Presentation is loading. Please wait.

Presentation is loading. Please wait.

Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 29 - May 1, 2013 Using Dyninst for Program Binary Analysis and Instrumentation Emily Jacobson.

Published byClaribel Chapman Modified over 9 years ago

Similar presentations

Presentation on theme: "Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 29 - May 1, 2013 Using Dyninst for Program Binary Analysis and Instrumentation Emily Jacobson."— Presentation transcript:

1 Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 29 - May 1, 2013 Using Dyninst for Program Binary Analysis and Instrumentation Emily Jacobson

2 No Source Code — No Problem With Dyninst we can: o Find (stripped) code o in program binaries o in live processes o Analyze code o functions o control-flow-graphs o loop, dominator analyses o Instrument code o statically (rewrite binary) o dynamically (instrument live process) Using Dyninst for Analysis and Instrumentation Libraries Executables a.out Live Process Executable Library 1 Library N … lib.so prog.exe lib.dll 2

3 Static RewritingDynamic Instrumentation o Amortize parsing and instrumentation time. o Execute instrumentation at a particular time (oneTimeCode). o Potential to generate more efficient modified binaries. o Insert and remove instrumentation at run time. o 3 rd party response to runtime events o 1 st party response to runtime events 3 Using Dyninst for Analysis and Instrumentation Choice of Static vs. Dynamic Instrumentation

4 Find memory leaks Add printfs to malloc, free Stackwalk malloc calls that are not freed 4 Example Dyninst Program Using Dyninst for Analysis and Instrumentation ChaosPro ver 3.1

5 Dyninst Components Using Dyninst for Analysis and Instrumentation Binary Code Code Generator Instrumenter Stack Walker (Stackwalker- API) Process Controller (ProcControl- API) Symbol Table Parser (SymtabAPI) Code Parser (ParsingAPI Instruction Decoder (Instruction- API) Instrumentation Requests Stack Walk Requests Analysis Requests 5

6 Process Control Several supported OS’s Using Dyninst for Analysis and Instrumentation Linux Windows Process Controller 6

7 Process Control Several supported OS’s Broad functionality Attach/create process Monitor process status changes Callbacks for fork/exec/exit Mutatee operations: malloc, load library, inferior RPC Uses debugger interface Using Dyninst for Analysis and Instrumentation Analyst Program (Mutator) Dyninst Library Monitored Process (Mutatee) Dyninst Runtime Lib Process Controller Debugger Interface 7

8 ... Dyninst’s Process Interface Using Dyninst for Analysis and Instrumentation http://paradyn.org/html/manuals.html 8

9 Example: Create a ChaosPro.exe Process BPatch bpatch; static void exitCallback(BPatch_thread*,BPatch_exitType) { printf(“About to exit\n”); } int main(int argc, char *argv[]) { if (argc < 2) { fprintf(stderr, "Usage: %s prog_filename\n", argv[0]); return 1; } BPatch_process *proc = bpatch.processCreate( argv[1], argv+1 ); bpatch.registerExitCallback( exitCallback ); proc->continueExecution(); while ( ! proc->isTerminated() ) bpatch.waitForStatusChange(); return 0; } > mutator.exe C:\Chaos\ChaosPro.exe 9 Using Dyninst for Analysis and Instrumentation

10 Unified Abstractions Using Dyninst for Analysis and Instrumentation 10 BPatch_processBPatch_binaryEdit a.out libc.so Live Process BPatch_addressSpace a.out libc.so Add/remove instrumentation, lookups by address, allocate variables in mutatee Process state, threads, one-time instrument- ation write file

11 Symbol Table Parsing Using Dyninst for Analysis and Instrumentation Mutatee Code Generator InstrumenterStack Walker Process Controller Symbol Table Parser Code Parser Instruction Decoder chaospro.exe Runtime Lib msvcrt.dll Where are malloc, free? Mutator Dyninst Library 11

12 Symbol Table Parsing Using Dyninst for Analysis and Instrumentation Where are malloc, free? Mutatee Symbol Table Parser PE ELF XCOFF Program Headers Shared Object Dependencies Type Information Exception Information Symbols Symbol Versions Section Headers Section Data Dynamic Segment Information Relocations Local variable Information Line Number Information SymbolAddress func1 func20x0804cd1d variable1 0x0804cc84 0x0804cd00 Size 100 4 500 Runtime Lib 12 chaospro.exe msvcrt.dll

