an analysis of call site patching without strong hardware
play

An Analysis of Call-site Patching Without Strong Hardware Support - PowerPoint PPT Presentation

Aug 16, 2022 •110 likes •266 views

An Analysis of Call-site Patching Without Strong Hardware Support for Self-Modifying-Code Tim Hartley, Foivos Zakkak, first.last@manchester.ac.uk Christos Kotselidis, Mikel Lujan MPLR19 2019-10-22 Call-Sites Direct branching Indirect

  1. An Analysis of Call-site Patching Without Strong Hardware Support for Self-Modifying-Code Tim Hartley, Foivos Zakkak, first.last@manchester.ac.uk Christos Kotselidis, Mikel Lujan MPLR’19 2019-10-22

  2. Call-Sites Direct branching Indirect branching Method A Method A call/jmp <offset> ld target, 0xabcd Memory call/jmp target Method B Method B Method C Method C 2019-10-22 MPLR’19 @foivoszakkak 2

  3. Call-Site Patching § Tiered compilation § De-optimization § Etc. 2019-10-22 MPLR’19 @foivoszakkak 3

  4. JIT compilation and Caches Main Memory 1 Code-stream vs Data-stream I-CACHE 001010101010110 010101010100101 0 11 00 1 00 11 00 111 1. Code gets fetched to I-Cache 3 1 000 1 0 1 0 1 0 1 0 1 00 1 000 1 0 1 0 1 0 1 0 111 2. Data get fetched to D-Cache 1 000 1 0 1 0 1 0 1 0 1 00 0 11 00 1 00 11 00 111 3. CPU executes code from I-Cache CPU 010101010101010 111110101010100 4. CPU writes data to D-Cache 6 010100100010101 100110010000011 5. D-Cache writes-back to memory 100110010000011 8 7 4 11 000 1 00 111 00 1 0 6. D-Cache fetches code to be edited 1 0 1 0 1 0 1 00 1 00 1 0 1 1 0 1 0 111 00 1 00 111 7. CPU writes code to D-Cache 1 0 1 0 1 0 1 00 1 00 1 0 1 11 00 1 0 1 00 1 00 1 0 1 D-CACHE 8. D-Cache writes-back code 111110101010100 5 2 2019-10-22 MPLR’19 @foivoszakkak 4

  5. Low-power architectures and call-site patching § Fixed size instructions – Limit the range of direct branches/calls • +- 128MiB on AArch64 • +- 1MiB on RISC-V – Require multiple instructions to perform long-range calls AArch64 128MiB x86-64 240MiB 2019-10-22 MPLR’19 @foivoszakkak 5

  6. Low-power architectures and call-site patching (cont.) § Weak memory models and self-modifying-code (SMC) support – SW explicitly issues memory barriers – Code-stream handled separately from data-stream (need to sync them) § Not all instructions are safe to patch – ARM (armv7 and armv8) and IBM (Power) limit the instructions that are safe to be patched while executing • Even if using atomic writes 2019-10-22 MPLR’19 @foivoszakkak 6

  7. Patchable call-site implementations in AArch64 Direct Branching (short-range only) Relative-Load Indirect Branching B TARGET CALLEE_1 : .quad 0 x0123456789ABCDEF ... CALLEE_N : .quad 0 x01234ABCDEF56789 START : ... LDR X16, CALLEE_1 BLR X16 Absolute-Load Indirect Branching Trampolines (OpenJDK approach) MOVZ X16, #0xABCD ; Craft the address L: LDR X16, CALLEE MOVK X16, #0xEF89, lsl #16 ; holding BR X16 ; Don 't link MOVK X16, #0x7654, lsl #32 ; the CALLEE: .quad 0 x0123456789ABCDEF MOVK X16, #0x0213, lsl #48 ; target START: ... LDR X16, [X16] BL SHORT_TARGET ; or L BLR X16 2019-10-22 MPLR’19 @foivoszakkak 7

  8. Comparison of call-site implementation approaches 2019-10-22 MPLR’19 @foivoszakkak 8

  9. Evaluation Setup § Odroid-C2 – Quad-core Cortex-A53 @ 1.54GHz (pinned) • 8-stage pipelined processor with 2-way superscalar, in-order pipeline – 2 GB DDR3 RAM – Ubuntu 18.04.02 LTS – Kernel: Odroid 3.16..68-41 – GCC 8.3.0 – MaxineVM 2.8.0 – OpenJDK 8 u212 2019-10-22 MPLR’19 @foivoszakkak 9

  10. Microbenchmark § Generates inline call-sites § Callers are ret-only methods § To patch we call a patcher method instead of a ret-only § Patcher always patches the next call-site (allows us to control number of patches § Patcher performs the necessary barriers as it would in a real system 2019-10-22 MPLR’19 @foivoszakkak 10

