using hardware performance events for instruction level
play

Using Hardware Performance Events for Instruction-Level Monitoring - PowerPoint PPT Presentation

Feb 18, 2024 •49 likes •759 views

Using Hardware Performance Events for Instruction-Level Monitoring on the x86 Architecture Sebastian Vogl and Claudia Eckert {vogls,eckertc}@in.tum.de Chair for IT Security Technische Universitt Mnchen Munich, Germany 10.04.2012 S. Vogl

  1. Using Hardware Performance Events for Instruction-Level Monitoring on the x86 Architecture Sebastian Vogl and Claudia Eckert {vogls,eckertc}@in.tum.de Chair for IT Security Technische Universität München Munich, Germany 10.04.2012 S. Vogl and C. Eckert (TUM) 10.04.2012 1 / 42

  2. Outline Motivation 1 Performance Monitoring Counters (PMCs) 2 PMC-based Instruction-level Monitoring (ILM) 3 Experiments & Results 4 Summary 5 S. Vogl and C. Eckert (TUM) 10.04.2012 2 / 42

  3. Outline Motivation 1 Performance Monitoring Counters (PMCs) 2 PMC-based Instruction-level Monitoring (ILM) 3 Experiments & Results 4 Summary 5 S. Vogl and C. Eckert (TUM) 10.04.2012 3 / 42

  4. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? My Research Make use of full hardware virtualization to detect malware infections and exploitation attempts . S. Vogl and C. Eckert (TUM) 10.04.2012 4 / 42

  5. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Stack main DATA 400707: call 400584 <vulnerable> 40070c: mov 0x0, %EAX vulnerable 400584: push %rbp 400585: mov %rsp,%rbp 400588: sub $0x20,%rsp <vulnerable code> 4006b2: leave 4006b3: ret S. Vogl and C. Eckert (TUM) 10.04.2012 5 / 42

  6. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Stack main DATA 400707: call 400584 <vu 0x40070c (RET) vuln lner erab able le> 40070c: mov 0x0, %EAX vulnerable 400584: push %rbp 400585: mov %rsp,%rbp 400588: sub $0x20,%rsp <vulnerable code> 4006b2: leave 4006b3: ret S. Vogl and C. Eckert (TUM) 10.04.2012 6 / 42

  7. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Stack main DATA 400707: call 400584 <vulnerable> 0x40070c (RET) 40070c: mov 0x0, %EAX RBP vulnerable 400584: push %rbp 400585: mov %rsp,%rbp 400588: sub $0x20,%rsp <vulnerable code> 4006b2: leave 4006b3: ret S. Vogl and C. Eckert (TUM) 10.04.2012 7 / 42

  8. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Stack main DATA 400707: call 400584 <vulnerable> 0x40070c (RET) 40070c: mov 0x0, %EAX RBP vulnerable 400584: push %rbp 400585: mov %rsp,% ,%rbp 400588: sub $0x20,%rsp <vulnerable code> 4006b2: leave 4006b3: ret S. Vogl and C. Eckert (TUM) 10.04.2012 8 / 42

  9. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Stack main DATA 400707: call 400584 <vulnerable> 0x40070c (RET) 40070c: mov 0x0, %EAX RBP BUFFER vulnerable 400584: push %rbp 400585: mov %rsp,%rbp 400588: sub $0x20,%rsp <vulnerable code> 4006b2: leave 4006b3: ret S. Vogl and C. Eckert (TUM) 10.04.2012 9 / 42

  10. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Stack main * /bin/bash DATA exit 400707: call 400584 <vulnerable> system 40070c: mov 0x0, %EAX DATA (EBP) vulnerable DATA 400584: push %rbp 400585: mov %rsp,%rbp 400588: sub $0x20,%rsp <vulnerable code> 4006b2: leave 4006b3: ret S. Vogl and C. Eckert (TUM) 10.04.2012 10 / 42

  11. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Stack main * /bin/bash DATA exit 400707: call 400584 <vulnerable> system 40070c: mov 0x0, %EAX DATA (EBP) vulnerable 400584: push %rbp 400585: mov %rsp,%rbp 400588: sub $0x20,%rsp <vulnerable code> 4006b2: : leave 4006b3: ret S. Vogl and C. Eckert (TUM) 10.04.2012 11 / 42

