an analysis of call site patching without strong hardware
play

An Analysis of Call-site Patching Without Strong Hardware Support - PowerPoint PPT Presentation

Aug 16, 2022 •110 likes •266 views

An Analysis of Call-site Patching Without Strong Hardware Support for Self-Modifying-Code Tim Hartley, Foivos Zakkak, first.last@manchester.ac.uk Christos Kotselidis, Mikel Lujan MPLR19 2019-10-22 Call-Sites Direct branching Indirect

  1. An Analysis of Call-site Patching Without Strong Hardware Support for Self-Modifying-Code Tim Hartley, Foivos Zakkak, first.last@manchester.ac.uk Christos Kotselidis, Mikel Lujan MPLR’19 2019-10-22

  2. Call-Sites Direct branching Indirect branching Method A Method A call/jmp <offset> ld target, 0xabcd Memory call/jmp target Method B Method B Method C Method C 2019-10-22 MPLR’19 @foivoszakkak 2

  3. Call-Site Patching § Tiered compilation § De-optimization § Etc. 2019-10-22 MPLR’19 @foivoszakkak 3

  4. JIT compilation and Caches Main Memory 1 Code-stream vs Data-stream I-CACHE 001010101010110 010101010100101 0 11 00 1 00 11 00 111 1. Code gets fetched to I-Cache 3 1 000 1 0 1 0 1 0 1 0 1 00 1 000 1 0 1 0 1 0 1 0 111 2. Data get fetched to D-Cache 1 000 1 0 1 0 1 0 1 0 1 00 0 11 00 1 00 11 00 111 3. CPU executes code from I-Cache CPU 010101010101010 111110101010100 4. CPU writes data to D-Cache 6 010100100010101 100110010000011 5. D-Cache writes-back to memory 100110010000011 8 7 4 11 000 1 00 111 00 1 0 6. D-Cache fetches code to be edited 1 0 1 0 1 0 1 00 1 00 1 0 1 1 0 1 0 111 00 1 00 111 7. CPU writes code to D-Cache 1 0 1 0 1 0 1 00 1 00 1 0 1 11 00 1 0 1 00 1 00 1 0 1 D-CACHE 8. D-Cache writes-back code 111110101010100 5 2 2019-10-22 MPLR’19 @foivoszakkak 4

  5. Low-power architectures and call-site patching § Fixed size instructions – Limit the range of direct branches/calls • +- 128MiB on AArch64 • +- 1MiB on RISC-V – Require multiple instructions to perform long-range calls AArch64 128MiB x86-64 240MiB 2019-10-22 MPLR’19 @foivoszakkak 5

  6. Low-power architectures and call-site patching (cont.) § Weak memory models and self-modifying-code (SMC) support – SW explicitly issues memory barriers – Code-stream handled separately from data-stream (need to sync them) § Not all instructions are safe to patch – ARM (armv7 and armv8) and IBM (Power) limit the instructions that are safe to be patched while executing • Even if using atomic writes 2019-10-22 MPLR’19 @foivoszakkak 6

  7. Patchable call-site implementations in AArch64 Direct Branching (short-range only) Relative-Load Indirect Branching B TARGET CALLEE_1 : .quad 0 x0123456789ABCDEF ... CALLEE_N : .quad 0 x01234ABCDEF56789 START : ... LDR X16, CALLEE_1 BLR X16 Absolute-Load Indirect Branching Trampolines (OpenJDK approach) MOVZ X16, #0xABCD ; Craft the address L: LDR X16, CALLEE MOVK X16, #0xEF89, lsl #16 ; holding BR X16 ; Don 't link MOVK X16, #0x7654, lsl #32 ; the CALLEE: .quad 0 x0123456789ABCDEF MOVK X16, #0x0213, lsl #48 ; target START: ... LDR X16, [X16] BL SHORT_TARGET ; or L BLR X16 2019-10-22 MPLR’19 @foivoszakkak 7

  8. Comparison of call-site implementation approaches 2019-10-22 MPLR’19 @foivoszakkak 8

  9. Evaluation Setup § Odroid-C2 – Quad-core Cortex-A53 @ 1.54GHz (pinned) • 8-stage pipelined processor with 2-way superscalar, in-order pipeline – 2 GB DDR3 RAM – Ubuntu 18.04.02 LTS – Kernel: Odroid 3.16..68-41 – GCC 8.3.0 – MaxineVM 2.8.0 – OpenJDK 8 u212 2019-10-22 MPLR’19 @foivoszakkak 9

