Presentation is loading. Please wait.

Presentation is loading. Please wait.

Building Customized Dynamic Program Inspectors Derek Bruening Qin Zhao.

Published byWilfred Bryan Modified over 9 years ago

Similar presentations

Presentation on theme: "Building Customized Dynamic Program Inspectors Derek Bruening Qin Zhao."— Presentation transcript:

1 Building Customized Dynamic Program Inspectors Derek Bruening Qin Zhao

2 Motivation Profile, monitor, or inspect application binaries as they run Build customized dynamic program inspectors Target production workloads Profile or inspect actual deployed application with no overhead when not in inspection mode Target applications that include legacy components, third- party libraries, or dynamically-generated code Want to inspect whole program even if cannot recompile it all 2

3 Reach of Toolchain Control Points 3 runtime inspector

4 Dynamo @HP Labs on x86 DynamoRIO Dynamo + RIO  DynamoRIO 1999 Dynamo @HP Labs on PA-RISC RIO @MIT (Runtime Introspection and Optimization) 2001 late 1990’s2000 4

5 Google sponsors Dr. Memory DynamoRIO History 2001 VMware acquires Determina Determina security startup open-sourced BSD license binary releases DynamoRIO @MIT 200320072010 20022009 5

6 DynamoRIO Tool Platform Design Goals Efficient Near-native performance Transparent Match native behavior Comprehensive Control every instruction, in any application Customizable Adapt to satisfy disparate tool needs 6

7 Outline Base System: DynamoRIO Efficient Transparent Comprehensive Customizable Dynamic Program Inspectors Examples and Possibilities Case studies 7

8 Basic Interpreter interpreter fetchdecodeexecute ~300x Slowdown! application code bar()foo() A B C D E F 8

9 application code bar()foo() Improvement #1: Basic Block Cache A B C D E F DynamoRIO basic block cache A C D E F Slowdown: 300x 25x 9

10 application code bar()foo() Improvement #2: Linking Direct Branches A B C D E F DynamoRIO basic block cache A C D E F Slowdown: 300x 25x 3x 10

11 application code bar()foo() Improvement #3: Linking Indirect Branches A B C D E F DynamoRIO basic block cache A C D E F Slowdown: 300x 25x 3x 1.2x indirect branch lookup 11

12 application code bar()foo() Improvement #4: Trace Building A B C D E F DynamoRIO basic block cache A C D E F trace cache A C D E F ? Slowdown: 300x 25x 3x 1.2x 1.1x indirect branch lookup ind. br. stays on trace? 12

13 Base Performance: SPEC 2006 13

14 application code bar()foo() Time Breakdown for SPEC CPU INT A B C D E F DynamoRIO basic block cache A C D E F trace cache A C D E F ? indirect branch lookup ind. br. stays on trace? 0% 2% 94% 4% < 1% 14

15 Outline Base System: DynamoRIO Efficient Transparent Comprehensive Customizable Dynamic Program Inspectors Examples and Possibilities Case studies 15

16 Unavoidably Intrusive 16 process appcache process DynamoRIO thread operating system A C D E F look up A B C D E F thread

17 Outline Base System: DynamoRIO Efficient Transparent Comprehensive Customizable Dynamic Program Inspectors Examples and Possibilities Case studies 17

18 process appcache Above the Operating System process DynamoRIO thread 18 A C D E F look up A B C D E F thread E E operating system

19 Outline Base System: DynamoRIO Efficient Transparent Comprehensive Customizable Dynamic Program Inspectors Examples and Possibilities Case studies 19

20 basic block cache application code bar()foo() DynamoRIO + Client Program Inspector A B C D E F DynamoRIO C D E F trace cache C E F ? indirect branch lookup A A client code 20 D D

21 Primary Client Events: Code Stream Client has opportunity to inspect and potentially modify every single application instruction, immediately before it executes Entire application code stream Basic block creation event: can modify the block For comprehensive instrumentation tools Or, focus on hot code only Trace creation event: can modify the trace Custom trace creation: can determine trace end condition For optimization and profiling tools 21