13 int main(int argc, char *argv[]) {... BPatch_image* image = proc->getImage(); BPatch_module* libc = image->findModule( “msvcrt” ); vector * funcs = libc->findFunction( “malloc” ); BPatch_function * bp_malloc = (*funcs)[0]; Address start = bp_malloc->getBaseAddr(); Address size = bp_malloc->getSize(); printf( “malloc: [%x %x]\n", start, start + size );... } Example: Find malloc Using Dyninst for Analysis and Instrumentation Mutatee Mutator Dyninst Library Runtime Lib 13 chaospro.exe msvcrt.dll

14 Decoding and Parsing of Binary Code Using Dyninst for Analysis and Instrumentation Mutatee Code Generator InstrumenterStack Walker Code Parser Instruction Decoder Mutator Dyninst Library Runtime Lib Process Controller Symbol Table Parser 14 chaospro.exe msvcrt.dll Get parameters, return values for malloc, free

15 Instruction Decoding Using Dyninst for Analysis and Instrumentation Instruction Decoder Abstract Syntax Tree mov eax -> [ebx * 4 + ecx] deref add mult moveax[ebx * 4 + ecx] ecx ebx4 IA32 AMD64 POWER Mutatee 8b 04 99 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b 15

16 Parsing Identify basic blocks, functions Builds control-flow graph Operate on stripped code, but use symbol information opportunistically Using Dyninst for Analysis and Instrumentation Instruction Decoder Mutatee 8b 04 99 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b Code Parser mov eax -> [ebx * 4 + ecx] deref add multecx ebx4 moveax[ebx * 4 + ecx]  Parse-time analyses: 16 IA32 AMD64 POWER

17 Binary Code Parsing Task: instrument malloc at its entry and exit points, instrument free at its entry point Subtask: find malloc and parse it Using Dyninst for Analysis and Instrumentation Code Parser Instruction Decoder Process Controller Symbol Table Parser chaospro.exe Mutatee 84 04 99 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 73 1c 88 48 6a d8 6a d0 56 4b fe 92 57 af 40 0c b6 f2 64 32 f5 07 57 af 40 0c b6 f2 64 32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd 5b msvcrt.dll malloc 77C2C407 free 77C2C21B atoi 77C1BE7B strcpy 77C46030 memmove 77C472B0 mov eax -> [ebx * 4 + ecx] deref add multecx ebx4 moveax[ebx * 4 + ecx] 17

18 Control Flow Traversal Parsing Function symbols may be sparse Executables must provide only one function address Libraries provide symbols for exported functions Parsing finds additional functions by following call edges Using Dyninst for Analysis and Instrumentation _start [80483b0 80483fa] _init [8048354 804836b] _fini [8048580 804859c] main [8048480 80484cf] targ3d4 [80483d4 80483fa] targ400 [8048400 804843e] targ440 [8048440 8048468] 18

19 Control Flow Graph Using Dyninst for Analysis and Instrumentation E C E E CR R R R 19 Address pointAddr; BPatch_procedureLocation type; enum {BPatch_entry, BPatch_exit, BPatch_subroutine, BPatch_address } Graph elements: BPatch_function BPatch_basicBlock BPatch_edge Instrumentation points: BPatch_point

20 Example: Find malloc’s Exit Points vector * funcs; funcs = bp_image->getProcedures(); funcs = bp_image->findFunction(“malloc”); Using Dyninst for Analysis and Instrumentation E C E E CR R R R Mutatee chaospro.exe msvcrt.dll Parsing is triggered automatically as needed malloc kernel32.dll 20

21 Example: Find malloc’s Exit Points vector * funcs; funcs = bp_image->findFunction(“malloc”); funcs = libc_mod->findFunction(“malloc”); Using Dyninst for Analysis and Instrumentation E C E E CR R R R Mutatee chaospro.exe msvcrt.dll Parsing is triggered automatically as needed malloc kernel32.dll 21

22 BPatch_function * bp_malloc = (*funcs)[0]; vector * points = BPatch_entry bp_malloc->findPoints BPatch_subroutine ; BPatch_exit Example: Find malloc’s Exit Points Using Dyninst for Analysis and Instrumentation E C E E C R R R R Mutatee malloc 22 chaospro.exe msvcrt.dll kernel32.dll

23 Instrumentation (at last!) Using Dyninst for Analysis and Instrumentation Code Generator InstrumenterStack Walker Code Parser Instruction Decoder Mutatee chaospro.exe Mutator Dyninst Library Runtime Lib msvcrt.dll Process Controller Symbol Table Parser 23

24 Instrument- ation Points Abstract Syntax Tree Snippet Specifying Instrumentation Requests Using Dyninst for Analysis and Instrumentation Instrumentation Requests Code Generator Instrumenter R R what where 24