  12. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Stack main * /bin/bash DATA exit 400707: call 400584 <vulnerable> 40070c: mov 0x0, %EAX system vulnerable 400584: push %rbp 400585: mov %rsp,%rbp 400588: sub $0x20,%rsp <vulnerable code> 4006b2: leave 4006b3: ret system S. Vogl and C. Eckert (TUM) 10.04.2012 12 / 42

  13. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? One possible Solution Make use of a Shadow Stack to verify the target of return instructions. S. Vogl and C. Eckert (TUM) 10.04.2012 13 / 42

  14. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Stack main DATA 400707: call 400584 <vulnerable> 40070c: mov 0x0, %EAX vulnerable 400584: push %rbp 400585: mov %rsp,%rbp 400588: sub $0x20,%rsp <vulnerable code> Shadow Stack 4006b2: leave 4006b3: ret S. Vogl and C. Eckert (TUM) 10.04.2012 14 / 42

  15. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Stack main DATA 400707: call 400584 <vu 0x40070c (RET) vuln lner erab able le> 40070c: mov 0x0, %EAX vulnerable 400584: push %rbp 400585: mov %rsp,%rbp 400588: sub $0x20,%rsp <vulnerable code> Shadow Stack 4006b2: leave 4006b3: ret 0x40070c (RET) S. Vogl and C. Eckert (TUM) 10.04.2012 15 / 42

  16. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Stack main * /bin/bash DATA exit 400707: call 400584 <vu vuln lner erab able le> 40070c: mov 0x0, %EAX system vulnerable 400584: push %rbp 400585: mov %rsp,%rbp 400588: sub $0x20,%rsp <vulnerable code> Shadow Stack 4006b2: leave 4006b3: ret 0x40070c (RET) system EIP: system S. Vogl and C. Eckert (TUM) 10.04.2012 16 / 42

  17. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Observation A Shadow Stack for return addresses can be implemented on the hypervisor-level by only trapping call and return instructions. S. Vogl and C. Eckert (TUM) 10.04.2012 17 / 42

  18. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Observation A Shadow Stack for return addresses can be implemented on the hypervisor-level by only trapping call and return instructions. ILM Requirements Based on full hardware virtualization 1 S. Vogl and C. Eckert (TUM) 10.04.2012 17 / 42

  19. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Observation A Shadow Stack for return addresses can be implemented on the hypervisor-level by only trapping call and return instructions. ILM Requirements Based on full hardware virtualization 1 Secure 2 S. Vogl and C. Eckert (TUM) 10.04.2012 17 / 42

  20. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Observation A Shadow Stack for return addresses can be implemented on the hypervisor-level by only trapping call and return instructions. ILM Requirements Based on full hardware virtualization 1 Secure 2 Flexible 3 S. Vogl and C. Eckert (TUM) 10.04.2012 17 / 42

  21. Motivation ▸ Why a new ILM mechanism? Existing Approaches Page-Fault (PF) -based ILM 1 Debug Register (DR) -based ILM 2 Trap Flag (TF) -based ILM 3 S. Vogl and C. Eckert (TUM) 10.04.2012 18 / 42

  22. Motivation ▸ Why a new ILM mechanism? Existing Approaches Page-Fault (PF) -based ILM 1 Debug Register (DR) -based ILM 2 3 Trap Flag (TF)-based ILM S. Vogl and C. Eckert (TUM) 10.04.2012 19 / 42

  23. Motivation ▸ Why a new ILM mechanism? Existing Approaches Page-Fault (PF) -based ILM 1 Debug Register (DR) -based ILM 2 3 Trap Flag (TF)-based ILM ▸ Insecure S. Vogl and C. Eckert (TUM) 10.04.2012 19 / 42

  24. Motivation ▸ Why a new ILM mechanism? Existing Approaches Page-Fault (PF) -based ILM 1 Debug Register (DR) -based ILM 2 3 Trap Flag (TF)-based ILM ▸ Insecure ▸ Incomplete S. Vogl and C. Eckert (TUM) 10.04.2012 19 / 42

  25. Motivation ▸ Why a new ILM mechanism? Existing Approaches Page-Fault (PF) -based ILM 1 Debug Register (DR) -based ILM 2 3 Trap Flag (TF)-based ILM ▸ Insecure ▸ Incomplete ▸ Inflexible S. Vogl and C. Eckert (TUM) 10.04.2012 19 / 42