  10. Microbenchmark § Generates inline call-sites § Callers are ret-only methods § To patch we call a patcher method instead of a ret-only § Patcher always patches the next call-site (allows us to control number of patches § Patcher performs the necessary barriers as it would in a real system 2019-10-22 MPLR’19 @foivoszakkak 10

  11. Microbenchmark results 2019-10-22 MPLR’19 @foivoszakkak 11

  12. Dacapo and MaxineVM § We take the best two performing approaches (Direct and Relative-Load Indirect) and evaluate them with DaCapo using MaxineVM § We had to tweak Relative-Load Indirect to make it work with MaxineVM – Due to its metacircular nature, MaxineVM can only operate with offsets (relative branches), since at boot image creation the absolute targets are not known yet Indirect-Maxine ADR X17, CALL ; Get address of BLR LDR X16, OFFSET ; Load offset ADD X16, X16 , X17 ; Add them B #8 ; Jump over inline offset OFFSET: .int CALL - CALLEE_1 CALL: BLR X16 2019-10-22 MPLR’19 @foivoszakkak 12

  13. Indirect-Maxine in Microbenchmark results 2019-10-22 MPLR’19 @foivoszakkak 13

  14. DaCapo Results 2019-10-22 MPLR’19 @foivoszakkak 14

  15. Conclusions § OpenJDK’s method seems the best for AArch64 since it penalizes only long-range branches and avoids explicit instruction cache invalidations on callers. – If you have a higher #"#$%&'($%) *(""+ #+,#'-&'($%) *(""+ ratio then maybe Relative-Load is better § The most promising approach in theory would be combining the following gadgets Indirect (long-rang) Direct (short-range only) ADRP X16, CALLEE ADD X16, X16, :lo12:CALLEE B TARGET BLR X16 – On AArch64 this is not possible though since ADRP and ADD cannot be safely overwritten if they are being executed concurrently with the modifications. 2019-10-22 MPLR’19 @foivoszakkak 15

Recommend

A Site Analysis Site Conditions: Seismic Challenges Strong Winds Average Temperature

A Site Analysis Site Conditions: Seismic Challenges Strong Winds Average Temperature

A Site Analysis Site Conditions: Seismic Challenges Strong Winds Average Temperature 69 San Francisco A Site Analysis A Engineering School of San Francisco Requirements 2015 Innovative Design Gold LEED

964 views • 75 slides
Android patching From a Mobile Device Management perspective Cedric Van Bockhaven

Android patching From a Mobile Device Management perspective Cedric Van Bockhaven

Introduction Background information SNE Research Project 2 Kernel patching Evaluation Android patching from the MDM Proof of concept Android patching From a Mobile Device Management perspective Cedric Van Bockhaven cbockhaven@os3.nl

466 views • 20 slides
PenPlace Aurora Highlands Civic Association January 31, 2013 Presentation Outline Site

PenPlace Aurora Highlands Civic Association January 31, 2013 Presentation Outline Site

PenPlace Aurora Highlands Civic Association January 31, 2013 Presentation Outline Site Analysis Process To-Date Project Overview 2 Site Analysis Location Site Analysis Site Analysis 4 Existing Condition Site Analysis Site

912 views • 37 slides
MODULAR KITCHEN 01 Site 02 Construction 03 Kitchen 01 Site Analysis Generic Site Diagrams

MODULAR KITCHEN 01 Site 02 Construction 03 Kitchen 01 Site Analysis Generic Site Diagrams

CAC.C STUDIO V MODULAR KITCHEN 01 Site 02 Construction 03 Kitchen 01 Site Analysis Generic Site Diagrams Site Analysis Location - South Carolina - Charleston County - Johns Island Parcel Information GAP Shed Parcel # 3160000123

483 views • 26 slides
User Space Live Patching Joo Moreira SUSE Labs User Space Live Patching Joo Moreira

User Space Live Patching Joo Moreira SUSE Labs User Space Live Patching Joo Moreira

User Space Live Patching Joo Moreira SUSE Labs User Space Live Patching Joo Moreira (formerly at) SUSE Labs joao.moreira@lsc.ic.unicamp.br Software has bugs, and bugs have to be fixed + security issues + execution degradation + undefined

941 views • 46 slides
Hardware Accelerated Graphics Group #6 Stephen Just - Stefan Martynkiw - Mason Strong Purpose

