1 / 50

The Deconstruction of Dyninst : Experiences and Future Directions

The Deconstruction of Dyninst : Experiences and Future Directions. Drew Bernat , Madhavi Krishnan, Bill Williams, Bart Miller Paradyn Project. Why components?. Share tools Build new tools quickly. Share Tools. Paraver. 3. Dyninst Components. DyninstAPI. ProcControl API.

summer
Télécharger la présentation

The Deconstruction of Dyninst : Experiences and Future Directions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Deconstruction of Dyninst:Experiences and Future Directions Drew Bernat, Madhavi Krishnan, Bill Williams, Bart Miller Paradyn Project

  2. Why components? Share tools Build new tools quickly

  3. Share Tools Paraver 3

  4. Dyninst Components DyninstAPI ProcControl API StackwalkerAPI Instruction API Patch API Parse API CodeGenAPI Symtab API DynC API Dataflow API

  5. Dyninst Component Users Cray ATP StackwalkerAPI A Dyninst Component SymtabAPI A Dyninst Component

  6. Build New Tools Quickly: Dataflow Analysis compiler • PowerPC jump tables and return instruction detection • Malware return address tampering • Behavior-preserving relocation

  7. Build New Tools Quickly: Binary Rewriter SymtabAPI A Dyninst Component

  8. Build New Tools Quickly: Unstrip kill getpid targ8057220 targ805ee40 Symbol Table Data 011000101…110101101…011101…1101110101 targ8056f50 targ805c3bd0 ParseAPI A Dyninst Component SymtabAPI A Dyninst Component compiler

  9. Down The Memory Lane SymtabAPI – version 1.0 DynStackwalker – coming soon InstructionAPI – proposed BinInst – proposed

  10. Dyninst Components Timeline Design and Implementation DynCAPI Beta Release DataflowAPI First Release ProcControlAPI A Dyninst Component PatchAPI ParseAPI A Dyninst Component Integration into Dyninst ParseAPI PatchAPI A Dyninst Component InstructionAPI A Dyninst Component DynC API A Dyninst Component DataflowAPI A Dyninst Component StackwalkerAPI A Dyninst Component ProcControlAPI SymtabAPI A Dyninst Component InstructionAPI StackwalkerAPI SymtabAPI 2006 2007 2008 2009 2010 2011

  11. Componentization: Design Decisions Define the scope of the component ParseAPI CFG model Dyninst CFG model Edge Block Cached register liveness info InstPoints Instrumentability Function

  12. Componentization: Design Decisions Balance internal and external user requirement StackwalkerAPI A Dyninst Component

  13. Componentization: Design Decisions Refine requirements PatchAPI A Dyninst Component

  14. Componentization: Design Decisions Create right level of abstractions libelf libbfd SymtabAPI A Dyninst Component

  15. Componentization: Design Decisions Design extensible and adaptable interfaces • Stack frame stepper • Standard frame • Debug frame • Signal frame StackwalkerAPI A Dyninst Component PatchAPI A Dyninst Component ParseAPI A Dyninst Component

  16. Componentization: Design Decisions Plan for reintegration StackwalkerAPI A Dyninst Component ProcControlAPI A Dyninst Component

  17. Ongoing Research

  18. Ongoing Research • Lightweight, Self-Propelled Instrumentation • Wenbin Fang • Binary Editing • Andrew Bernat • Malware Analysis and Instrumentation • Kevin Roundy • Binary Provenance and Authorship • Nate Rosenblum • Instrumenting Virtualized Environments • Emily Jacobson

  19. Lightweight Instrumentation • Analyze intermittent bugs and fine-grained performance problems • Autonomy • Little perturbation • High level of detail • Rapid activation • Ability to analyze black-box systems • User level and kernel level

  20. Self-Propelled Instrumentation User Mutator Snippet PatchAPI A Dyninst Component Snippet

  21. How it Works Process void foo() { { bar() } void bar() { baz() } ProcControlAPI A Dyninst Component Snippet PatchAPI A Dyninst Component Snippet Instrumenter.so

  22. Binary Instrumentation ParseAPI A Dyninst Component PatchAPI A Dyninst Component

  23. Binary Editing Predicate switching Insert error checking and handling Dynamic patching Code surgery

  24. Malware Analysis and Instrumentation Address Space Sensitive Unpacking Code Overwriting Code Self-Checksumming

  25. SR-Dyninst ProcControlAPI A Dyninst Component ParseAPI A Dyninst Component Parse Reachable Code Dynamic Code Discovery Catch Exceptions Overcome Sensitivity PatchAPI A Dyninst Component DataflowAPI A Dyninst Component

  26. CFG of Conficker A

  27. 010111010110... I C++ Binary Provenance and Authorship

  28. LEARNING FRAMEWORK Provenance System Overview BINARY ANALYSIS TOOL TRAINING DATA 01110101101010101010111010100101101 01110101101010101010111010100101101 01110101101010101010111010100101101 01110101101010101010111010100101101 provenance model ParseAPI A Dyninst Component 0111010110101010101110101110101001101101 PROGRAM

  29. LO HI 175 programs 2,686 binaries 955k functions x Language Optimization Version Compiler .999 .993 .910 .998 Provenance Evaluation Acc.

