Introduction to the PatchAPI
Wenbin Fang, Drew Bernat
Paradyn Project
Paradyn / Dyninst Week
Madison, Wisconsin
May 2-3, 2011
Motivation: a confluence of two tools
[Diagram: two instrumentation tools side by side. Dyninst (3rd party instrumentation): a User drives a Mutator, whose DyninstAPI layer sits on a Code Patching layer (PatchAPI: find point, insert snippet, delete snippet) that places Snippets into the functions foo, bar and baz of a separate Process. Self-propelled instrumentation (1st party instrumentation): an Instrumenter.so loaded into the Process itself uses the same Code Patching layer (PatchAPI) to place Snippets into foo, bar and baz, where foo calls bar and bar calls baz.]
Dyninst and the Components
[Diagram: component layering of Dyninst, with a legend marking each box as Existing Component, New Component or Proposed (colour-coded in the original). Boxes: AST, Code Gen, SymtabAPI, ParseAPI, Process, PatchAPI, Binary, InstructionAPI, DataFlowAPI, StackwalkerAPI, ProcControlAPI.]
Self-propelled and the Components
[Diagram: component layering of self-propelled instrumentation, with a legend marking each box as Existing Component or New Component (colour-coded in the original). Boxes: Process, Binary Code (0101011 11001…), SymtabAPI, ParseAPI, Binary, PatchAPI, InstructionAPI.]
Outline
o Overview
o Point + Snippet abstractions
o Design
o Challenges
o Public + Plugin interfaces
o Applications of PatchAPI
o Dyninst Reintegration
o Self-propelled instrumentation
Abstraction in DyninstAPI
[Diagram: the CFG of function foo, made of Basic Blocks, with a Point at FuncEntry and a Point at FuncExit, each holding a Snippet. Point types listed: Function Entry, Function Exit, Before Function Call, During Edge, Block Entry, Before Instruction, ... Snippet kinds listed: Dyninst AST, DynC, User-defined, Binary Code.]
  BPatch_addressSpace* app = <GET ADDRESS SPACE>
  BPatch_function* foo = <GET FUNCTION>
  BPatch_snippet* snippet = <GET SNIPPET>
  BPatch_Vector<BPatch_point*>* points = NULL;
  // one query per point type; insertSnippet takes the snippet and the point vector by reference
  points = foo->findPoint(BPatch_entry);
  BPatchSnippetHandle* handle1 =
      app->insertSnippet(*snippet, *points, BPatch_callBefore);
  points = foo->findPoint(BPatch_exit);
  BPatchSnippetHandle* handle2 =
      app->insertSnippet(*snippet, *points, BPatch_callAfter);
  ...
Refined Interfaces in PatchAPI
[Diagram: the CFG of function foo, made of Basic Blocks, with Snippets attached at a FuncEntry point, an EdgeDuring point, a BlockExit point and a FuncExit point. Callouts: "Filter-based point query" on findPoints, "Transactional semantics" on batchStart / batchFinish.]
  PatchMgrPtr patchMgr = <CREATE>
  PatchFunction* foo = <GET FUNCTION>
  SnippetPtr snippet = <GET SNIPPET>
  vector<PointPtr> points;
  FilterFunc myfilter;
  // Filter-based point query: one call covers several point types, narrowed by myfilter
  patchMgr->findPoints(foo,
                       FuncEntry | FuncExit | EdgeDuring | BlockExit,
                       myfilter,
                       back_inserter(points));
  // Transactional semantics: insertions between batchStart and batchFinish are applied as one batch
  patchMgr->batchStart();
  for (size_t i = 0; i < points.size(); i++)
      points[i]->push_back(snippet);
  patchMgr->batchFinish();
  …
Design Challenge 1: Backward Compatibility
o PatchAPI has refined interfaces for code patching.
o Integrating PatchAPI back into Dyninst should keep the Dyninst interfaces unchanged.
[Diagram: Dyninst sits on a Compatibility Layer, which maps onto the Code Patching functionality of PatchAPI.]
Design Challenge 2: Flexibility
[Diagram: the four pluggable parts of PatchAPI and the variants each must support.]
o Address Space: 1st Party, 3rd Party, Binary Rewriter
o Snippet: AST, DynC, User-defined
o CFG Parsing: Online Parsing, Stored CFG
o Instrumentation Engine: In-line, Out-of-line
PatchAPI Public Interface
[Diagram: Binary Patching Tools call the Public Interface of PatchAPI; PatchAPI calls Plugins through its Internal Interface.]
Public interface classes:
o PatchMgr: register plugins + accept requests
o Point: location + container
o Snippet: opaque handle
o Instance: snippet instance at point
Patch Manager
o Register plugins
o Filter-based point query
o Enforce transactional semantics for patching
    o batchStart / batchFinish
o Improve instrumentation performance
    o Reduce # of IPCs for 3rd party instrumentation
Patch Manager (Cont.)
o Filter-based point query
    o Scope
        o function, block, edge, or instruction
    o Point type
        o FuncEntry, BlockExit, BeforeCall, BeforeInsn …
    o Filter function
        o User-implemented
        o Fine-grained control
            o e.g., function calls with function name MPI_*
            o e.g., "push" instructions
            o …
Example
[Diagram: the CFG of function foo, made of Basic Blocks, with a BlockExit point at each block and a FuncExit point at the end.]
  // Find points at function exits, and at exits of blocks
  // that have two outgoing edges
  class MyFilterFunc {
  public:
    bool operator() (PointPtr pt) {
      if (pt->type() == FuncExit) return true;
      PatchBlock* block = <GET BLOCK containing pt>
      if (block->targets().size() == 2) return true;
      return false;
    }
  };
  vector<PointPtr> output;
  MyFilterFunc myfilter;
  PatchFunction* foo = <GET FUNCTION>
  patchMgr->findPoints(foo,
                       BlockExit | FuncExit,
                       myfilter,
                       back_inserter(output));
Point, Snippet, and Instance
[Diagram: inside foo () { ... }, one Point holds an ordered list of Instances, each Instance wrapping a Snippet.]
o Snippet insertion
    Instance push_back(Snippet);
    Instance push_front(Snippet);
o Instance iterator
    instance_iterator begin();
    instance_iterator end();
o Snippet removal
    bool remove(Instance);
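The filter-based point query and the batchStart / batchFinish grouping described above, as an added, self-contained C++ model that is not PatchAPI's own code: a type mask selects candidate point kinds over a function's blocks, the user filter from the example slide narrows them, and insertions made between batchStart and batchFinish are deferred and committed together. ToyPatchMgr, the constructed four-block CFG for foo, and the all-or-nothing commit on an invalid (empty) snippet are assumptions for illustration.

```cpp
#include <iterator>
#include <memory>
#include <string>
#include <vector>
// Point types form a bit mask, as in findPoints(foo, BlockExit | FuncExit, ...).
enum PointType { FuncExit = 1, BlockExit = 2 };
struct Block { std::string name; std::vector<std::string> targets; };  // toy CFG block (constructed)
struct Function { std::vector<Block> blocks; };                        // blocks in layout order
struct Point { PointType type; const Block* block; std::vector<std::string> instances; };
typedef std::shared_ptr<Point> PointPtr;
// Hypothetical stand-in for PatchMgr (not PatchAPI's code): filter-based point query
// plus batchStart/batchFinish, modelled here as an all-or-nothing commit (an assumption).
class ToyPatchMgr {
    struct Pending { PointPtr point; std::string snippet; };
    std::vector<Pending> pending_;
    bool inBatch_ = false;
    static PointPtr mk(PointType t, const Block* b) { return std::make_shared<Point>(Point{t, b, {}}); }
public:
    // Scope: every block of f. Type: the mask. Filter: user functor run on each candidate.
    template <class Filter, class OutIt>
    void findPoints(const Function& f, int mask, Filter filt, OutIt out) {
        std::vector<PointPtr> cands;
        for (const Block& b : f.blocks) {
            if (mask & BlockExit) cands.push_back(mk(BlockExit, &b));
            if ((mask & FuncExit) && b.targets.empty()) cands.push_back(mk(FuncExit, &b));
        }
        for (const PointPtr& p : cands) if (filt(p)) *out++ = p;
    }
    void batchStart() { inBatch_ = true; }
    // Point::push_back(snippet): applied at once outside a batch, deferred inside one.
    void pushBack(const PointPtr& p, const std::string& snippet) {
        if (inBatch_) pending_.push_back(Pending{p, snippet}); else p->instances.push_back(snippet);
    }
    // Commit the batch; an empty snippet is treated as invalid and aborts the whole batch.
    bool batchFinish() {
        bool ok = true;
        for (const Pending& e : pending_) if (e.snippet.empty()) ok = false;
        if (ok) for (const Pending& e : pending_) e.point->instances.push_back(e.snippet);
        pending_.clear(); inBatch_ = false; return ok;
    }
};
// The filter from the example slide: function exits, plus exits of blocks with two outgoing edges.
struct MyFilterFunc {
    bool operator()(const PointPtr& pt) const { return pt->type == FuncExit || pt->block->targets.size() == 2; }
};
// Constructed toy CFG for foo: B0 branches to B1 or B2, both fall into B3, which returns.
Function makeFoo() {
    Function f; f.blocks = { Block{"B0", {"B1", "B2"}}, Block{"B1", {"B3"}}, Block{"B2", {"B3"}}, Block{"B3", {}} };
    return f;
}
```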
PatchAPI Plugin Interface
[Diagram: Binary Patching Tools call the Public Interface of PatchAPI; PatchAPI calls Plugins through its Internal Interface. Plugin kinds and their variants:]
o Address Space: 1st party, 3rd party, binary rewriter
o Snippet: AST, DynC, user-defined code …
o CFG Parsing: online parsing, reuse stored CFG
o Instrumentation Engine: in-line, out-of-line
Address Space
o Memory management primitives
    o malloc / realloc / free
    o write / read
o Example
    o 3rd party instrumentation uses ptrace
    o 1st party instrumentation uses libc
Snippet
Provided by us: AST, DynC
  DynC example:
  if (x == 0) {
    inf`printf("x == 0\n");
  } else if (x > 3) {
    inf`printf("x > 3\n");
  } else {
    inf`printf("x < 3 but x != 0\n");
  }
User-defined: Binary Code
  55
  48 89 e5
  48 83 ec 20
  47 45 ec 00 00 00 00
  eb 39
  b8 00 00 00 00
  e8 a8 f5 df ff
  …
CFG Parsing
[Diagram: two flows. On demand parsing: the User Mutator calls PatchAPI, which parses the CFG info itself and then patches the Process. Reuse: an Offline Parser produces stored CFG info, which PatchAPI reuses when patching the Process.]
Dyninst Reintegration
[Diagram: Dyninst is the public interface; the plugins behind PatchAPI's internal plugin interface are:]
o Address Space: Dyninst Address Space (3rd party, binary rewriter)
o Snippet: AST (will support DynC in the future)
o CFG Parsing: ParseAPI (parse CFG during the runtime of instrumentation)
o Instrumentation Engine: In-line (relocate a group of code, embed snippet)
Self-propelled instrumentation
[Diagram: Self-propelled is the public interface; the plugins behind PatchAPI's internal plugin interface are:]
o Address Space: libc (1st party instrumentation)
o Snippet: Binary code (a small set of instructions)
o CFG Parsing: Stored CFG (reuse stored CFG information)
o Instrumentation Engine: Hybrid (out-of-line + in-line)
Status
[Diagram: progress through the stages Conception -> Interface Design -> Code Refactoring -> Dyninst Reintegration -> Build Self-propelled instrumentation.]
Summary
o PatchAPI from/back to Dyninst
o Point and Snippet
o Design of PatchAPI
o Public Interface
    o Filter-based Point Query
    o Transactional Semantics
o Plugin Interface
    o Customizing Instrumentation
o To be released with Dyninst 8.0
Questions?