  26. Motivation ▸ Why a new ILM mechanism? Existing Approaches Page-Fault (PF) -based ILM 1 Debug Register (DR) -based ILM 2 3 Trap Flag (TF)-based ILM ▸ Insecure ▸ Incomplete ▸ Inflexible ⇒ None of the existing methods can provide the desired flexbility . S. Vogl and C. Eckert (TUM) 10.04.2012 19 / 42

  27. Outline Motivation 1 Performance Monitoring Counters (PMCs) 2 PMC-based Instruction-level Monitoring (ILM) 3 Experiments & Results 4 Summary 5 S. Vogl and C. Eckert (TUM) 10.04.2012 20 / 42

  28. Performance Monitoring Counters (PMCs) ▸ Overview Performance Monitoring on the x86 architecture Performance Events S. Vogl and C. Eckert (TUM) 10.04.2012 21 / 42

  29. Performance Monitoring Counters (PMCs) ▸ Overview Performance Monitoring on the x86 architecture Performance Events PMCs that count these events S. Vogl and C. Eckert (TUM) 10.04.2012 21 / 42

  30. Performance Monitoring Counters (PMCs) ▸ Overview Performance Monitoring on the x86 architecture Performance Events PMCs that count these events ▸ Which event is counted can be programmed. S. Vogl and C. Eckert (TUM) 10.04.2012 21 / 42

  31. Performance Monitoring Counters (PMCs) ▸ Overview Performance Monitoring on the x86 architecture Performance Events PMCs that count these events ▸ Which event is counted can be programmed. ▸ Can be set to raise an interrupt on overflow. S. Vogl and C. Eckert (TUM) 10.04.2012 21 / 42

  32. Performance Monitoring Counters (PMCs) ▸ Performance Events All instructions ▸ All branch instructions ▸ All conditional branch instructions ▸ All near call instructions ▸ All near return instructions ▸ All far branch instructions ▸ S. Vogl and C. Eckert (TUM) 10.04.2012 22 / 42

  33. Outline Motivation 1 Performance Monitoring Counters (PMCs) 2 PMC-based Instruction-level Monitoring (ILM) 3 Experiments & Results 4 Summary 5 S. Vogl and C. Eckert (TUM) 10.04.2012 23 / 42

Recommend

CS356 Unit 4 x86 Instruction Set 4.2 Why Learn Assembly Understand hardware limitations

CS356 Unit 4 x86 Instruction Set 4.2 Why Learn Assembly Understand hardware limitations

4.1 CS356 Unit 4 x86 Instruction Set 4.2 Why Learn Assembly Understand hardware limitations Understand performance Use HW options that high-level languages don't allow (e.g., operating systems, utilizing special HW features, etc.)

1.11k views • 94 slides
Instruction Set Design Instruction Set Architecture: to what purpose? ISA provides the level

Instruction Set Design Instruction Set Architecture: to what purpose? ISA provides the level

Instruction Set Design Instruction Set Architecture: to what purpose? ISA provides the level of abstraction between the software and the hardware One of the most important abstraction in CS Its narrow, well-defined, and mostly

401 views • 39 slides
PERFORMANCE OPTIMISATION Adrian Jackson adrianj@epcc.ed.ac.uk Hardware design Image from Colfax

PERFORMANCE OPTIMISATION Adrian Jackson adrianj@epcc.ed.ac.uk Hardware design Image from Colfax

PERFORMANCE OPTIMISATION Adrian Jackson adrianj@epcc.ed.ac.uk Hardware design Image from Colfax training material Pipeline Simple five stage pipeline: 1. Instruction fetch get instruction from instruction cache 2. Instruction decode

759 views • 44 slides
PERFORMANCE OPTIMISATION Adrian Jackson adrianj@epcc.ed.ac.uk @adrianjhpc Hardware design

PERFORMANCE OPTIMISATION Adrian Jackson adrianj@epcc.ed.ac.uk @adrianjhpc Hardware design

PERFORMANCE OPTIMISATION Adrian Jackson adrianj@epcc.ed.ac.uk @adrianjhpc Hardware design Image from Colfax training material Pipeline Simple five stage pipeline: 1. Instruction fetch get instruction from instruction cache 2.