22 application code bar()foo() Instrumentation Time vs Analysis Time A B C D E F DynamoRIO basic block cache C D E F trace cache C D E F ? indirect branch lookup A A client code instrumentation time 22 analysis time average instruction length call instruction execution count

23 Code Cache Threading Models thread application thread-shared code cache operating system thread-private code caches 23

24 Secondary Client Events Application thread creation and deletion Application library load and unload Application exception/signal Client chooses whether to deliver, suppress, bypass the app handler, or redirect control Application pre- and post- system call Client can inspect/modify call number, params, or return value Bookkeeping: init, exit, cache management, etc. 24

25 DynamoRIO API: General Utilities Safe utilities for maintaining transparency Separate stack, memory allocation, file I/O Thread-local storage, synchronization Create client-only thread or private itimer Application control Suspend and resume all other threads Application inspection Address space querying Module iterator Processor feature identification 25

26 DynamoRIO API: Code Manipulation Clean calls to C or C++ code Automatically inlined for simple callees Full IA-32/AMD64 instruction representation Includes implicit operands, decoding, encoding State preservation Eflags, arith flags, floating-point state, MMX/SSE state Spill slots, TLS, CLS Dynamic instrumentation Replace code in the code cache 26

27 DynamoRIO Demo

28 Outline Base System: DynamoRIO Efficient Transparent Comprehensive Customizable Dynamic Program Inspectors Examples and Possibilities Case studies  Program shepherding  Dr. Memory 28

29 Examples and Possibilities Code Inspection Code coverage Path profiling Data Inspection Heap overflow detection Concurrency Inspection Cache contention detection 29

30 application code bar()foo() Code Inspection: Code Coverage (bbcov) A B C D E F DynamoRIO basic block cache E F trace cache A client code 30 A A C C D C ACDEF ACDEF Efficient code coverage C D E F A instrumentation time D D E E F F Hot/cold code discovery Cold start optimization

31 Code Inspection: Code Coverage (bbcov) void dr_init(client_id_t id) { … dr_register_bb_event(event_basic_block); … if (dr_using_all_private_caches()) bbcov_per_thread = true; } dr_emit_flags_t event_basic_block(void *dc, void *tag, instrlist_t *bb, bool trace, bool xl8) { … for (instr = instrlist_first(bb); instr != NULL; instr = instr_get_next(instr)) { … } … bb_table_entry_add(dc, data, start_pc, cbr_tgt, (end_pc - start_pc), num_instrs, trace); return DR_EMIT_DEFAULT; } 31

32 application code bar()foo() Code Inspection: Path Profiling (bbbuf) A B C D E F DynamoRIO basic block cache trace cache client code 32 A C ACD E ACD ACD E ACA D CDDEE analysis time

33 Code Inspection: Path Profiling (bbbuf) void dr_init(client_id_t id) { … dr_register_bb_event(event_basic_block); if (!dr_raw_tls_calloc(&tls_seg, &tls_offs, 1, 0)) DR_ASSERT(false); } dr_emit_flags_t event_basic_block(void *dc, void *tag, instrlist_t *bb, bool trace, bool xl8) { … /* load buffer pointer from TLS field */ MINS(bb, first, INSTR_CREATE_mov_ld (dc, opnd_create_reg(reg), opnd_create_far_base_disp(tls_seg, DR_REG_NULL, DR_REG_NULL, 0, tls_offs, OPSZ_PTR))); /* store bb's start pc into the buffer */ MINS (bb, first, INSTR_CREATE_mov_st (dc, OPND_CREATE_MEM32(reg, 0), OPND_CREATE_INT32(pc))); /* advance buffer, we use lea to avoid aflags save/restore */ MINS(bb, first, INSTR_CREATE_lea (dc, opnd_create_reg(reg_16), opnd_create_base_disp(reg, DR_REG_NULL, 0, sizeof(app_pc), OPSZ_lea))); /* save buffer pointer */ MINS(bb, first, INSTR_CREATE_mov_st (dc, opnd_create_far_base_disp(tls_seg, DR_REG_NULL, DR_REG_NULL, 0, tls_offs, OPSZ_PTR), opnd_create_reg(reg))); return DR_EMIT_DEFAULT; } 33 start_pc = 0xf771bb9b mov (%esp)  %ebx ret %esp (%esp)  %esp end_pc = 0xf771bb9f mov $0xf771bb9b  (%ebx) lea 0x04(%ebx)  %bx mov %ebx  %fs:0x4c mov (%esp)  %ebx ret %esp (%esp)  %esp mov %fs:0x4c  %ebx