Hardware Accelerated Graphics Group #6 Stephen Just - Stefan Martynkiw - Mason Strong Purpose

Hardware Accelerated Graphics Group #6 Stephen Just - Stefan Martynkiw - Mason Strong Purpose Build a platform capable of providing high-speed graphics support to a variety of applications Make use of FPGA (hardware) to speed up

353 views • 14 slides
Bayes factors: A re-volution in psychology Geoff Patching Department of Psychology

Bayes factors: A re-volution in psychology Geoff Patching Department of Psychology

Bayes factors: A re-volution in psychology Geoff Patching Department of Psychology E-mail: geoffrey.patching@psy.lu.se The Bayes Factor The Bayes factor ( BF ) is the likelihood ratio of the evidences given the hypotheses ! # | % !

601 views • 13 slides
Strong Authentication without Tamper-Resistant Hardware and Application to Federated Identities

Strong Authentication without Tamper-Resistant Hardware and Application to Federated Identities

Strong Authentication without Tamper-Resistant Hardware and Application to Federated Identities Zhenfeng Zhang , Yuchen Wang , Kang Yang Institute of Software, Chinese Academy of Sciences; The Joint Academy of Blockchain

869 views • 25 slides
IESO Report Site Refresh New Report Site Changes October 10, 2014 R. Jovic Introduction The

IESO Report Site Refresh New Report Site Changes October 10, 2014 R. Jovic Introduction The

IESO Report Site Refresh New Report Site Changes October 10, 2014 R. Jovic Introduction The current IESO Report Site faces a number of issues: Report Site Performance and Capacity The IESO Report Site is built upon aging hardware

227 views • 7 slides
CrypTech October 2018 Barcelona Hardware Security Module From Wikipedia: A hardware security

CrypTech October 2018 Barcelona Hardware Security Module From Wikipedia: A hardware security

CrypTech October 2018 Barcelona Hardware Security Module From Wikipedia: A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides crypto processing. These

977 views • 34 slides
Filling the Gaps and Patching the Cracks Connected Care for Home Health Care Agencies Barbara

Filling the Gaps and Patching the Cracks Connected Care for Home Health Care Agencies Barbara

Filling the Gaps and Patching the Cracks Connected Filling the Gaps and Patching the Cracks Connected Care for Home Health Care Agencies Barbara Katz, RN, MSN President, BK Healthcare Consulting, LLC www.bkhealthconsulting.com Learning

596 views • 32 slides
Zalando. The Starting Point for Fashion. Q3 / 2019 Earnings Call October 31, 2019 Highlights

Zalando. The Starting Point for Fashion. Q3 / 2019 Earnings Call October 31, 2019 Highlights

Zalando. The Starting Point for Fashion. Q3 / 2019 Earnings Call October 31, 2019 Highlights and Business Update Strong financial performance driven by outstanding traffic and active customer growth Starting point strategy: Site visits

601 views • 20 slides
Hardware Parametric Energy Consumption Analysis - Joint TACLe EACO Workshop on Analysis

Hardware Parametric Energy Consumption Analysis - Joint TACLe EACO Workshop on Analysis

Hardware Parametric Energy Consumption Analysis - Joint TACLe EACO Workshop on Analysis Techniques for Energy-Aware Computing - Marko van Eekelen Paolo Parisen Toldin, Rody Kersten, Bernard van Gastel Marc Schoolderman, Jascha Neutelings,

446 views • 21 slides
Hardware Design and Analysis of Efficient Loop Coarsening and Border Handling for Image

Hardware Design and Analysis of Efficient Loop Coarsening and Border Handling for Image

Hardware Design and Analysis of Efficient Loop Coarsening and Border Handling for Image Processing M. Akif zkan, Oliver Reiche, Frank Hannig, and Jrgen Teich Hardware/Software Co-Design, Friedrich-Alexander University Erlangen-Nrnberg

891 views • 65 slides
Chasing Zero Infections Coaching Call Strategies to Reduce Surgical Site Infections March 14,

Chasing Zero Infections Coaching Call Strategies to Reduce Surgical Site Infections March 14,

Chasing Zero Infections Coaching Call Strategies to Reduce Surgical Site Infections March 14, 2018 Agenda Welcome &amp; FHA Mission to Care HIIN Trends and Progress: Surgical Site Infections Cheryl Love, RN, BSN, BS-HCA, MBA, LHRM,

713 views • 52 slides
Site Plan Analysis diAGrAMMATiC SiTE PlAN Design Form 2 14 . . Architecture

Site Plan Analysis diAGrAMMATiC SiTE PlAN Design Form 2 14 . . Architecture

Site Plan Analysis diAGrAMMATiC SiTE PlAN Design Form 2 14 . . Architecture Interiors Project Management Aerial Perspective ProJECT SiTE 15 Ground Floor Plan SChEMATiC drAWiNGS Design Form 2 16 . .

