generating low overhead dynamic binary translators
play

Generating Low-Overhead Dynamic Binary Translators Mathias Payer - PowerPoint PPT Presentation

Oct 11, 2023 •36 likes •326 views

Generating Low-Overhead Dynamic Binary Translators Mathias Payer and Thomas R. Gross Department of Computer Science ETH Z rich Motivation Binary Translation (BT) well known technique for late transformations Extend or add

  1. Generating Low-Overhead Dynamic Binary Translators Mathias Payer and Thomas R. Gross Department of Computer Science ü ETH Z rich

  2. Motivation “ ”  Binary Translation (BT) well known technique for late transformations  Extend or add features on the fly  Flexibility of dynamic software BT incurs runtime overhead  Complexity of transformations can be a challenge  Offer a high-level interface at compile time, compile into effective translation tables ü 2010-05-26 ETH Z rich / LST / Mathias Payer 2

  3. Outline  Introduction  Design and Implementation  Table generation  Translator  Optimization  Conclusion ü 2010-05-26 ETH Z rich / LST / Mathias Payer 3

  4. Binary Translation in a Nutshell Instrumented program Original program Static translation 0' 0 1' 1 2' 3' 2 3 What about: ● Self modifying code? ? 4' 4 ● Shared libraries? ● Obfuscated Code? ü 2010-05-26 ETH Z rich / LST / Mathias Payer 4

  5. Binary Translation in a Nutshell Instrumented program Original program Dynamic translation 0' 0 1' 1 2' 3' 2 3 Features: ● Translates all executed ... ... ... code 4 ● Captures all indirect control flow transfers ● Just in time translation ü 2010-05-26 ETH Z rich / LST / Mathias Payer 5

  6. Binary Translation in a Nutshell Original program Code cache Translator Gen. opcode 1' 0 table 1 3' 2 3 Table generator 2' supplies generated opcode tables ... 4 at compile time ü 2010-05-26 ETH Z rich / LST / Mathias Payer 6

  7. Binary Translation in a Nutshell Original program Code cache Translator Gen. opcode 1' 0 table 1 3' Trampoline to translate 4 2 3 2' Mapping 3 3' ... 4 1 1' 2 2' ü 2010-05-26 ETH Z rich / LST / Mathias Payer 7

  8. fastBT  Prototype for a dynamic BT system  Machine-independent, OS-independent  Focus of this talk: IA32, Linux ü 2010-05-26 ETH Z rich / LST / Mathias Payer 8

  9. Table Generation  Translation tables describe individual instructions and are used to select the correct adapter functions  Manual table construction is hard & cumbersome  Many instructions, write machine-code tables by hand  Use automation and high level description!  Information about opcodes, possible encodings, and properties  Specify default translation actions Table generator Intel IA32 Optimized ● High level interface opcode translator ● Adapter functions tables table ü 2010-05-26 ETH Z rich / LST / Mathias Payer 9

  10. Table Generation  Use table generator to offer high-level interface  Transforming opcode tables into runtime translation tables  Add analysis functions to control the table generation  Memory access?  What are src, dst, aux parameters?  FPU usage?  What kind of opcode?  What opcode class (load, store, arithmetic, control flow, ...)?  Immediate value as pointer?  etc. ü 2010-05-26 ETH Z rich / LST / Mathias Payer 10

  11. Translator implementation  Translator uses an iterator based approach and per- instruction actions  Fundamentals to master low overhead:  Code cache  Inlining  Master (indirect) control transfers ü 2010-05-26 ETH Z rich / LST / Mathias Payer 11

  12. Optimization  Indirect control flow transfers are expensive  Runtime lookup and patching required  Indirect control transfer replaced by software trap  Optimizations in fastBT:  Local branch prediction  Inlining a fast lookup into the code cache  Building on-the-fly shadow jump tables ü 2010-05-26 ETH Z rich / LST / Mathias Payer 12

  13. Optimization: Branch prediction  Cache the last one or two targets  If there is a cache hit  No lookup is needed  Results in 3 to 5 instructions  If there is a cache miss  Lookup the target and cache it for future use  Updating the cache costs additional instructions ü 2010-05-26 ETH Z rich / LST / Mathias Payer 13

