dynamic instrumentation techniques
play

Dynamic instrumentation techniques Ahmad shahnejat - PowerPoint PPT Presentation

Mar 04, 2023 •337 likes •662 views

Dynamic instrumentation techniques Ahmad shahnejat Michel Dagenais May, 06 1 OUTLINE INTRODUCTION to dynamic instrumentation Trap instruction INstruction punning technique Proposed compiler-assisted technique

  1. Dynamic instrumentation techniques Ahmad shahnejat Michel Dagenais May, 06 1

  2. OUTLINE ● INTRODUCTION to dynamic instrumentation ● Trap instruction ● INstruction punning technique ● Proposed compiler-assisted technique 1 ● Proposed Technique 2 ● Proposed Technique 3 ● Conclusion and FUTURE WORK 2

  3. INT3 (CC encoding) INT3 3

  4. Trap-based vs. jump-based probes Trap-based probes: use an interrupt handler ● encoded with single-bytes (INT3 in the x86 instruction set) that will fit at any probe site atomically. ● substantial slow down along instrumentation (interrupt and userspace to kernel space switching) ● Trap-based probes are usually efgective as a last option ● jump-based probes: redirects control flow directly to a trampoline rather than signal handlers. ● low invocation overhead ● Neighbor instructions will be overwritten, which is unsound If the probed instruction is smaller than the jump ● 4

  5. Fasttp vs. new techniques User space Trampoline jmp Tracing jmp Function Trap Kernel space Trap handler 5

  6. Jump-based tracepoints If the probe site holds an ● instruction of five-bytes in length 6

  7. Jump-based tracepoints If the probe site ● holds a five-byte plus instruction 7

  8. Jump-based tracepoints If the probe site ● holds an instruction shorter than 5 bytes 8

  9. Instruction punning technique By injecting a jump instruction, ● the relative ofgset of the jump serves simultaneously both as data and as a sequence of instruction(s). I1 I2 I3 I4 5b 48 89 c3 48 8d 45 80 53 89 c3 48 8d 45 80 e9 48 53 5 4 0 1 8 9 9

  10. Instruction punning technique If the probe site ● holds an instruction shorter than 5 bytes 10

  11. Instruction punning technique only one pun is ● available for the jump probe 11

  12. Instruction punning technique 12

  13. Fasttp technique ● Max usage of trap instructions I1 I2 I3 jmp I4 I5 I6 0 1 4 8 12 16 9 5 e9 CC ?? ?? CC int int 13

  14. Compiler-assisted Technique 1 Forcing the compiler to leave space between functions ● Compiler-assisted have a hidden cost ● placement F 1 F 1 Space left F 2 Functions between F 2 F 3 functions F 3 Normal placement 14

  15. 1- Save registers 2- Instrumentation 3- Restore registers 4- Executing original instructions 5- Jump back 1- Save registers 2- Instrumentation 3- Restore registers 4- Executing original instructions 5- Jump back 15

  16. 1- Save registers 2- Instrumentation 3- Restore registers 4- Executing original instructions 5- Jump back 0x0000000000013c8f <+0>: 55 push %rbp 0x0000000000013c90 <+1>: 48 89 e5 mov %rsp,%rbp 0x0000000000013c93 <+4>: 53 push %rbx 0x0000000000013cd8 <+73>: 8b 45 dc mov -0x24(%rbp),%eax 0x0000000000013cdb <+76>: 89 c7 mov %eax,%edi 0x0000000000013cdd <+78>: e8 2e 88 ff ff callq 0xc510 <exit@plt> 1- Save registers 2- Instrumentation 3- Restore registers 4- Original instructions 5- Jump back 16

  17. 0x0000000000013c13 <-124>: 1- Save registers 2- Instrumentation 3- Restore registers 4- Executing original instructions 5- Jump back 0x0000000000013c8f <+0>: eb //Entry 0x0000000000013c90 <+1>: 80 89 e5 //Probe 0x0000000000013c93 <+4>: 53 push %rbx 0x0000000000013cd8 <+73>: 8b 45 dc mov -0x24(%rbp),%eax 0x0000000000013cdb <+76>: 89 c7 mov %eax,%edi 0x0000000000013cdd <+78>: eb 03 88 ff ff //Exit probe 0x0000000000013d5f <+83>: 1- Save registers 2- Instrumentation 3- Restore registers 4- Original instructions 5- Jump back 17