966 views • 44 slides
Overview Instruction level parallelism Dynamic Scheduling Techniques Scoreboarding

Overview Instruction level parallelism Dynamic Scheduling Techniques Scoreboarding

Overview Instruction level parallelism Dynamic Scheduling Techniques Scoreboarding Chapter 2 Tomasulos Algorithm Reducing Branch Cost with Dynamic Hardware Reducing Branch Cost with Dynamic Hardware Prediction

274 views • 6 slides
Introduction CPU performance factors Instruction count

Introduction CPU performance factors Instruction count

Morgan Kaufmann Publishers 22 March, 2012 4.1 Introduction Introduction CPU performance factors Instruction count Determined by ISA and compiler CPI and Cycle time Determined by CPU hardware

959 views • 22 slides
Instruction-Level Parallelism (ILP) Fine-grained parallelism Obtained by: instruction

Instruction-Level Parallelism (ILP) Fine-grained parallelism Obtained by: instruction

Instruction-Level Parallelism (ILP) Fine-grained parallelism Obtained by: instruction overlap in a pipeline executing instructions in parallel (later, with multiple instruction issue) ILP hindered by: data dependence : arises

340 views • 21 slides
ProfileMe : Hardware-Support for Instruction-Level Profiling on Out-of-Order Processors Jeffrey

ProfileMe : Hardware-Support for Instruction-Level Profiling on Out-of-Order Processors Jeffrey

ProfileMe : Hardware-Support for Instruction-Level Profiling on Out-of-Order Processors Jeffrey Dean Jamey Hicks Carl Waldspurger Jeffrey Dean Jamey Hicks Carl Waldspurger William Weihl George Chrysos Digital

340 views • 21 slides
Chapter 3 Instruction-Level Parallelism and its Exploitation (Part 3) ILP vs. Parallel

Chapter 3 Instruction-Level Parallelism and its Exploitation (Part 3) ILP vs. Parallel

Chapter 3 Instruction-Level Parallelism and its Exploitation (Part 3) ILP vs. Parallel Computers Dynamic Scheduling (Section 3.4, 3.5) Dynamic Branch Prediction (Section 3.3, 3.9, and Appendix C) Hardware Speculation and Precise Interrupts

656 views • 28 slides
Chapter 3 Instruction-Level Parallelism and its Exploitation (Part 3) ILP vs. Parallel

Chapter 3 Instruction-Level Parallelism and its Exploitation (Part 3) ILP vs. Parallel

Chapter 3 Instruction-Level Parallelism and its Exploitation (Part 3) ILP vs. Parallel Computers Dynamic Scheduling (Section 3.4, 3.5) Dynamic Branch Prediction (Section 3.3, 3.9, and Appendix C) Hardware Speculation and Precise Interrupts

733 views • 24 slides
Instruction Set Architecture 9/20/16 Overview How to directly interact with hardware

Instruction Set Architecture 9/20/16 Overview How to directly interact with hardware

Instruction Set Architecture 9/20/16 Overview How to directly interact with hardware Instruction set architecture (ISA) Interface between programmer and CPU Established instruction format (assembly lang) Assembly programming

696 views • 45 slides
LogCA: A High-Level Performance Model for Hardware Accelerators Muhammad Shoaib Bin Altaf* David

LogCA: A High-Level Performance Model for Hardware Accelerators Muhammad Shoaib Bin Altaf* David

Everything should be made as simple as possible, but not simplerAlbert Einstein LogCA: A High-Level Performance Model for Hardware Accelerators Muhammad Shoaib Bin Altaf* David A. Wood University of Wisconsin-Madison * Now at AMD Research,

329 views • 19 slides
Motivations Instruction cache (icache) misses can FICO drastically decrease code performance a

Motivations Instruction cache (icache) misses can FICO drastically decrease code performance a

Motivations Instruction cache (icache) misses can FICO drastically decrease code performance a Fast Instruction Cache Optimizer The problem is even more important for 1-level direct mapped caches Author: Marco Garatti On Lx ST210 the icache

477 views • 4 slides
Lecture 3 Hardware and Software 3. Hardware and Softw are 4. High Level Languages 5.

Lecture 3 Hardware and Software 3. Hardware and Softw are 4. High Level Languages 5.