34 Code Inspection Profiling Instruction/edge/path/inter-procedural profiling Hot/cold code Control-flow/call graph Debugging Execution recording Software breakpoint Security Program shepherding Code de-obfuscation 34

35 Examples and Possibilities Code Inspection Code coverage Path profiling Data Inspection Heap overflow detection Concurrency Inspection Cache contention detection 35

36 Data Inspection: Heap Overflow Detection Catch heap underflow and overflow: Wrap allocation routines Keep track of malloc chunks. Insert redzones between application malloc chunks and put special value (pattern) like 0xf1fd in the redzone. Instrumentation Check value before every memory access: look for 0xf1fd. If found, check whether address is in redzone. 36 malloc header requested size for application data malloc padding pre- redzone post- redzone

37 Instrumentation void pattern_insert_cmp_jne_ud2a(void *dc, instrlist_t *ilist, instr_t *app, opnd_t ref, opnd_t pattern) { instr_t *label; app_pc pc = instr_get_app_pc(app); label = INSTR_CREATE_label(drcontext); /* cmp ref, pattern */ PREXL8M(ilist, app, INSTR_XL8 (INSTR_CREATE_cmp(dc, ref, pattern), pc)); /* jne label */ PRE(ilist, app, INSTR_CREATE_jcc_short (dc, OP_jne_short, opnd_create_instr(label))); /* illegal instr */ PREXL8M(ilist, app, INSTR_XL8(INSTR_CREATE_ud2a(dc), pc)); /* label */ PRE(ilist, app, label); } void dr_init(client_id_t id) { … #ifdef LINUX dr_register_signal_event(event_signal); #else dr_register_exception_event(event_exception); #endif } 37 mov 0x00000084(%eax)  %edx test %edx %edx jz $0xf77e6ea2 cmp 0x00000084(%eax) $0xf1fdf1fd jnz ud2a mov 0x1c(%esp)  %eax

38 Data Inspection Profiling Memory tracing  Cache simulation, data layout/prefetch optimization, etc. System call tracing Heap state inspection Debugging Memory bug detection  Uninit error, buffer overflow/underflow, memory leak, etc. Software watchpoint Security Dynamic data-flow tracking (taint-trace) 38

39 Examples and Possibilities Code Inspection Code coverage Path profiling Data Inspection Heap overflow detection Concurrency Inspection Cache contention detection 39

40 Concurrency Inspection: Cache Contention 40 P $ P $ $ P $ P $ $ Motivating example: uint64 local_sum[2]; uint64 global_sum; parallel_sum(int myid, int start, int end) { for (int i = start; i < end; i++) local_sum[myid] += buf[i]; lock(); global_sum += local_sum[myid]; unlock(); } # Threads12 same coredistinct cores minmax Time(s): no padding4.7984.8423.8835.219 Time(s): padding4.7804.8172.4512.473 Network memory I/O local_sum[2] Xeon X5460 @ 3.16GHz, 2x Quad core

41 Hardware Performance Counter Hardware limitation Limited events: must deduce from supported counter Hardware specific Cache configuration, particular cache line size, cache size, etc. Thread-CPU binding Flexibility Limited to sampling Hard to reconfigure 41

42 Software Shadow Memory Store meta-data Track properties of application memory Update via instrumented code 42 a.out stack libc application memory heap a.out stack libc shadow memory heap process address space

43 ownership bitmap (32 bits) shadow memory T1 T32 T2 Cache Contention Detection Cacheline mapped to thread ownership bitmap Memory reference: Test and set thread bit (cache miss) Memory write: Compare and set only own bit (cache invalidation) application memory cache lines (16 words each) 43

44 Concurrency Inspection Profiling Cache contention False sharing Multi-thread communication Debugging Data race detection Deterministic record and replay Security Deterministic scheduling 44