  18. Technique 2 256 B Short JMP Binary overlapping ● 4 GB Why not using 2-byte short jump? ● eb ?? How far the range of a jump could be? ● 0 1 Landing on another jump/Call ● JMP Callq 0x55555556c456 e8 e9 43 00 00 e9 ?? ?? ?? ?? e9 43 00 00 48 Jmp 0x48000048 0 1 4 5 18

  19. e9 43 00 00 48 jmp 0x48000048 e8 64 48 33 04 call 0x4334869 19

  20. e9 43 00 00 48 jmp 0x48000048 e8 64 48 33 04 call 0x4334869 20

  21. Technique 2 0x0000555555568068 <+225>: e8 e9 43 00 00 callq 0x55555556c456 0x000055555556806d <+230>: 48 89 c1 mov %rax,%rcx 74 bytes 0x00005555555680b1 <+298>: e8 18 d0 ff ff callq 0x5555555650ce 91 bytes 0x000055555556810b <+388>: 48 8b 45 e8 mov -0x18(%rbp),%rax 0x000055555556810f <+392>: 64 48 33 04 25 28 00 00 00 xor %fs:0x28,%rax 21

  22. Technique 2 0x0000555555568068 <+225>: e8 e9 43 00 00 callq 0x55555556c456 0x000055555556806d <+230>: 48 89 c1 mov %rax,%rcx 74 bytes 0x00005555555680b1 <+298>: eb b4 d0 ff ff callq 0x5555555650ce 0x000055555556810b <+388>: 48 8b 45 e8 mov -0x18(%rbp),%rax 0x000055555556810f <+392>: 64 48 33 04 25 28 00 00 00 xor %fs:0x28,%rax 22

  23. Technique 2 0x0000555555568068 <+225>: e8 e9 43 00 00 callq 0x55555556c456 0x000055555556806d <+230>: 48 89 c1 mov %rax,%rcx 0x00005555555680b1 <+298>: eb 59 d0 ff ff callq 0x5555555650ce 91 bytes 0x000055555556810b <+388>: 48 8b 45 e8 mov -0x18(%rbp),%rax 0x000055555556810f <+392>: 64 48 33 04 25 28 00 00 00 xor %fs:0x28,%rax 23

  24. Technique 3 Instrumentation of a five-byte ● location with multiple instructions. I1 I2 I3 I4 reusing the suffjx of an ● instruction as a distinct 5b 48 89 c3 48 8d 45 80 53 instruction is used mainly in code obfuscation. e9 48 89 c3 48 8d 45 80 53 1st: instruction punning ● 0 1 4 8 9 5 2nd: ? JMP 24

  25. Technique 3 (1) (2) (3) e9 48 89 c3 48 8d 45 80 53 0 1 8 9 4 5 JMP Need to be validated (1): E9 48 89 c3 48 = jmp 0x48c3894d (2): 48 89 c3 = dec eax mov ebx,eax Original instructions (3): 48 8d 45 80 = dec eax lea eax,[ebp-0x80] 25

  26. Technique 3 (1) (2) (3) e9 e9 89 c3 e9 8d 45 80 53 0 1 8 4 5 (1): e9 e9 ?? ?? e9 2 bytes available to manipulate (2): e9 ?? ?? e9 ?? (3): e9 ?? ?? ?? 53 3 bytes available to manipulate 26

  27. Technique 3 (1) 2¹ ⁶ 2 alternatives MSB e9 e9 ?? ?? e9 0 2² ⁴ e9 ?? ?? e9 ?? alternatives 1 e9 ?? ?? ?? 53 (2) 8 (3) 4 5 2 MSB In practice it typically takes no more than 7 attempts(for the two significant bytes) to map memory for a ● trampoline, while we have at least 256 alternatives in this cases. 27