25 BPatch_Snippet Subclasses BPatch_sequence( vector items ) BPatch_variableExpr() int value BPatch_constExpr char* value void* value BPatch_ifExpr( BPatch_boolExpr condition, BPatch_Snippet then_clause, BPatch_Snippet else_clause ) BPatch_funcCallExpr( BPatch_function * func, vector args ) BPatch_paramExpr( int param_number ) BPatch_retExpr() Using Dyninst for Analysis and Instrumentation 25

26 BPatch_Snippet Classes Using Dyninst for Analysis and Instrumentation 26

27 Example: Forming printf Snippet Using Dyninst for Analysis and Instrumentation printf( “free(%x)\n”, arg0 ); BPatch_funcCallExpr BPatch_paramExpr arg0(0) Bpatch_function bp_printf E free(ptr) vector “free(%x)\n” BPatch_constExpr BPatch_funcCallExpr ( BPatch_function * func, vector args ) 27

28 Example: Instrument free w/ call to printf Using Dyninst for Analysis and Instrumentation BPatch_function * bp_free; vector entryPoints;... BPatch_constExpr arg0 ( “free(%x)\n” ); BPatch_paramExpr arg1 (0); vector printf_args; printf_args.push_back( & arg0 ); printf_args.push_back( & arg1 ); BPatch_funcCallExpr callPrintf( *bp_printf, printfArgs ); bpatch.beginInsertionSet(); for ( int idx =0; idx < entryPoints.size(); idx++ ) proc->insertSnippet( callPrintf, *entryPoints[idx] ); bpatch.finalizeInsertionSet(); BPatch_funcCallE xpr BPatch_paramExpr arg0(0) bp_printf vector “free(%x)\n” BPatch_constExpr E free(ptr) 28

29 Using Variables Find / create variable bp_image->findVariable(“global1”); bp_proc->malloc(bp_image->findType(“int”)); Initialization instrumentation e.g., assignment at entry point of main Manipulation instrumentation e.g., arithmetic assignment expression Gather / print out values e.g., through callback instrumentation Using Dyninst for Analysis and Instrumentation 29 malloc instrumentation: save argument in a variable

30 Example: Instrumenting malloc Using Dyninst for Analysis and Instrumentation void * malloc ( size_t size ) { MALLOC_ARG = size;... if (MALLOC_ARG > 1000) printf(“%x = malloc(%x)\n”, retnValue, MALLOC_ARG); } E R R malloc BPatch_assign BPatch_arithExpr MALLOC_ARGBPatch_constExpr 1 30

31 vector Example: Instrumenting malloc Using Dyninst for Analysis and Instrumentation BPatch_ifExpr Bpatch_boolExpr E R R malloc BPatch_constExpr(100) MALLOC_ARG BPatch_gt BPatch_funcCallExpr BPatch_function bp_printf “%x = malloc(.)\n” BPatch_retExpr retnValue BPatch_constExpr 31 void * malloc ( size_t size ) { MALLOC_ARG = size;... if (MALLOC_ARG > 100) printf(“%x = malloc(%x)\n”, retnValue, MALLOC_ARG); }

32 Generating the Instrumentation Code Using Dyninst for Analysis and Instrumentation Code Generator Instrumenter BPatch_funcCallExpr BPatch_paramExpr arg0(0) bp_printf vector “free(%x)\n” BPatch_constExpr mov eax -> [ebx * 4 + ecx] deref add multecx ebx4 moveax[ebx * 4 + ecx] Instrumentation snippet Code at the instrumented point IA32 AMD64 POWER 32

33 Stack Walking Using Dyninst for Analysis and Instrumentation Code Generator InstrumenterStack Walker Code Parser Instruction Decoder Mutatee chaospro.exe Mutator Dyninst Library Runtime Lib msvcrt.dll Process Controller Symbol Table Parser 33

34 Example: Stack Walk of malloc Call Callback triggers stackwalk BPatch_thread:: getCallStack(…) Using Dyninst for Analysis and Instrumentation Mutatee chaospro.exe Mutator Dyninst Library Runtime Lib msvcrt.dll  Choose instrumentation point the exit points of malloc  Insert callback instrumentation use stopThreadExpr snippet Stack Walker E R R malloc 34

35 Implementation Session Code Coverage Create a mutator that counts function invocations See description of the lab at http://www.paradyn.org/tutorial/ Using Dyninst for Analysis and Instrumentation 35

Download ppt "Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 29 - May 1, 2013 Using Dyninst for Program Binary Analysis and Instrumentation Emily Jacobson."