45 Other Possible Applications Performance Cross-architectural performance estimation Debugging Integration with debugger with reverse execution Security Sandboxing Others Dynamic translation 45

46 Outline Base System: DynamoRIO Efficient Transparent Comprehensive Customizable Dynamic Program Inspectors Examples and Possibilities Case studies  Program shepherding  Dr. Memory 46

47 Anatomy of a Memory-Based Attack system and application memory kernel network ENTER CORRUPT DATA HIJACK PROGRAM COUNTER COMPROMISE 47

48 Critical Data: Control Flow Indirection Subroutine calls Return address and activation records on visible stack Dynamic library linking Function exports and imports Object oriented polymorphism: dynamic dispatch Vtables Callbacks – registered function pointers Event dispatch, atexit Exception handling Any problem in computer science can be solved with another layer of indirection. - David Wheeler 48

49 Critical Data: Control Flow Exploits Return address overwrite Classic buffer overflow GOT overwrite Object pointer overwrite or uninitialized use Function pointer overwrite Heap, stack, data, PEB Exception handler overwrites SEH exploits Any problem in computer science can be solved with another layer of indirection. But that usually will create another problem. - David Wheeler 49

50 Preventing Data Corruption Is Difficult Stored program addresses legitimately manipulated by many different entities Dynamic linker, language runtime Intermingled with regular data Return addresses on stack Vtables in heap Even if could distinguish a good write from a bad write, too expensive to monitor all data writes 50

51 Insight: Hijack Violates Execution Model Hardware Interface Typical Application Execution Model Security Attack 51

52 Goal: Shrink Hardware Interface Typical Application Execution Model Security Attack Constrained Hardware Interface 52

53 Program Shepherding Monitor all control-flow transfers during program execution DynamoRIO is in perfect position to do this Validate that each transfer satisfies security policy based on execution model Application Binary Interface (ABI): calling convention, library invocation The application may be damaged by data corruption, but the system will not be compromised by hijacking control flow 53

54 program shepherding application code unmodified code modified code Technique 1: Restricted Code Origins E D basic block cache A C D trace cache indirect branch lookup instrumen- tation time 54

55 program shepherding application code Technique 2: Restricted Control Transfers basic block cache A C D trace cache indirect branch lookup E F D E F ? bar()foo() A B C D E F call A C instrumen- tation time 55 return jump

56 application code bar()foo() basic block cache Technique 3: Un-circumventable Sandboxing A B pre-check system call post-check C jump A B system call C jump pre-check system call post-check C E F 56

57 Minimal False Positives Carefully crafted security policies Automated exemption generation: ‘staging mode’ Determina, Inc: 50 customers, 10,000 machines No false positives in MSFT apps <50 unique false positives in 3rd party libraries We treated these false positives as bugs rather than customer driven policies Radically different from other security products 57

58 Outline Base System: DynamoRIO Efficient Transparent Comprehensive Customizable Dynamic Program Inspectors Examples and Possibilities Case studies  Program shepherding  Dr. Memory 58

59 Memory Bugs Memory bugs are challenging to detect and fix Memory corruption, reading uninitialized memory, memory leaks Observable symptoms resulting from memory bugs are often delayed and non-deterministic Errors are difficult to discover during regular testing Testing usually relies on randomly happening to hit visible symptoms The sources of these bugs are painful and time-consuming to track down from observed crashes Memory bugs often remain in shipped products and can show up in customer usage 59

60 Dr. Memory Detects unaddressable memory accesses Wild access to invalid address Use-after-free Buffer and array overflow and underflow Read beyond top of stack Invalid free, double free Detects uninitialized memory reads Detects memory leaks 60

61 Implementation Strategy Track the state of application memory using shadow memory Track whether allocated and whether defined Monitor every memory-related action by the application: System call Malloc, realloc, calloc, free, mmap, mumap, mremap Memory read or write Stack adjustment At exit or on request, scan memory to check for leaks 61

62 Shadow each byte of memory + registers with 1 of 3 states: Shadow Metadata definedunaddressableuninitialized allocate: malloc, stack deallocate write deallocate allocate: mmap, calloc 62