  28. Conclusion & Future worK 28

  29. Conclusion & Future work ● The key goal is interpreting data as code. this technique is called instruction punning. ● 1st approach: Instruction punning ● 2nd approach: Proposed techniques ● last approach: Trap instruction(s) ● Trampoline placement ● Prototype under development 29

  30. Questions?! :) 30

  31. References 1- B. Chamith, B. J. Svensson, L. Dalessandro, and R. R. Newton. Instruction punning: Lightweight instrumentation for x86-64. In Proceedings of the 38th ACM SIGPLAN Conference on Programming Language Design and Implementation, 2017. 2- Zhao, Valerie, "Evaluation of Dynamic Binary Instrumentation Approaches: Dynamic Binary Translation vs. Dynamic Probe Injection" (2018). 31

Recommend

VEX: Where next for Valgrind's dynamic VEX: Where next for Valgrind's dynamic instrumentation

VEX: Where next for Valgrind's dynamic VEX: Where next for Valgrind's dynamic instrumentation

VEX: Where next for Valgrind's dynamic VEX: Where next for Valgrind's dynamic instrumentation infrastructure? instrumentation infrastructure? Julian Seward, jseward@acm.org 4 February 2017. FOSDEM. Brussels. Overview How it works (roughly)

581 views • 17 slides
State-based Testing Using Dynamic Instrumentation Vijay Upadya Microsoft Agenda What is

State-based Testing Using Dynamic Instrumentation Vijay Upadya Microsoft Agenda What is

State-based Testing Using Dynamic Instrumentation Vijay Upadya Microsoft Agenda What is dynamic instrumentation? Applications of dynamic instrumentation How does it work? Simulating different states and transitions

1.25k views • 21 slides
PIN Dynamic instrumentation framework PIN: Building Customized Goals: Program Analysis

PIN Dynamic instrumentation framework PIN: Building Customized Goals: Program Analysis

PIN Dynamic instrumentation framework PIN: Building Customized Goals: Program Analysis Tools with Easy-to-use Dynamic Instrumentation Portable Transparent Luk et al PLDI 2005 Efficient Presented by Godmar Back

223 views • 5 slides
Dynamic Binary Instrumentation: Introduction to Pin Instrumentation A technique that injects

Dynamic Binary Instrumentation: Introduction to Pin Instrumentation A technique that injects

Dynamic Binary Instrumentation: Introduction to Pin Instrumentation A technique that injects instrumentation code into a binary to collect run-time information 2 Instrumentation A technique that injects instrumentation code into a binary to

773 views • 46 slides
Principals, Instrumentation and Uses Biomedical Research Techniques Erasmus University Medical

Principals, Instrumentation and Uses Biomedical Research Techniques Erasmus University Medical

Magnetic Resonance Imaging Principals, Instrumentation and Uses Biomedical Research Techniques Erasmus University Medical Center the Netherlands Aim The aim of the lecture is to obtain a basic understanding on MRI physics and instrumentation

693 views • 44 slides
Cross-ISA Machine Instrumentation Cross-ISA Machine Instrumentation using Fast and Scalable

Cross-ISA Machine Instrumentation Cross-ISA Machine Instrumentation using Fast and Scalable

Cross-ISA Machine Instrumentation Cross-ISA Machine Instrumentation using Fast and Scalable using Fast and Scalable Dynamic Binary Translation Dynamic Binary Translation Emilio G. Cota Columbia University Luca P. Carloni VEE'19 April 14,

1.05k views • 45 slides
Instrumentation available for portable/transportable X-ray spectrometry techniques A. Migliori

Instrumentation available for portable/transportable X-ray spectrometry techniques A. Migliori

Instrumentation available for portable/transportable X-ray spectrometry techniques A. Migliori a.migliori@iaea.org Joint ICTP-IAEA Advanced Workshop on Portable X-Ray Spectrometry Techniques for Characterization of Valuable Archaeological/Art