  14. Optimization: Fast lookup  Emit an inlined fast lookup into the code cache  Uses the mapping table to translate the target  Optimized for direct hit in the mapping table  Results in 13 or 14 instructions ü 2010-05-26 ETH Z rich / LST / Mathias Payer 14

  15. Optimization: Shadow jump table  Build a shadow jump table, iff the original indirect control transfer uses a jump table  Initialize all entries with catch-all function  Lazy lookup and write-back in catch-all  Results in 5 instructions if the target is translated ü 2010-05-26 ETH Z rich / LST / Mathias Payer 15

  16. Optimization: Problem  Each optimization is only effective for some program locations and a specific program behavior  Low number of targets, few changes  Use a cache  High number of targets, many changes  Use fast lookup  Location has many different targets, all close to each other  Use a shadow jump-table  An adaptive runtime optimization can select the best optimization for each indirect control transfer ü 2010-05-26 ETH Z rich / LST / Mathias Payer 16

  17. Adaptive Optimization  fastBT offers an adaptive optimization for indirect control transfers  Start with a prediction for 1 or 2 locations, count misses  Recover to a fast lookup, if count exceeds threshold  Construct a shadow jump-table, if the control transfer uses a jump table  Adaptive optimizations bring competitive performance! ü 2010-05-26 ETH Z rich / LST / Mathias Payer 17

  18. Benchmarks: Setup  Used null-transformation to show translation overhead  Used SPEC CPU2006 benchmarks to evaluate performance  We use the Test dataset for short running programs and the Ref dataset for long running programs  Machine: E6850 Intel Core2Duo @ 3.00GHz ü 2010-05-26 ETH Z rich / LST / Mathias Payer 18

  19. Related work  HDTrans  S. Sridhar et al. HDTrans: a low-overhead dynamic translator. SIGARCH'07  Table based dynamic BT, no high level interface  DynamoRIO  D. Bruening et al. Design and implementation of a dynamic optimization framework for windows. In ACM Workshop Feedback- directed Dyn. Opt. (FDDO-4) (2001).  IR based optimizing BT, does not export a translation interface  PIN  C.-K. Luk et al. Pin: building customized program analysis tools with dynamic instrumentation. In PLDI'05  High overhead, offers high level interface ü 2010-05-26 ETH Z rich / LST / Mathias Payer 19

  20. Benchmarks: Ref dataset 126% 100% 90% 80% 70% 60% fastBT Overhead HDTrans 50% PIN 40% dynamoRIO 30% 20% 10% 0% 400.perlbench 445.gobmk 483.xalancbmk 447.dealII Average ü 2010-05-26 ETH Z rich / LST / Mathias Payer 20

  21. Benchmarks: Ref dataset Benchmark Function inlined Indirect jmptbl pred Indirect pred calls 1) jumps 1) calls 1) 400.perlbench 25'814 8.1% 21'930 93.7% 6.3% 3'903 7.4% 445.gobmk 18'001 1.3% 93 1.0% 99.0% 185 4.1% 483.xalancbmk 28'888 10.6% 2'627 27.0% 63.6% 9'161 96.1% 447.dealII 52'756 54.5% 21'147 1.7% 98.3% 540 98.4% 1) All numbers are *10 6 ü 2010-05-26 ETH Z rich / LST / Mathias Payer 21

  22. Benchmarks: Test dataset 1415% 3481% 308% 745% 140% 120% 100% fastBT Overhead 80% HDTrans PIN 60% dynamoRIO 40% 20% 0% 400.perlbench 445.gobmk 483.xalancbmk 447.dealII Average ü 2010-05-26 ETH Z rich / LST / Mathias Payer 22

  23. Benchmarks: Ref vs. Test Dataset Ref dataset Test dataset Benchmark no BT [s] fastBT no BT[s] fastBT 400.perlbench 486 56% 4 29% 445.gobmk 611 18% 21 18% 483.xalancbmk 371 24% <1 56% 447.dealII 552 44% 25 36% Average 839 6% 8 10% ü 2010-05-26 ETH Z rich / LST / Mathias Payer 23