  30. Instrumenting Virtualized Environments

  31. Status Update

  32. Dyninst 7.0.1 Major new features: • New platforms for binary rewriter • x86 and x86_64 - statically linked binaries • ppc32 and BlueGene/P - dynamically linked binaries • Improvements to parsing speed • Reductions in memory usage • Deprecated Solaris and IA64 platforms • AIX pending due to support difficulties

  33. Component Status Update • SymtabAPI7.0.1 • Speed and space optimizations • InstructionAPI 7.0.1 • PowerPC (ppc32, ppc64) platform • Full integration with Dyninst • ParseAPI 7.0.1 - Platform independent API for parsing binaries • Control flow graph representation • Interprocedural edges (call and return) • Built on InstructionAPI and SymtabAPI • Full integration with Dyninst

  34. Component Status Update • StackwalkerAPI 2.1 • Significant reduction in memory usage • ProcControlAPI1.0.1 - Platform independent interface for creating, monitoring and controlling processes • High level abstraction for process control, breakpoints and callbacks for process events • DynC API 1.0.1 - Instrumentation language for specifying snippets • C like instrumentation snippets for easy and more legible mutator • Handles creation and destruction of snippet-local variables

  35. Dyninst 8.0 • ProcControl API - Windows and BlueGene • Stackwalker API - Windows and VxWorks • Stackwalker & ProcControl integration into Dyninst • PatchAPI and integration into Dyninst • SR Dyninst for tamper resistant and obfuscated binaries • New platforms for binary rewriter • Dynamically linked binaries on ppc64 and Windows • Statically linked binaries on ppc32 and BlueGene/P • Dataflow API official release

  36. MRNet 3.0.1 • Support for loading several filters from the same library • Lightweight MRNet back-end support for non-blocking receives • CrayXTsupport for staging files using ALPS tool helper • Improved build structure that permits configuration for multiple platforms from a single source distribution • Numerous bug fixes and enhancements

  37. Software and Manuals • Dyninst 7.0.1, MRNet 3.0.1: available now! • Downloads: http://www.paradyn.org/html/downloads.html http://www.paradyn.org/html/manuals.html • Dyninst 8.0 – 4th quarter, 2011 • MRNet 3.0.2 – coming soon!

  38. New Environments • Virtual Machines • Whole-system profiling (guest + VMM) using instrumentation • VMM-level information to understand how and why an application's performance is affected by the virtualized environment • Expand performance profiling in the virtualized environment, where traditional approaches do not work or may not be sufficient • Mobile environments – VxWorks, ARM • GPUs

  39. Questions

  40. unstrip: Restoring Function Information to Stripped Binaries Unstrip: Semantic Descriptors • We take a semantic approach • Record information that is likely to be invariant across multiple versions of the function • <accept>: • mov %ebx, %edx • mov %0x66,%eax • mov $0x5,%ebx • lea 0x4(%esp),%ecx • int $0x80 • mov %edx, %ebx • cmp %0xffffff83,%eax • jae 8048300 • ret • mov %esi,%esi mov %0x66,%eax mov $0x5,%ebx {<socketcall >} , 5 int $0x80

  41. unstrip: Restoring Function Information to Stripped Binaries Identifying Functions in a Stripped Binary • For each wrapper function { • 1. Build the semantic descriptor. • 2. Search the database for a match (two stages). • 3. Add label to symbol table. • } stripped binary Descriptor Database unstripped binary unstrip

  42. Introduction to the PatchAPI Performance: Capturing Fine-grained behavior Self-propelled instrumentation (1st party instrumentation) Dyninst (3rd party instrumentation) User Mutator Process void foo () { } void bar () { } void baz () { } Process void foo () { bar() } void bar () { baz() } void baz () { } Snippet Snippet DyninstAPI Snippet PatchAPI find point insert snippet delete snippet Snippet Snippet Snippet Instrumenter.so PatchAPI

  43. Introduction to the PatchAPI New Component: PatchAPI Dyninst Public Interface Internal Plugin Interface PatchAPI Address Space Snippet CFG Parsing Instrumentation Engine

  44. Dyninst is a toolbox for analysts Analysis tool library injection function replace- ment loop, block, function, instruction instrument- ation symbol table reading, writing Mutator forward & backward slices machine language parsing CFG CFG • Specifies instrumentation • Gets callbacks for runtime events • Builds high-level analysis loop analysis call stack walking Dyninst Dyninst binary rewriting program binary 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 Control flow analyzer Data flow analyzer Instrumenter process control

  45. What we could do because of components? • SymtabAPI & StackwalkerAPI • DyninstAPIInstrumentor • ROSE semantics engine • Tools we developed - quickly • Binary rewriter, unstrip

  46. Componentization • Trade-offs • Internal requirements vs. external requirements • Early feedback vs. interface stability • Development time vs. scope • Structured vs. organic • Lesson learned • Keep the project details where they belong • Change code incrementally • Test new interfaces

  47. Binary rewriter • Read binary file format from disk • Parse binary code and build CFG • Generate code for instrumentation • Patch code • Emit new binary file SymtabAPI ParseAPI DyninstAPI PatchAPI

  48. Binary rewriter ProcControlAPI A Dyninst Component ParseAPI A Dyninst Component PatchAPI A Dyninst Component DataflowAPI A Dyninst Component StackwalkerAPI A Dyninst Component SymtabAPI A Dyninst Component

  49. Componentization: Design decisions • Define the scope of the component • Balance internal and external user requirement • Refine the assumptions • Create right level of abstractions • Build from scratch or improve existing code • Early feedback vs. interface stability StackwalkerAPI A Dyninst Component ProcControlAPI A Dyninst Component SymtabAPI A Dyninst Component libelf InstructionAPI A Dyninst Component PatchAPI A Dyninst Component

  50. Dyninst and the components DynCAPI ProcControl API StackwalkerAPI InstructionAPI Patch API Parse API CodeGenAPI Symtab API DyninstAPI AST Dataflow API Symtab API Symtab API Process Binary Binary

More Related