63 Shadow Memory defined unaddr uninit defined Shadow Stack Stack Shadow Heap Heap header malloc header padding unaddr defined uninit defined freed unaddr 63 redzone unaddr

64 The Uninitialized Whole Word Problem Sub-word variables are moved around as whole words Sub-word field often initialized as sub-word yet copied as whole word Reads involved in copying should not raise errors Solution: report errors on “meaningful” reads only Use in compare, conditional branch, address register, or system call Requires propagating metadata and shadowing registers Shadow metadata mirrors application data flow byte 3 byte 0 byte 1 byte 2 init uninit init Initialize 16 bits init uninit init Copy 32 bits init uninit init Compare 16 bits 64

65 Memory Leaks Dr. Memory uses reachability-based leak detection A leak is memory that is no longer reachable by the application Memory that is never freed is not considered a leak  Acceptable to not free memory whose lifetime matches process lifetime At exit time, or on request, perform leak analysis Similar to mark-and-sweep garbage collection Dr. Memory divides all allocated memory into categories based on how it can be reached by live application pointers Any pointer-aligned and initialized pointer-sized word is considered a potential pointer 65

66 Heap Usage and Staleness Memory usage statistics Snapshots of memory usage spaced uniformly across execution Drill down by allocation callstack “Staleness” information Record the time at which each allocation was last accessed Helps identify "logical memory leaks", where memory is still reachable but is no longer needed Also identifies “hotness” of heap objects Approach Shadow memory state is touched or not touched Periodically sample shadow state and update timestamps 66

67 Fastpath and Slowpath Fastpath = carefully hand-crafted machine-code kernels Obtain shadow metadata, combine, and propagate: inlined Handle stack pointer updates: lean procedure Slowpath = clean call to C code Unaligned memory references Complex instructions Allocation library routine and system call handling Error reporting 67

68 Performance Comparison Valgrind failed 68

69 Outline Base System: DynamoRIO Efficient Transparent Comprehensive Customizable Dynamic Program Inspectors Examples and Possibilities Case studies Wrap-up 69

70 More Information Web http://dynamorio.org http://drmemory.org Email http://groups.google.com/group/dynamorio-users http://groups.google.com/group/drmemory-users 70

Download ppt "Building Customized Dynamic Program Inspectors Derek Bruening Qin Zhao."

Similar presentations

Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?

Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Comprehensive Kernel Instrumentation via Dynamic Binary Translation Peter Feiner, Angela Demke Brown, Ashvin Goel University of Toronto Presenter: Chuong.

Comprehensive Kernel Instrumentation via Dynamic Binary Translation Peter Feiner, Angela Demke Brown, Ashvin Goel University of Toronto Presenter: Chuong.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Computer Organization and Architecture

Computer Organization and Architecture
Overview Motivations Basic static and dynamic optimization methods ADAPT Dynamo.

Overview Motivations Basic static and dynamic optimization methods ADAPT Dynamo.
Computer Organization and Architecture

Computer Organization and Architecture
Computer Organization and Architecture

Computer Organization and Architecture
Hastings Purify: Fast Detection of Memory Leaks and Access Errors.

Hastings Purify: Fast Detection of Memory Leaks and Access Errors.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Pipelined Profiling and Analysis on Multi-core Systems Qin Zhao Ioana Cutcutache Weng-Fai Wong PiPA.

Pipelined Profiling and Analysis on Multi-core Systems Qin Zhao Ioana Cutcutache Weng-Fai Wong PiPA.
CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.

CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.
Chapter 8 Runtime Support. How program structures are implemented in a computer memory? The evolution of programming language design has led to the creation.

Chapter 8 Runtime Support. How program structures are implemented in a computer memory? The evolution of programming language design has led to the creation.
Continuously Recording Program Execution for Deterministic Replay Debugging.

Continuously Recording Program Execution for Deterministic Replay Debugging.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
File Management Systems

File Management Systems
Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.

Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
Aarhus University, 2005Esmertec AG1 Implementing Object-Oriented Virtual Machines Lars Bak & Kasper Lund Esmertec AG

Aarhus University, 2005Esmertec AG1 Implementing Object-Oriented Virtual Machines Lars Bak & Kasper Lund Esmertec AG
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

Similar presentations

Ads by Google