  24. Benchmarks: Summary  High overhead:  Many indirect control transfers  Function calls incur high overhead, even with optimizations  Indirect control transfers without caches or jump tables add overhead  High collision rate in mapping table  Expensive recoveries, try different rescheduling strategies  Low overhead:  Few indirect control transfers  Cost of indirect control transfers is reduced through optimizations ü 2010-05-26 ETH Z rich / LST / Mathias Payer 24

  25. Conclusion  fastBT shows that it is possible to combine ease of use with efficient binary translation  Adaptive optimizations select best optimization for individual locations  Adaptive optimizations are necessary for low overhead in table based binary translators ü 2010-05-26 ETH Z rich / LST / Mathias Payer 25

  26. Thanks for your attention! ?  fastBT project page: http://nebelwelt.net/fastBT  Contact: mathias.payer@inf.ethz.ch  Kudos to:  Marcel Wirth, Peter Suter, Stephan Classen, and Antonio Barresi for code contributions  My colleagues for endless comments and reviews ü 2010-05-26 ETH Z rich / LST / Mathias Payer 26

  27. Table Generation: Analysis Function bool isMemOp (const unsigned char* opcode, const instr& disInf, std::string& action) { bool res; /* check for memory access in instr. */ res = mayOpAccessMem(disInf.dstFlags); res |= mayOpAccessMem(disInf.srcFlags); res |= mayOpAccessMem(disInf.auxFlags); /* change the default action */ if (res) { action = "handleMemOp"; } return res; } // in main function: addAnalysFunction(isMemOp); ü 2010-05-26 ETH Z rich / LST / Mathias Payer 27

Recommend

Automatic Generation of Efficient Dynamic Binary Translators Fr ed eric P etrot, Luc

Automatic Generation of Efficient Dynamic Binary Translators Fr ed eric P etrot, Luc

Introduction DBT principle Design flow Intermediate Representation Generation Conclusion Automatic Generation of Efficient Dynamic Binary Translators Fr ed eric P etrot, Luc Michel and Nicolas Fournel Tima Laboratory , Grenoble,

686 views • 25 slides
Fast dynamic and partial reconfiguration Data Path with low Hardware overhead on Xilinx FPGAs

Fast dynamic and partial reconfiguration Data Path with low Hardware overhead on Xilinx FPGAs

Fast dynamic and partial reconfiguration Data Path with low Hardware overhead on Xilinx FPGAs with low Hardware overhead on Xilinx FPGAs Michael Hbner 1 , Diana Ghringer 2 , Juanjo Noguera 3 , Jrgen Becker 1 1 Karlsruhe Institute of

370 views • 16 slides
Analysis of Overhead in Dynamic Java Performance Monitoring Vojtch Hork, Jaroslav Kotr,

Analysis of Overhead in Dynamic Java Performance Monitoring Vojtch Hork, Jaroslav Kotr,

Analysis of Overhead in Dynamic Java Performance Monitoring Vojtch Hork, Jaroslav Kotr, Peter Libi and Petr Tma Charles University in Prague Context: Dynamic Monitoring of Production Systems Dynamic Monitoring of Production Systems

999 views • 61 slides
Type Systems: Big Idea Static vs. Dynamic Typing Expressiveness (+ Dynamic) Dont have

Type Systems: Big Idea Static vs. Dynamic Typing Expressiveness (+ Dynamic) Dont have

Type Systems: Big Idea Static vs. Dynamic Typing Expressiveness (+ Dynamic) Dont have to worry about types (+ Dynamic) Dependent on input (- Dynamic) Runtime overhead (- Dynamic) Serve as documentation (+ Static)

572 views • 24 slides
PAGURUS: Low-Overhead Dynamic Information Flow Tracking on Loosely Coupled Accelerators Luca

PAGURUS: Low-Overhead Dynamic Information Flow Tracking on Loosely Coupled Accelerators Luca

ACM/IEEE CODES+ISSS 2018, Turin, Italy PAGURUS: Low-Overhead Dynamic Information Flow Tracking on Loosely Coupled Accelerators Luca Piccolboni, Giuseppe Di Guglielmo and Luca P. Carloni Columbia University, NY, USA Systems-on-Chip (SoCs) Are