325 views • 19 slides
Mapping CSP Networks to MPI Clusters Using Channel Graphs and Dynamic Instrumentation Gabriella

Mapping CSP Networks to MPI Clusters Using Channel Graphs and Dynamic Instrumentation Gabriella

Mapping CSP Networks to MPI Clusters Using Channel Graphs and Dynamic Instrumentation Gabriella Azzopardi Kevin Vella Adrian Muscat University of Malta Outline Introduction 1. CSP-Library 2. Configuration Language 3. CSP-based

354 views • 20 slides
InsectJ: A Generic Instrumentation Framework for Collecting Dynamic Information within Eclipse

InsectJ: A Generic Instrumentation Framework for Collecting Dynamic Information within Eclipse

InsectJ: A Generic Instrumentation Framework for Collecting Dynamic Information within Eclipse Arjan Seesing and Alessandro Orso Georgia Institute of Technology This work was supported in part by an IBM Eclipse Innovation Grant.

859 views • 24 slides
Instrew: Leveraging LLVM for High Performance Dynamic Binary Instrumentation Alexis Engelke

Instrew: Leveraging LLVM for High Performance Dynamic Binary Instrumentation Alexis Engelke

Instrew: Leveraging LLVM for High Performance Dynamic Binary Instrumentation Alexis Engelke Martin Schulz Chair of Computer Architecture and Parallel Systems TUM Department of Informatics Technical University of Munich VEE 2020, virtual

396 views • 25 slides
Dynamic Binary Instrumentation-based Framework for Malware Defense Najwa Aaraj , Anand

Dynamic Binary Instrumentation-based Framework for Malware Defense Najwa Aaraj , Anand

Dynamic Binary Instrumentation-based Framework for Malware Defense Najwa Aaraj , Anand Raghunathan , and Niraj K. Jha Department of Electrical Engineering, Princeton University, Princeton, NJ 08544, USA NEC Labs America,

410 views • 25 slides
Gravitational-Wave Astronomy 1060-711: Astronomical Observational Techniques and Instrumentation

Gravitational-Wave Astronomy 1060-711: Astronomical Observational Techniques and Instrumentation

Gravitational-Wave Physics Gravitational-Wave Detectors Gravitational-Wave Astronomy Gravitational-Wave Astronomy 1060-711: Astronomical Observational Techniques and Instrumentation Guest Lecturer: Prof. John T. Whelan 2013 May 1

1.95k views • 59 slides
Dynamic Slicing Techniques for Petri Nets M. Llorens, J. Oliver, J. Silva, S. Tamarit, G. Vidal

Dynamic Slicing Techniques for Petri Nets M. Llorens, J. Oliver, J. Silva, S. Tamarit, G. Vidal

Motivation Dynamic Slicing in PN from an initial marking Dynamic Slicing in PN from a firing sequence Conclusions and Future Work Dynamic Slicing Techniques for Petri Nets M. Llorens, J. Oliver, J. Silva, S. Tamarit, G. Vidal Dep. of

378 views • 35 slides
Instrumentation best practices in Brewing Slide 1 Ola Wesstrom Instrumentation best practices in

Instrumentation best practices in Brewing Slide 1 Ola Wesstrom Instrumentation best practices in

Products Solutions Services Instrumentation best practices in Brewing Slide 1 Ola Wesstrom Instrumentation best practices in Brewing What we will cover Endress+Hauser overview Best Practice application examples Instrumentation for

384 views • 35 slides
Programming Techniques CHAPTER 10 SECTION 1 A DYNAMIC PHOTO GALLERY OBJECTIVES Planning

Programming Techniques CHAPTER 10 SECTION 1 A DYNAMIC PHOTO GALLERY OBJECTIVES Planning

Programming Techniques CHAPTER 10 SECTION 1 A DYNAMIC PHOTO GALLERY OBJECTIVES Planning the layout of a dynamic gallery Displaying a fixed number of results in a table row Limiting the number of records retrieved at a time

665 views • 40 slides
Overview Instruction level parallelism Dynamic Scheduling Techniques Scoreboarding