Similar presentations

CPSC 388 – Compiler Design and Construction

CPSC 388 – Compiler Design and Construction
Dynamic Memory Allocation in C.  What is Memory What is Memory  Memory Allocation in C Memory Allocation in C  Difference b\w static memory allocation.

Dynamic Memory Allocation in C.  What is Memory What is Memory  Memory Allocation in C Memory Allocation in C  Difference b\w static memory allocation.
Chapter 7 Process Environment Chien-Chung Shen CIS, UD

Chapter 7 Process Environment Chien-Chung Shen CIS, UD
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 29 - May 1, 2013 DynC: High Level Instrumentation With Dyninst Emily Jacobson DynC and.

Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 29 - May 1, 2013 DynC: High Level Instrumentation With Dyninst Emily Jacobson DynC and.
Paradyn. Paradyn Goals Performance measurement tool that –scales to long-running programs on large parallel and distributed systems –automates much of.

Paradyn. Paradyn Goals Performance measurement tool that –scales to long-running programs on large parallel and distributed systems –automates much of.
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-4, 2011 ProcControlAPI and StackwalkerAPI Integration into Dyninst Todd Frederick and Dan.

Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-4, 2011 ProcControlAPI and StackwalkerAPI Integration into Dyninst Todd Frederick and Dan.
Paradyn Project Paradyn / Dyninst Week College Park, Maryland March 26-28, 2012 Paradyn Project Upcoming Features in Dyninst and its Components Bill Williams.

Paradyn Project Paradyn / Dyninst Week College Park, Maryland March 26-28, 2012 Paradyn Project Upcoming Features in Dyninst and its Components Bill Williams.
Paradyn Project Paradyn / Dyninst Week College Park, Maryland March 26-28, 2012 Self-propelled Instrumentation Wenbin Fang.

Paradyn Project Paradyn / Dyninst Week College Park, Maryland March 26-28, 2012 Self-propelled Instrumentation Wenbin Fang.
Kernighan/Ritchie: Kelley/Pohl:

Kernighan/Ritchie: Kelley/Pohl:
Memory allocation CSE 2451 Matt Boggus. sizeof The sizeof unary operator will return the number of bytes reserved for a variable or data type. Determine:

Memory allocation CSE 2451 Matt Boggus. sizeof The sizeof unary operator will return the number of bytes reserved for a variable or data type. Determine:
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-3, 2011 Introduction to the PatchAPI Wenbin Fang, Drew Bernat.

Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin May 2-3, 2011 Introduction to the PatchAPI Wenbin Fang, Drew Bernat.
© 2006 Barton P. MillerFebruary 2006Binary Code Analysis and Editing A Framework for Binary Code Analysis, and Static and Dynamic Patching Barton P. Miller.

© 2006 Barton P. MillerFebruary 2006Binary Code Analysis and Editing A Framework for Binary Code Analysis, and Static and Dynamic Patching Barton P. Miller.
Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.

Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.
ספטמבר 04Copyright Meir Kalech1 C programming Language Chapter 3: Functions.

ספטמבר 04Copyright Meir Kalech1 C programming Language Chapter 3: Functions.
1 Homework Reading –PAL, pp 201-216, 297-312 Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.

1 Homework Reading –PAL, pp , Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.
. Memory Management. Memory Organization u During run time, variables can be stored in one of three “pools”  Stack  Static heap  Dynamic heap.

. Memory Management. Memory Organization u During run time, variables can be stored in one of three “pools”  Stack  Static heap  Dynamic heap.
Process. Process Concept Process – a program in execution Textbook uses the terms job and process almost interchangeably A process includes: – program.

Process. Process Concept Process – a program in execution Textbook uses the terms job and process almost interchangeably A process includes: – program.
AutoHacking with Phoenix Enabled Data Flow Analysis Richard Johnson |

AutoHacking with Phoenix Enabled Data Flow Analysis Richard Johnson |
Paradyn Project Dyninst/MRNet Users’ Meeting Madison, Wisconsin August 7, 2014 The Evolution of Dyninst in Support of Cyber Security Emily Gember-Jacobson.

Paradyn Project Dyninst/MRNet Users’ Meeting Madison, Wisconsin August 7, 2014 The Evolution of Dyninst in Support of Cyber Security Emily Gember-Jacobson.
University of Maryland parseThat: A Robust Arbitrary-Binary Tester for Dyninst Ray Chen.

University of Maryland parseThat: A Robust Arbitrary-Binary Tester for Dyninst Ray Chen.

Similar presentations

Ads by Google