851 views • 50 slides
Reconfiguration Overhead in Dynamic Task-Based Implementations on FPGAs Padmini Nagaraj

Reconfiguration Overhead in Dynamic Task-Based Implementations on FPGAs Padmini Nagaraj

Reconfiguration Overhead in Dynamic Task-Based Implementations on FPGAs Padmini Nagaraj University of California, Berkeley, Distributed Mentor Program, Researcher Summer 2004 Professor Elaheh Bozorgzadeh University of California, Irvine,

415 views • 13 slides
Generating Top-N Recommendations from Binary Profile Data Michael Hahsler Marketing Research and

Generating Top-N Recommendations from Binary Profile Data Michael Hahsler Marketing Research and

Generating Top-N Recommendations from Binary Profile Data Michael Hahsler Marketing Research and e-Business Adviser Hall Financial Group, Frisco, Texas, USA Hall Wines, St. Helena, California, USA Berufungsvortrag Wirtschaftsinformatik,

721 views • 38 slides
Algorithms Theory 14 Dynamic Programming (3) Optimal binary search trees Prof. Dr. S.

Algorithms Theory 14 Dynamic Programming (3) Optimal binary search trees Prof. Dr. S.

Algorithms Theory 14 Dynamic Programming (3) Optimal binary search trees Prof. Dr. S. Albers Winter term 07/08 Method of dynamic programming Recursive approach: Solve a problem by solving several smaller analogous subproblems of the same

559 views • 16 slides
Neutrino-driven explosions of ultra-stripped type Ic supernovae generating binary neutron stars

Neutrino-driven explosions of ultra-stripped type Ic supernovae generating binary neutron stars

Neutrino-driven explosions of ultra-stripped type Ic supernovae generating binary neutron stars Yudai Suwa 1, 2 1 Yukawa Institute for Theoretical Physics, Kyoto U. 2 Max Planck Institute for Astrophysics, Garching Collaboration with: T. Yoshida,

199 views • 18 slides
Reconfiguration Overhead in Dynamic Task-Based Implementations on FPGAs Padmini Nagaraj UCB,

Reconfiguration Overhead in Dynamic Task-Based Implementations on FPGAs Padmini Nagaraj UCB,

Reconfiguration Overhead in Dynamic Task-Based Implementations on FPGAs Padmini Nagaraj UCB, Distributed Mentor Program, Researcher Summer 2004 Professor Elaheh Bozorgzadeh UCI, Distributed Mentor Program, Mentor Outline I. Introduction

607 views • 27 slides
An Ontological Approach for Generating Useful Discrete-Event Dynamic System Models Ken Keefe PhD

An Ontological Approach for Generating Useful Discrete-Event Dynamic System Models Ken Keefe PhD

An Ontological Approach for Generating Useful Discrete-Event Dynamic System Models Ken Keefe PhD Qualifying Examination - 2020 Talk Overview Introduction Problem Description Manual Model Development Approach Ontologies and

623 views • 26 slides
Binary Search Trees ! A data structures with efficient support for many dynamic set operations:

Binary Search Trees ! A data structures with efficient support for many dynamic set operations:

Binary Search Trees ! A data structures with efficient support for many dynamic set operations: Search/Find Minimum/findMin Maximum/findMax Binary Search Trees Predecessor Successor Insert Delete/Remove ! All

83 views • 4 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
HI-CFG: Construction by Dynamic Binary Analysis, and Application to Attack Polymorphism Dan

HI-CFG: Construction by Dynamic Binary Analysis, and Application to Attack Polymorphism Dan

HI-CFG: Construction by Dynamic Binary Analysis, and Application to Attack Polymorphism Dan Caselden, Alex Bazhanyuk, Mathias Payer , Stephen McCamant, Dawn Song, UC Berkeley Recovering Information Knowledge of information (data) flow and

694 views • 32 slides
Tiddle: A Trace Description Language for Generating Concurrent Benchmarks to Test Dynamic

Tiddle: A Trace Description Language for Generating Concurrent Benchmarks to Test Dynamic

