Presentation is loading. Please wait.

Presentation is loading. Please wait.

University of Maryland Instrumentation with Relocatable Program Code Tugrul Ince Department of Computer Science University of Maryland, College Park, MD.

Published byHollie McKinney Modified over 9 years ago

Similar presentations

Presentation on theme: "University of Maryland Instrumentation with Relocatable Program Code Tugrul Ince Department of Computer Science University of Maryland, College Park, MD."— Presentation transcript:

1 University of Maryland Instrumentation with Relocatable Program Code Tugrul Ince Department of Computer Science University of Maryland, College Park, MD 20742

2 University of Maryland Code Patching 2 void BZ2_blockSort ( EState* s ) { UInt32* ptr = s->ptr; UChar* block = s->block; UInt32* ftab = s->ftab; Int32 nblock = s->nblock; Int32 verb = s->verbosity; Int32 wfact = s->workFactor;... } reportFuncName(“BZ2_blockSort”);

3 University of Maryland : 0x4023c0push%r15 0x4023c2push%r14 0x4023c4push%r13 0x4023c6push%r12 0x4023c8push%rbp 0x4023c9push%rbx 0x4023casub$0x12a8,%rsp 0x4023d1mov0x6c(%rdi),%ecx 0x4023d4mov0x38(%rdi),%rax ∙ ∙ ∙ 0x402405mov0x58(%rdi),%ecx 0x402408jle0x4033d5 Code Patching 3 mov $0x40b554,%rdi callq 400800

4 University of Maryland : Code Patching 4 0x4023c0push%r15 0x4023c2push%r14 0x4023c4push%r13 0x4023c6push%r12 0x4023c8push%rbp 0x4023c9push%rbx 0x4023casub$0x12a8,%rsp 0x4023d1mov0x6c(%rdi),%ecx 0x4023d4mov0x38(%rdi),%rax ∙ ∙ ∙ 0x402405mov0x58(%rdi),%ecx 0x402408jle0x4033d5 0x402410…. push%r15 push%r14 push%r13 push%r12 push%rbp push%rbx sub$0x12a8,%rsp mov0x6c(%rdi),%ecx mov0x38(%rdi),%rax ∙ ∙ ∙ mov0x58(%rdi),%ecx jle0x4033d5 mov $0x40b554,%rdi callq 400800 Set up for instrumentation (Save state) Restore original state Illegal Instruction ∙ ∙ ∙ Illegal Instruction jmp 0xdeadbeef jmp 0x402410

5 University of Maryland Limitations of Current Mechanism Effort to relocate code Execution is terminated if old code is accessed –Illegal instructions trigger crash 5 A B C A jmp B’ Illegal C B’ jmp C Need to use interrupts –If a jump will not fit into the space provided by relocated code, insert a small interrupt instead

6 University of Maryland What If? We had space for inserting instrumentation –Reduce the need to relocate –No need to use interrupts Relocation was easy –No need to update all addresses –No forwarding mechanism required 6 A B C A B’ C A B C A C Old Code

7 University of Maryland What If? We were guaranteed that old code would never be executed –No need to insert illegal instructions Inserting instrumentation required less effort –Can use instrumentation more often 7 A B C A C B’ Empty

8 University of Maryland Relocatable Basic Blocks Untie code from its location –Position independent code –Limited dependency on addresses at control transfers –Explicit control transfers where needed New data structure to store basic block locations –Basic Block Linkage Table (BLT): jump instructions to the target 8

9 University of Maryland Creating Relocatable Basic Blocks 9

10 University of Maryland Relocatable Basic Blocks – BLT_only 10 BLT = Basic Block Linkage Table

11 University of Maryland Relocatable Basic Blocks – BLT_with_FT 11 BLT = Basic Block Linkage TableFT = Fall-through

12 University of Maryland Creating Relocatable Basic Blocks Source to intermediate representation –Our IR: Assembly Work on intermediate representation –Generate BLT and/or TAT –Insert/Replace jumps to make use of BLT Convert intermediate representation into executable –We use GNU Assembler (gas) 12

13 University of Maryland Relocating Basic Blocks Relocation might be unnecessary –Use padding left in binary during compilation Relocate if not enough space for instrumentation –Just copy the code –Update BLT entry 13

14 University of Maryland No Need for Illegal Instructions Execution will not reach old location –Jumps will go through BLT –Indirect jumps? During compilation, all labels are identified All uses are replaced with corresponding BLT entries Indirect jumps use these labels and go through BLT … except when fall-throughs are allowed –Handled by leaving a single jump instruction at the old location 14

