Dataflow Analysis in Dyninst

Xiaozhu Meng

Presentation Transcript


  1. Dataflow Analysis in Dyninst
     Xiaozhu Meng

  2. Four Analyses in Dyninst
     • Liveness Analysis
        • Determine which registers are live at each instruction
     • Stack Analysis
        • Calculate the height of the stack frame at each instruction
     • Program Slicing
        • Identify the subset of the program that affects, or is affected by, a statement (or instruction)
     • Symbolic Evaluation
        • Derive a symbolic expression that represents the values of registers

  3. Why are they useful?
     • Liveness Analysis
        • Save fewer registers in code generation (DyninstAPI)
        • Save fewer registers when using the PatchAPI snippet interface (LLNL)
     • Stack Analysis
        • Return address checking (Emily Jacobson)
        • AnalysisStepper in StackwalkerAPI (ProcControlAPI integration)
     • Program Slicing and Symbolic Evaluation
        • BLR can be a return instruction or an indirect branch (ParseAPI)
        • Sensitivity resistance analysis (Andrew Bernat/Kevin Roundy)
        • Detect call stack tampering (Kevin Roundy)
        • Unstrip binaries (Emily Jacobson/Nathan Rosenblum)
        • Root-cause analysis (Ignacio Laguna@Purdue and LLNL)
        • Analyze memory access strides in loops (Xu Liu@Rice)

  4. Which registers are live?
        <factorial>
        push   %rbx
        mov    $0x1,%rax
        mov    %rdi,%rbx
        sub    $0x190,%rsp
        test   %rdi,%rdi
        je     basecase
        lea    -0x1(%rbx),%rdi
        mov    %rsp,%rsi
        callq  <factorial>
        imul   %rbx,%rax
     basecase:
        add    $0x190,%rsp
        pop    %rbx
        retq

  5. What is the Height of the Stack Frame?
        <foo>
        sub    $0x10,%esp
        movl   $0x1,0xc(%esp)
        cmpl   $0xa,0x14(%esp)
        jle    done
        sub    $0x10,%esp
        mov    0x24(%esp),%eax
        mov    %eax,0x18(%esp)
        mov    %eax,0x1c(%esp)
        add    $0x10,%esp
     done:
        mov    0xc(%esp),%eax
        add    $0x10,%esp
        ret
     [Stack diagram with labels: 0x14, 0x24, 0x14, Ret Addr, Return address, Ret Addr, 0x4, Parameter]

  6. Slice on an Instruction
     Full function:
        stwu   r1,-16(r1)
        lis    r9,4097
        mflr   r0
        addi   r3,r9,28404
        stw    r0,20(r1)
        lwz    r0,28404(r9)
        cmpwi  cr7,r0,0
        beq-   cr7,10002d38
        lis    r9,0
        addi   r9,r9,0
        cmpwi  cr7,r9,0
        beq-   cr7,10002d38
        mtctr  r9
        bctrl
        lwz    r0,20(r1)
        addi   r1,r1,16
        mtlr   r0
        blr
     Slice on the final blr:
        mflr   r0
        stw    r0,20(r1)
        lwz    r0,20(r1)
        mtlr   r0
        blr

  7. Symbolically Evaluate a Function
        <sum>
        mov    0xc(%ebp),%eax          eax=0xc(%ebp)=P2
        mov    0x8(%ebp),%edx          edx=0x8(%ebp)=P1
        lea    (%edx,%eax,1),%eax      eax=eax+edx=P1+P2
        mov    %eax,-0xc(%ebp)
        mov    0x10(%ebp),%eax         eax=0x10(%ebp)=P3
        mov    0xc(%ebp),%edx          edx=0xc(%ebp)=P2
        lea    (%edx,%eax,1),%eax      eax=eax+edx=P2+P3
        mov    %eax,-0x8(%ebp)
        mov    -0x8(%ebp),%eax         eax=-0x8(%ebp)=P2+P3
        mov    -0xc(%ebp),%edx         edx=-0xc(%ebp)=P1+P2
        lea    (%edx,%eax,1),%eax      eax=eax+edx=P1+2P2+P3
        sub    0xc(%ebp),%eax          eax=eax-0xc(%ebp)=(P1+2P2+P3)-P2=P1+P2+P3
        mov    %eax,-0x4(%ebp)
        ret
     [Stack diagram: slots labelled P1, P2, P3, P1+P2, P2+P3, P1+2P2+P3, P1+P2+P3]
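The evaluation on this slide, worked in a small Python evaluator added here (it is not Dyninst's SymEval): values are linear expressions over P1, P2, P3 kept as {symbol: coefficient} dicts, the listing is a constructed copy of <sum>, and the argument slots 0x8(%ebp), 0xc(%ebp), 0x10(%ebp) are assumed to hold P1, P2, P3 as the slide labels them.

```python
import re
# Constructed copy of the <sum> listing from the slide, AT&T syntax.
SUM_ASM = """mov 0xc(%ebp),%eax
mov 0x8(%ebp),%edx
lea (%edx,%eax,1),%eax
mov %eax,-0xc(%ebp)
mov 0x10(%ebp),%eax
mov 0xc(%ebp),%edx
lea (%edx,%eax,1),%eax
mov %eax,-0x8(%ebp)
mov -0x8(%ebp),%eax
mov -0xc(%ebp),%edx
lea (%edx,%eax,1),%eax
sub 0xc(%ebp),%eax
mov %eax,-0x4(%ebp)
ret"""

def add(a, b, sign=1):
    """Return a + sign*b for linear expressions held as {symbol: coefficient}."""
    out = dict(a)
    for sym, coeff in b.items():
        out[sym] = out.get(sym, 0) + sign * coeff
    return {sym: c for sym, c in out.items() if c}

def fmt(expr):
    """Render {'P1': 1, 'P2': 2, 'P3': 1} in the slide's notation, 'P1+2P2+P3'."""
    return "+".join(f"{c if c != 1 else ''}{s}" for s, c in sorted(expr.items()))

def key(op):
    """State key for an operand: the register name, or its displacement off %ebp."""
    return op if op.startswith("%") else int(op.split("(")[0], 16)

def symeval(asm, params):
    """Forward symbolic evaluation; returns (final state, per-instruction trace).
    Stack arguments 0x8(%ebp), 0xc(%ebp), 0x10(%ebp) start out as P1, P2, P3."""
    state = {8 + 4 * i: {p: 1} for i, p in enumerate(params)}
    trace = []
    for line in asm.splitlines()[:-1]:   # stop before the final ret, which writes nothing
        mnem, _, operands = line.partition(" ")
        src, dst = re.split(r",(?![^(]*\))", operands)  # split at the comma outside ()
        if mnem == "lea":   # lea (%base,%index,1),%dst  computes  dst = base + index
            base, index = re.fullmatch(r"\((%\w+),(%\w+),1\)", src).groups()
            val = add(state[base], state[index])
        elif mnem == "sub":
            val = add(state[key(dst)], state[key(src)], -1)
        else:               # mov
            val = state[key(src)]
        state[key(dst)] = val
        trace.append(f"{dst}={fmt(val)}")
    return state, trace
```

Running `symeval(SUM_ASM, ["P1", "P2", "P3"])` reproduces the slide's annotations step by step and ends with eax = P1+P2+P3 stored at -0x4(%ebp).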

  8. Dyninst Components
     • Instruction API
     • Symtab API
     • Parse API
     • Dataflow API
     • DynC
     • Stack Walker API
     • Proc Control API
     • Patch API
     • Codegen
     (each is a Dyninst component)

  9. class LivenessAnalyzer
        bool query(ParseAPI::Location, Type, bitArray&);
           Return liveness as a bitArray for the given location
        int getIndex(MachRegister);
           Get the index of the given MachRegister in the bitArray
        bool query(ParseAPI::Location, Type, MachRegister, bool&);
           Return liveness as a bool at the given location for the given register

  10. Saving Fewer Registers
        <factorial>
        push   %rbx
        mov    $0x1,%rax
        mov    %rdi,%rbx
        sub    $0x190,%rsp
        test   %rdi,%rdi
        je     basecase
        lea    -0x1(%rbx),%rdi
        mov    %rsp,%rsi
        callq  <factorial>
        imul   %rbx,%rax
     basecase:
        add    $0x190,%rsp
        pop    %rbx
        retq
     Snippet inserted by instrumentation:
        pushf
        add $0x1 [601001]
        popf
     We only need to save registers that are both written by snippets and live.

  11. Liveness Analysis Code Example
        ParseAPI::Location loc(FuncEntry(func));
        LivenessAnalyzer live(ADDR_LEN_X86_64);
        bool flagLive;
        if (live.query(loc, ParseAPI::Before, x86_64::flags, flagLive)) {
            if (flagLive) {
                SaveFlag();
            }
        }
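An added Python re-implementation of the backward liveness computation behind the query above; it is not Dyninst's LivenessAnalyzer and tracks only six registers. The instruction table is constructed from the <factorial> listing (slides 4 and 10), the effects of callq/retq are assumed from the System V x86-64 ABI, and the result shows why a flags-only snippet needs no pushf/popf at the function entry.

```python
# Each instruction of <factorial> is modelled as (text, reads, writes, successors).
# Constructed model; callq/retq follow the System V x86-64 ABI (arguments in
# rdi/rsi, result in rax, rbx callee-saved, flags and rsi/rdi clobbered by the call).
FACTORIAL = [
    ("push %rbx",           {"rbx", "rsp"},         {"rsp"},           [1]),
    ("mov $0x1,%rax",       set(),                  {"rax"},           [2]),
    ("mov %rdi,%rbx",       {"rdi"},                {"rbx"},           [3]),
    ("sub $0x190,%rsp",     {"rsp"},                {"rsp", "flags"},  [4]),
    ("test %rdi,%rdi",      {"rdi"},                {"flags"},         [5]),
    ("je basecase",         {"flags"},              set(),             [6, 10]),
    ("lea -0x1(%rbx),%rdi", {"rbx"},                {"rdi"},           [7]),
    ("mov %rsp,%rsi",       {"rsp"},                {"rsi"},           [8]),
    ("callq <factorial>",   {"rdi", "rsi", "rsp"},  {"rax", "rdi", "rsi", "flags"}, [9]),
    ("imul %rbx,%rax",      {"rbx", "rax"},         {"rax", "flags"},  [10]),
    ("add $0x190,%rsp",     {"rsp"},                {"rsp", "flags"},  [11]),  # basecase:
    ("pop %rbx",            {"rsp"},                {"rbx", "rsp"},    [12]),
    ("retq",                {"rax", "rbx", "rsp"},  set(),             []),
]

def liveness(insns):
    """Backward fixpoint: live_in[i] = reads | (live_out[i] - writes)."""
    live_in = [set() for _ in insns]
    changed = True
    while changed:
        changed = False
        for i in reversed(range(len(insns))):
            _, reads, writes, succs = insns[i]
            live_out = set().union(*(live_in[s] for s in succs))
            new = reads | (live_out - writes)
            if new != live_in[i]:
                live_in[i], changed = new, True
    return live_in

def registers_to_save(insns, idx, snippet_writes):
    """Slide 10's rule: a snippet inserted before insns[idx] must save only the
    registers it writes that are live there (the ParseAPI::Before query)."""
    return snippet_writes & liveness(insns)[idx]

if __name__ == "__main__":
    live = liveness(FACTORIAL)
    for i, (text, *_) in enumerate(FACTORIAL):
        print(f"{i:2} {text:22} live before: {sorted(live[i])}")
    # A snippet that only changes flags (add $0x1 [601001]) needs no pushf/popf at entry.
    print("save at entry:", registers_to_save(FACTORIAL, 0, {"flags"}))
```

At the entry the live set is {rbx, rdi, rsp}: `test %rdi,%rdi` overwrites the flags before `je` reads them, so the flags query returns false and SaveFlag() is skipped, whereas a snippet placed just before the `je` would have to save them.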

  12. class StackAnalysis
     Height represents integer values or “unknown”
        Height findSP(ParseAPI::Location, Type);
           Get the height of the stack pointer
        Height find(ParseAPI::Location, Type, MachRegister);
           Get the height of an alias of the stack pointer

  13. Checking Return Address
     • Some attacks change the return address to force programs to return to malicious code.
     • Stack analysis identifies the return address, enabling other analyses to check its validity.
     [Diagram labels: sp, Original Code, Attack!, Height, Return Address, Malicious Code]

  14. Checking Return Address
        StackAnalysis sa(func);
        ParseAPI::Location loc(func, block, currAddr);
        StackAnalysis::Height height;
        height = sa.findSP(loc, ParseAPI::Before);
        if (height.isBottom()) return;
        Address retAddr;
        retAddr = getStackContent(getSP() + height.val());
        if (isNotCallerReturnAddr(retAddr)) reportAttack();
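An added Python model (not Dyninst's StackAnalysis) of the forward height analysis over the <foo> listing from slide 5, with the return-address check from this slide built on top of it. The sign convention (height grows as the function pushes below the entry %esp, so the return slot is at esp + height) and the sample stack contents are this example's own assumptions.

```python
# Forward dataflow over <foo>: the height of %esp before each instruction.
# Convention for this example: height = bytes pushed below the entry %esp,
# so the caller's return address sits at esp + height (slide 14's formula).
UNKNOWN = "unknown"   # Dyninst's bottom value: incoming paths disagree

FOO = [   # (text, change in height after executing, successor indices)
    ("sub $0x10,%esp",        16, [1]),
    ("movl $0x1,0xc(%esp)",    0, [2]),
    ("cmpl $0xa,0x14(%esp)",   0, [3]),
    ("jle done",               0, [4, 9]),
    ("sub $0x10,%esp",        16, [5]),
    ("mov 0x24(%esp),%eax",    0, [6]),
    ("mov %eax,0x18(%esp)",    0, [7]),
    ("mov %eax,0x1c(%esp)",    0, [8]),
    ("add $0x10,%esp",       -16, [9]),
    ("mov 0xc(%esp),%eax",     0, [10]),   # done:
    ("add $0x10,%esp",       -16, [11]),
    ("ret",                    0, []),
]

def meet(a, b):
    """Join heights at a merge point: equal values survive, else UNKNOWN."""
    if a is None:            # first path to reach this instruction
        return b
    return a if a == b else UNKNOWN

def stack_heights(insns):
    """Height before each instruction (None = not reached), via a worklist."""
    before = [None] * len(insns)
    before[0], worklist = 0, [0]
    while worklist:
        i = worklist.pop()
        after = UNKNOWN if before[i] == UNKNOWN else before[i] + insns[i][1]
        for s in insns[i][2]:
            merged = meet(before[s], after)
            if merged != before[s]:
                before[s] = merged
                worklist.append(s)
    return before

def check_return_address(insns, idx, esp, memory, caller_ret):
    """Slide 14's check at insns[idx]: read the slot at esp + height and compare
    with the caller's return address. None = height unknown, check skipped."""
    h = stack_heights(insns)[idx]
    if h == UNKNOWN:
        return None
    return memory.get(esp + h) == caller_ret
```

Removing the `add $0x10,%esp` before `done:` makes the two paths into it disagree (16 versus 32), so the height there becomes UNKNOWN, the isBottom() case, and check_return_address() returns None instead of a verdict.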

  15. class Slicer
     The Predicates class tunes slicing behavior, determining
     • Slicing end points
     • Whether to slice into a caller or callee
     • When to “widen”
        Graph::Ptr forwardSlice(Predicates);
           Return a Graph representation of the forward slice
        Graph::Ptr backwardSlice(Predicates);
           Return a Graph representation of the backward slice

  16. class SymEval
        static bool expand(Graph::Ptr, SymEval::Result&);
           Symbolically evaluate the provided slice

  17. Return or Jump Table?
     Function 1:
        stwu   r1,-16(r1)
        lis    r9,4097
        mflr   r0
        addi   r3,r9,28404
        stw    r0,20(r1)
        lwz    r0,28404(r9)
        cmpwi  cr7,r0,0
        beq-   cr7,10002d38
        lis    r9,0
        addi   r9,r9,0
        cmpwi  cr7,r9,0
        beq-   cr7,10002d38
        mtctr  r9
        bctrl
        lwz    r0,20(r1)
        addi   r1,r1,16
        mtlr   r0
        blr
     Slice on its blr:
        mflr   r0
        stw    r0,20(r1)
        lwz    r0,20(r1)
        mtlr   r0
        blr
     Function 2:
        stwu   r1,-32(r1)
        stw    r31,28(r1)
        mr     r31,r1
        stw    r3,8(r31)
        lwz    r0,8(r31)
        cmplwi cr7,r0,5
        bgt-   cr7,1000052c
        lwz    r0,8(r31)
        rlwinm r11,r0,2,0,29
        lis    r9,4096
        addi   r0,r9,2364
        add    r9,r11,r0
        lwz    r11,0(r9)
        lis    r9,4096
        addi   r0,r9,2364
        add    r0,r11,r0
        mtlr   r0
        blr
     Slice on its blr:
        lwz    r0,8(r1)
        rlwinm r11,r0,2,0,29
        lis    r9,4096
        addi   r0,r9,2364
        add    r9,r11,r0
        lwz    r11,0(r9)
        add    r0,r11,r0
        mtlr   r0
        blr
     • Slice on blr
     • Symbolically evaluate the remaining code
     • Check the expression of PC:
        PC = <return address>    so blr is a return instruction
        PC = <jump table entry>  so blr is an indirect branch through a jump table

  18. Summary
     • Dataflow analysis is an effective method to extract hidden information in programs.
     • Dataflow API is a tool box containing four strong dataflow analysis tools.
     • Currently in beta status.