1. Introduction 2. Binary Representation Lecture 3 Hardware and Software 3. Hardware and Softw are 4. High Level Languages 5. Standard input and output Hardware has been defined as 6. Operators, expression and statem ents the

238 views • 3 slides
Hardware Support for Hardware Support for Out-of-Order Instruction Out-of-Order Instruction

Hardware Support for Hardware Support for Out-of-Order Instruction Out-of-Order Instruction

Hardware Support for Hardware Support for Out-of-Order Instruction Out-of-Order Instruction Profiling on Alpha 21264a Profiling on Alpha 21264a Lance Berc Berc &amp; Mark Vandevoorde &amp; Mark Vandevoorde Lance Joint work with: Jennifer

342 views • 21 slides
Chapter 2 Chapter 2 Instruction-Level Parallelism and Its Exploitation p 1 Overview

Chapter 2 Chapter 2 Instruction-Level Parallelism and Its Exploitation p 1 Overview

Chapter 2 Chapter 2 Instruction-Level Parallelism and Its Exploitation p 1 Overview Instruction level parallelism Dynamic Scheduling Techniques D namic Sched ling Techniq es Scoreboarding Tomasulos Algorithm

611 views • 36 slides
Chapter 2 Instruction-Level Parallelism and Its E Exploitation l it ti 1 Overview

Chapter 2 Instruction-Level Parallelism and Its E Exploitation l it ti 1 Overview

Chapter 2 Instruction-Level Parallelism and Its E Exploitation l it ti 1 Overview Instruction level parallelism Dynamic Scheduling Techniques Scoreboarding Tomasulos Algorithm Reducing Branch Cost with Dynamic

507 views • 18 slides
MLP yes! Definitions ILP no ! MLP ILP = Instruction Level = Memory Level Parallelism Work

MLP yes! Definitions ILP no ! MLP ILP = Instruction Level = Memory Level Parallelism Work

MLP yes! Definitions ILP no ! MLP ILP = Instruction Level = Memory Level Parallelism Work on memory level parallelism. Parallelism IPC metric misleading Stop worrying about IPC. = Number cache misses (Inst. per Clock) simultaneously

407 views • 8 slides
PerfMiner: Cluster-Wide Collection, Storage and Presentation of Application Level Hardware

PerfMiner: Cluster-Wide Collection, Storage and Presentation of Application Level Hardware

PerfMiner: Cluster-Wide Collection, Storage and Presentation of Application Level Hardware Performance Data Philip J. Mucci, Daniel Ahlin Lars Malinowski, Per Ekman, Johan Danielsson Center for Parallel Computers (PDC), Royal Institute of

880 views • 50 slides
Process Abstraction Physical Hardware Instruction Memory I/O Devices Set Registers MMU

Process Abstraction Physical Hardware Instruction Memory I/O Devices Set Registers MMU

Process Abstraction Physical Hardware Instruction Memory I/O Devices Set Registers MMU Virtual Memory Operating System System Calls CS 140 Lecture Notes: Virtual Machines Slide 1 Process Abstraction Physical Hardware Instruction

60 views • 4 slides
High Performance Hardware, High Performance Hardware, Memory &amp; CPU Memory &amp; CPU Step

High Performance Hardware, High Performance Hardware, Memory &amp; CPU Memory &amp; CPU Step

High Performance Hardware, High Performance Hardware, Memory &amp; CPU Memory &amp; CPU Step Back, Look Inside, Many Dont Insight, not numbers! Face real world 6 GB/s CPU B K 2 3 cache 2 GB Rubin H. Landau Rubin H. Landau RAM 2

671 views • 13 slides
Lecture 4: MIPS Instruction Set No class on Tuesday Todays topic: MIPS

Lecture 4: MIPS Instruction Set No class on Tuesday Todays topic: MIPS

Lecture 4: MIPS Instruction Set No class on Tuesday Todays topic: MIPS instructions Code examples 1 Instruction Set Understanding the language of the hardware is key to understanding the hardware/software interface

371 views • 24 slides
Unit 8: Superscalar Pipelines Then: Static &amp; dynamic scheduling Extract much more

Unit 8: Superscalar Pipelines Then: Static &amp; dynamic scheduling Extract much more

A Key Theme: Parallelism Previously: pipeline-level parallelism Work on execute of one instruction in parallel with decode of next CIS 501: Computer Architecture Next: instruction-level parallelism (ILP) Execute multiple independent

441 views • 7 slides
Hardware-Software Codesign 10. Performance Analysis of Distributed Embedded Systems Lothar

Hardware-Software Codesign 10. Performance Analysis of Distributed Embedded Systems Lothar

Hardware-Software Codesign 10. Performance Analysis of Distributed Embedded Systems Lothar Thiele 10 - 1 System Design Specification System Synthesis Estimation SW-Compilation Instruction Set HW-Synthesis Intellectual Intellectual

854 views • 59 slides

More recommend