15 University of Maryland Number of Instructions 15 Number of taken branchesTotal number of instructions Billions Benchmark used: mcf

16 University of Maryland Normalized Running Times 16

17 University of Maryland Other Uses 17 Support for use of multiple versions of shared libraries –Correct BLT is selected at runtime Branch alignment at runtime –Use an auto-tuner to reorder basic blocks Code obfuscation through hidden basic block locations –Encrypt BLT entries at compile time –Decrypt at launch time Resilience against intrusion attacks –Address Space Layout Randomization using runtime relocation

18 University of Maryland Conclusion Introduced Relocatable Basic Blocks Simplified instrumentation Have other uses (security, shared libraries, etc.) 18 Current MechanismWith Relocatable Basic Blocks Use of illegal instructionsNo need for illegal instructions Forwarding mechanism during relocation Only update block address at BLT for relocation Relocation required oftenRelocation required less frequently Interrupts sometimes neededNo interrupts needed Plain mutateeLarger mutatee, running time overhead No recompilation requiredRequires recompilation

Download ppt "University of Maryland Instrumentation with Relocatable Program Code Tugrul Ince Department of Computer Science University of Maryland, College Park, MD."

Similar presentations

Target Code Generation

Target Code Generation
Intermediate Code Generation

Intermediate Code Generation
Wish Branches Combining Conditional Branching and Predication for Adaptive Predicated Execution The University of Texas at Austin *Oregon Microarchitecture.

Wish Branches Combining Conditional Branching and Predication for Adaptive Predicated Execution The University of Texas at Austin *Oregon Microarchitecture.
Program Development Tools The GNU (GNU’s Not Unix) Toolchain The GNU toolchain has played a vital role in the development of the Linux kernel, BSD, and.

Program Development Tools The GNU (GNU’s Not Unix) Toolchain The GNU toolchain has played a vital role in the development of the Linux kernel, BSD, and.
Lecture 8: MIPS Instruction Set

Lecture 8: MIPS Instruction Set
Assembler/Linker/Loader Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc11-12.html Chapter 4.3 J. Levine: Linkers & Loaders

Assembler/Linker/Loader Mooly Sagiv html:// Chapter 4.3 J. Levine: Linkers & Loaders
Linkage Editors Difference between a linkage editor and a linking loader: Linking loader performs all linking and relocation operations, including automatic.

Linkage Editors Difference between a linkage editor and a linking loader: Linking loader performs all linking and relocation operations, including automatic.
Linking & Loading CS-502 Operating Systems

Linking & Loading CS-502 Operating Systems
Chapter 3 Loaders and Linkers

Chapter 3 Loaders and Linkers
Loaders and Linkers CS 230 이준원. 2 Overview assembler –generates an object code in a predefined format »COFF (common object file format) »ELF (executable.

Loaders and Linkers CS 230 이준원. 2 Overview assembler –generates an object code in a predefined format »COFF (common object file format) »ELF (executable.
1 Starting a Program The 4 stages that take a C++ program (or any high-level programming language) and execute it in internal memory are: Compiler - C++

1 Starting a Program The 4 stages that take a C++ program (or any high-level programming language) and execute it in internal memory are: Compiler - C++
Mehmet Can Vuran, Instructor University of Nebraska-Lincoln Acknowledgement: Overheads adapted from those provided by the authors of the textbook.

Mehmet Can Vuran, Instructor University of Nebraska-Lincoln Acknowledgement: Overheads adapted from those provided by the authors of the textbook.
Chapter 12 CPU Structure and Function. CPU Sequence Fetch instructions Interpret instructions Fetch data Process data Write data.

Chapter 12 CPU Structure and Function. CPU Sequence Fetch instructions Interpret instructions Fetch data Process data Write data.
CPSC 325 - Compiler Tutorial 8 Code Generator (unoptimized)

CPSC Compiler Tutorial 8 Code Generator (unoptimized)
Assembler/Linker/Loader Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc04.html Chapter 4.3.

Assembler/Linker/Loader Mooly Sagiv html:// Chapter 4.3.
1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:

1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:
Multiprocessing Memory Management

Multiprocessing Memory Management
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
Run time vs. Compile time

Run time vs. Compile time
S. Barua – CPSC 240 CHAPTER 9 TRAP ROUTINES AND SUBROUTINES The TRAP mechanism allows the user program.

S. Barua – CPSC 240 CHAPTER 9 TRAP ROUTINES AND SUBROUTINES The TRAP mechanism allows the user program.

Similar presentations

Ads by Google