On page(s): 280 - 291."

Similar presentations

1 Lecture 3: MIPS Instruction Set Today’s topic:  More MIPS instructions  Procedure call/return Reminder: Assignment 1 is on the class web-page (due.

1 Lecture 3: MIPS Instruction Set Today’s topic:  More MIPS instructions  Procedure call/return Reminder: Assignment 1 is on the class web-page (due.
Chapter 10- Instruction set architectures

Chapter 10- Instruction set architectures
8. Code Generation. Generate executable code for a target machine that is a faithful representation of the semantics of the source code Depends not only.

8. Code Generation. Generate executable code for a target machine that is a faithful representation of the semantics of the source code Depends not only.
CSI 3120, Implementing subprograms, page 1 Implementing subprograms The environment in block-structured languages The structure of the activation stack.

CSI 3120, Implementing subprograms, page 1 Implementing subprograms The environment in block-structured languages The structure of the activation stack.
1 Starting a Program The 4 stages that take a C++ program (or any high-level programming language) and execute it in internal memory are: Compiler - C++

1 Starting a Program The 4 stages that take a C++ program (or any high-level programming language) and execute it in internal memory are: Compiler - C++
 Procedures (subroutines) allow the programmer to structure programs making them : › easier to understand and debug and › allowing code to be reused.

 Procedures (subroutines) allow the programmer to structure programs making them : › easier to understand and debug and › allowing code to be reused.
Subprogram Control - Data sharing Mechanisms to exchange data Arguments - data objects sent to a subprogram to be processed. Obtained through  parameters.

Subprogram Control - Data sharing Mechanisms to exchange data Arguments - data objects sent to a subprogram to be processed. Obtained through  parameters.
Program Representations. Representing programs Goals.

Program Representations. Representing programs Goals.
Typed Assembly Languages COS 441, Fall 2004 Frances Spalding Based on slides from Dave Walker and Greg Morrisett.

Typed Assembly Languages COS 441, Fall 2004 Frances Spalding Based on slides from Dave Walker and Greg Morrisett.
OmniVM Efficient and Language- Independent Mobile Programs Ali-Reza Adl-Tabatabai, Geoff Langdale, Steven Lucco and Robert Wahbe from Carnegie Mellon University.

OmniVM Efficient and Language- Independent Mobile Programs Ali-Reza Adl-Tabatabai, Geoff Langdale, Steven Lucco and Robert Wahbe from Carnegie Mellon University.
Common Sub-expression Elim Want to compute when an expression is available in a var Domain:

Common Sub-expression Elim Want to compute when an expression is available in a var Domain:
1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:

1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:
Representing programs Goals. Representing programs Primary goals –analysis is easy and effective just a few cases to handle directly link related things.

Representing programs Goals. Representing programs Primary goals –analysis is easy and effective just a few cases to handle directly link related things.
3/17/2008Prof. Hilfinger CS 164 Lecture 231 Run-time organization Lecture 23.

3/17/2008Prof. Hilfinger CS 164 Lecture 231 Run-time organization Lecture 23.
CS 536 Spring 20011 Code generation I Lecture 20.

CS 536 Spring Code generation I Lecture 20.
CSCE 121, Sec 200, 507, 508 Fall 2010 Prof. Jennifer L. Welch.

CSCE 121, Sec 200, 507, 508 Fall 2010 Prof. Jennifer L. Welch.
Run time vs. Compile time

Run time vs. Compile time
Partial Automation of an Integration Reverse Engineering Environment of Binary Code Author : Cristina Cifuentes Reverse Engineering, 1996., Proceedings.

Partial Automation of an Integration Reverse Engineering Environment of Binary Code Author : Cristina Cifuentes Reverse Engineering, 1996., Proceedings.
Recap from last time: live variables x := 5 y := x + 2 x := x + 1 y := x + 10... y...

Recap from last time: live variables x := 5 y := x + 2 x := x + 1 y := x y...
Direction of analysis Although constraints are not directional, flow functions are All flow functions we have seen so far are in the forward direction.

Direction of analysis Although constraints are not directional, flow functions are All flow functions we have seen so far are in the forward direction.

Similar presentations

Ads by Google