Tiddle: A Trace Description Language for Generating Concurrent Benchmarks to Test Dynamic Analyses Caitlin Sadowski Jaeheon Yi July 20, 2009 University of California at Santa Cruz Monday, July 20, 2009 1 Some

570 views • 28 slides
Generating Model Transformations for Mending Dynamic Constraint Violations in Cyber Physical

Generating Model Transformations for Mending Dynamic Constraint Violations in Cyber Physical

Arizona s First University. Generating Model Transformations for Mending Dynamic Constraint Violations in Cyber Physical Systems Sean Whitsitt and Jonathan Sprinkle Introduction: Cyber Physical Systems Electrical and Computer Engineering

599 views • 23 slides
ATA Conference 2011 1 ATA Conference 2011 2 In case you wonder: I.I.A.B.D.F.I. = If it ain't

ATA Conference 2011 1 ATA Conference 2011 2 In case you wonder: I.I.A.B.D.F.I. = If it ain't

SESSION ABSTRACT: The completely redesigned Trados Studio 2009 offers several efficient new features. However, its incomplete backwards compatibility keeps many translators and LSPs from upgrading, and even those translators who upgrade seem to

410 views • 13 slides
Binary Rewriting at Runtime for Efficient Dynamic Domain Map Implementations 3 rd CHIUW Workshop,

Binary Rewriting at Runtime for Efficient Dynamic Domain Map Implementations 3 rd CHIUW Workshop,

Technische Universitt Mnchen Binary Rewriting at Runtime for Efficient Dynamic Domain Map Implementations 3 rd CHIUW Workshop, Chicago, May 27, 2016 Josef Weidendorfer, Jens Breitbart Chair for Computer Architecture Department of

258 views • 8 slides
BSP-Net: Generating Compact Meshes via Binary Space Partitioning Zhiqin Chen Andrea Tagliasacchi

BSP-Net: Generating Compact Meshes via Binary Space Partitioning Zhiqin Chen Andrea Tagliasacchi

BSP-Net: Generating Compact Meshes via Binary Space Partitioning Zhiqin Chen Andrea Tagliasacchi Hao (Richard) Zhang Simon Fraser University Google Research Simon Fraser University Presented by Zhiqin

544 views • 33 slides
Dynamic Binary Instrumentation: Introduction to Pin Instrumentation A technique that injects

Dynamic Binary Instrumentation: Introduction to Pin Instrumentation A technique that injects

Dynamic Binary Instrumentation: Introduction to Pin Instrumentation A technique that injects instrumentation code into a binary to collect run-time information 2 Instrumentation A technique that injects instrumentation code into a binary to

773 views • 46 slides
Goals for Today Learning Objective: Understand challenges in Static/Dynamic Binary

Goals for Today Learning Objective: Understand challenges in Static/Dynamic Binary

Goals for Today Learning Objective: Understand challenges in Static/Dynamic Binary Translation Announcements, etc: Midterm debrief forthcoming on Friday MP2 extension: now due on March 23rd Reminder : Please put away devices

684 views • 12 slides
Recursive Definitions Generating Functions Lecture 18 Generating Functions A generating

Recursive Definitions Generating Functions Lecture 18 Generating Functions A generating

Recursive Definitions Generating Functions Lecture 18 Generating Functions A generating function is an alternate representation of an infinite sequence, which allows making useful deductions about the sequence (including, possibly, a closed

865 views • 17 slides
Instrew: Leveraging LLVM for High Performance Dynamic Binary Instrumentation Alexis Engelke

Instrew: Leveraging LLVM for High Performance Dynamic Binary Instrumentation Alexis Engelke

Instrew: Leveraging LLVM for High Performance Dynamic Binary Instrumentation Alexis Engelke Martin Schulz Chair of Computer Architecture and Parallel Systems TUM Department of Informatics Technical University of Munich VEE 2020, virtual

396 views • 25 slides
Dynamic Binary Optimization Introduction Application profiling Optimizing translation

Dynamic Binary Optimization Introduction Application profiling Optimizing translation

Dynamic Binary Optimization Introduction Application profiling Optimizing translation blocks Compatibility Code reordering Other code optimizations 1 EECS 768 Virtual Machines Optimization Overview Identify frequently

822 views • 40 slides

More recommend