Overview Instruction level parallelism Dynamic Scheduling Techniques Scoreboarding

Overview Instruction level parallelism Dynamic Scheduling Techniques Scoreboarding Chapter 2 Tomasulos Algorithm Reducing Branch Cost with Dynamic Hardware Reducing Branch Cost with Dynamic Hardware Prediction

274 views • 6 slides
Pin Tutorial What is Instrumentation? A technique that inserts extra code into a program to

Pin Tutorial What is Instrumentation? A technique that inserts extra code into a program to

Pin Tutorial What is Instrumentation? A technique that inserts extra code into a program to collect runtime information Instrumentation approaches: Source instrumentation: Instrument source programs Binary instrumentation :

626 views • 40 slides
TECHNIQUES Sample Preparation Digestion techniques Chromatography SPE

TECHNIQUES Sample Preparation Digestion techniques Chromatography SPE

6/19/2015 LABORATORY PROCESS Scientist Method Development Sample BecA ILRI Hub Laboratory Management and Equipment Operations (LMEO) workshop RUBONA, Rwanda Testing Sample Preparation Instrument TOPIC: LABORATORY INSTRUMENTATION th

164 views • 5 slides
GT14: Instrumentation et detection GT14: Instrumentation et detection Tracking detectors

GT14: Instrumentation et detection GT14: Instrumentation et detection Tracking detectors

GT14: Instrumentation et detection GT14: Instrumentation et detection Tracking detectors perspectives in France Giovanni Calderini (LPNHE Paris) Journes Prospectives IN2P3/IRFU Giens 2012 1 Huge subject in terms of detection principles /

319 views • 30 slides
Dynamic Programming (Chapter 6) Algorithm Design Techniques Greedy Divide and Conquer Dynamic

Dynamic Programming (Chapter 6) Algorithm Design Techniques Greedy Divide and Conquer Dynamic

Dynamic Programming (Chapter 6) Algorithm Design Techniques Greedy Divide and Conquer Dynamic Programming Network Flows Algorithm Design Divide and Dynamic Greedy Conquer Programming Formulate problem ? ? ? Design algorithm less

527 views • 36 slides
Loom Weaving Instrumentation for Program Analysis Brian Kidney (Presenter) Jonathan Anderson

Loom Weaving Instrumentation for Program Analysis Brian Kidney (Presenter) Jonathan Anderson

Loom Weaving Instrumentation for Program Analysis Brian Kidney (Presenter) Jonathan Anderson Memorial University But Instrumentation is done, right? Why another instrumentation tool There are lots of instrumentation tools Intel

394 views • 13 slides
Using AOP for Detailed Runtime Monitoring Instrumentation Jonathan E Cook, joncook@nmsu.edu

Using AOP for Detailed Runtime Monitoring Instrumentation Jonathan E Cook, joncook@nmsu.edu

Using AOP for Detailed Runtime Monitoring Instrumentation Jonathan E Cook, joncook@nmsu.edu Amjad Nusayr, anusayr@cs.nmsu.edu The 2009 Workshop on Dynamic Analysis New Mexico State University Runtime Monitoring The act of observing an

590 views • 23 slides
Cryogenic Instrumentation and Controls Cryogenic Instrumentation and Controls of String 2 of

Cryogenic Instrumentation and Controls Cryogenic Instrumentation and Controls of String 2 of

experience with the experience with the Cryogenic Instrumentation and Controls Cryogenic Instrumentation and Controls of String 2 of String 2 Paulo Gomes for the ACR-IN team with the precious contributions of D. Bozzini, L. Serio, his

389 views • 14 slides
What is the kernel upto? Powerful tracing techniques Joel Fernandes

What is the kernel upto? Powerful tracing techniques Joel Fernandes

What is the kernel upto? Powerful tracing techniques Joel Fernandes &lt;joel@linuxinternals.org&gt; Concepts: Tracing: Static vs Dynamic tracepoints Static: Tracepoint events Dynamic: kprobes Static tracepoints: Methodology Define

380 views • 33 slides

More recommend