368 views • 4 slides
De la wa re Co unty DPW F a c ility Site s T o p Site s Hyb rid Site # 11A &amp; 7A a nd Site

De la wa re Co unty DPW F a c ility Site s T o p Site s Hyb rid Site # 11A &amp; 7A a nd Site

De la wa re Co unty DPW F a c ility Site s T o p Site s Hyb rid Site # 11A &amp; 7A a nd Site # 3 March 14, 2018 How We Got Here Site Selection Process Original 12 sites 1. Facility Programing 5. Score Sites (1 10) Site

269 views • 26 slides
PATCHING LESSONS LEARNED: An Interesting Perspective WHO WE ARE - MISSION We ensure the success

PATCHING LESSONS LEARNED: An Interesting Perspective WHO WE ARE - MISSION We ensure the success

Cyber Security | Compliance | Industrial Computing PATCHING LESSONS LEARNED: An Interesting Perspective WHO WE ARE - MISSION We ensure the success of our customers by developing innovative technology solutions that optimize and protect

557 views • 37 slides
EAST SIDE! STRONG SIDE! 2018-2019 August 23, 2018 Trojan Pride Call: East Side Response:

EAST SIDE! STRONG SIDE! 2018-2019 August 23, 2018 Trojan Pride Call: East Side Response:

EAST SIDE! STRONG SIDE! 2018-2019 August 23, 2018 Trojan Pride Call: East Side Response: Strong Side WCPSS Core Beliefs #1- Every student is uniquely capable and deserves to be challenged and engaged in relevant, rigorous , and meaningful

1.11k views • 31 slides
Interprocedural control-flow analysis Nate Nystrom CS 711 6 Sep 05 Call graphs Statically

Interprocedural control-flow analysis Nate Nystrom CS 711 6 Sep 05 Call graphs Statically

Interprocedural control-flow analysis Nate Nystrom CS 711 6 Sep 05 Call graphs Statically compute a precise call graph Maps call sites to functions called Challenge: Methods Higher-order functions Can use precise call

425 views • 19 slides
Fiscal 2017 Second Quarter Pet, Home &amp; Garden Earnings Call Hardware &amp; May 2, 2017

Fiscal 2017 Second Quarter Pet, Home &amp; Garden Earnings Call Hardware &amp; May 2, 2017

Global Batteries &amp; Appliances Fiscal 2017 Second Quarter Pet, Home &amp; Garden Earnings Call Hardware &amp; May 2, 2017 Home Improvement Global Auto Care Agenda Dave Prichard Introduction Vice President, Investor Relations

585 views • 30 slides
VC. VC. Hardware Startup The Hardware Revolu/on The Hardware Revolution Removing Barriers to

VC. VC. Hardware Startup The Hardware Revolu/on The Hardware Revolution Removing Barriers to

The Business of Making Strategies for Success from Startup to Exit Hardware and Robotic Startup Accelerator what hardware used to be . VC. VC. Hardware Startup The Hardware Revolu/on The Hardware Revolution Removing Barriers to Entry Open

604 views • 32 slides
Technology Solutions Whats out there .... ? In-house .... Excel and paper based forms Call

Technology Solutions Whats out there .... ? In-house .... Excel and paper based forms Call

Technology Solutions Whats out there .... ? In-house .... Excel and paper based forms Call recorder quality software Simplistic quality assurance solutions Hardware people with cross sector experience Voice Analytics Talk analysis Word

133 views • 11 slides
Restructuring Scientific Software using Semantic Patching with Coccinelle Michele MARTONE

Restructuring Scientific Software using Semantic Patching with Coccinelle Michele MARTONE

Restructuring Scientific Software using Semantic Patching with Coccinelle Michele MARTONE Leibniz Supercomputing Centre Garching bei M unchen, Germany Potsdam, de-RSE Conference June 4, 2019 (@LRZ.de) 1 / 57 Description de-RSE@Potsdam,

854 views • 64 slides

More recommend