  11. Microbenchmark results 2019-10-22 MPLR’19 @foivoszakkak 11

  12. Dacapo and MaxineVM § We take the best two performing approaches (Direct and Relative-Load Indirect) and evaluate them with DaCapo using MaxineVM § We had to tweak Relative-Load Indirect to make it work with MaxineVM – Due to its metacircular nature, MaxineVM can only operate with offsets (relative branches), since at boot image creation the absolute targets are not known yet Indirect-Maxine ADR X17, CALL ; Get address of BLR LDR X16, OFFSET ; Load offset ADD X16, X16 , X17 ; Add them B #8 ; Jump over inline offset OFFSET: .int CALL - CALLEE_1 CALL: BLR X16 2019-10-22 MPLR’19 @foivoszakkak 12

  13. Indirect-Maxine in Microbenchmark results 2019-10-22 MPLR’19 @foivoszakkak 13

  14. DaCapo Results 2019-10-22 MPLR’19 @foivoszakkak 14

  15. Conclusions § OpenJDK’s method seems the best for AArch64 since it penalizes only long-range branches and avoids explicit instruction cache invalidations on callers. – If you have a higher #"#$%&'($%) *(""+ #+,#'-&'($%) *(""+ ratio then maybe Relative-Load is better § The most promising approach in theory would be combining the following gadgets Indirect (long-rang) Direct (short-range only) ADRP X16, CALLEE ADD X16, X16, :lo12:CALLEE B TARGET BLR X16 – On AArch64 this is not possible though since ADRP and ADD cannot be safely overwritten if they are being executed concurrently with the modifications. 2019-10-22 MPLR’19 @foivoszakkak 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Site Analysis Site Conditions: Seismic Challenges Strong Winds Average Temperature

A Site Analysis Site Conditions: Seismic Challenges Strong Winds Average Temperature

A Site Analysis Site Conditions: Seismic Challenges Strong Winds Average Temperature 69 San Francisco A Site Analysis A Engineering School of San Francisco Requirements 2015 Innovative Design Gold LEED

964 views • 75 slides
Android patching From a Mobile Device Management perspective Cedric Van Bockhaven

Android patching From a Mobile Device Management perspective Cedric Van Bockhaven

Introduction Background information SNE Research Project 2 Kernel patching Evaluation Android patching from the MDM Proof of concept Android patching From a Mobile Device Management perspective Cedric Van Bockhaven cbockhaven@os3.nl

466 views • 20 slides
PenPlace Aurora Highlands Civic Association January 31, 2013 Presentation Outline Site

PenPlace Aurora Highlands Civic Association January 31, 2013 Presentation Outline Site

PenPlace Aurora Highlands Civic Association January 31, 2013 Presentation Outline Site Analysis Process To-Date Project Overview 2 Site Analysis Location Site Analysis Site Analysis 4 Existing Condition Site Analysis Site

912 views • 37 slides
MODULAR KITCHEN 01 Site 02 Construction 03 Kitchen 01 Site Analysis Generic Site Diagrams

MODULAR KITCHEN 01 Site 02 Construction 03 Kitchen 01 Site Analysis Generic Site Diagrams

CAC.C STUDIO V MODULAR KITCHEN 01 Site 02 Construction 03 Kitchen 01 Site Analysis Generic Site Diagrams Site Analysis Location - South Carolina - Charleston County - Johns Island Parcel Information GAP Shed Parcel # 3160000123

483 views • 26 slides
User Space Live Patching Joo Moreira SUSE Labs User Space Live Patching Joo Moreira

User Space Live Patching Joo Moreira SUSE Labs User Space Live Patching Joo Moreira

User Space Live Patching Joo Moreira SUSE Labs User Space Live Patching Joo Moreira (formerly at) SUSE Labs joao.moreira@lsc.ic.unicamp.br Software has bugs, and bugs have to be fixed + security issues + execution degradation + undefined

941 views • 46 slides
Hardware Accelerated Graphics Group #6 Stephen Just - Stefan Martynkiw - Mason Strong Purpose

Hardware Accelerated Graphics Group #6 Stephen Just - Stefan Martynkiw - Mason Strong Purpose

Hardware Accelerated Graphics Group #6 Stephen Just - Stefan Martynkiw - Mason Strong Purpose Build a platform capable of providing high-speed graphics support to a variety of applications Make use of FPGA (hardware) to speed up

353 views • 14 slides
Bayes factors: A re-volution in psychology Geoff Patching Department of Psychology

Bayes factors: A re-volution in psychology Geoff Patching Department of Psychology

Bayes factors: A re-volution in psychology Geoff Patching Department of Psychology E-mail: geoffrey.patching@psy.lu.se The Bayes Factor The Bayes factor ( BF ) is the likelihood ratio of the evidences given the hypotheses ! # | % !

601 views • 13 slides
Strong Authentication without Tamper-Resistant Hardware and Application to Federated Identities

Strong Authentication without Tamper-Resistant Hardware and Application to Federated Identities

Strong Authentication without Tamper-Resistant Hardware and Application to Federated Identities Zhenfeng Zhang , Yuchen Wang , Kang Yang Institute of Software, Chinese Academy of Sciences; The Joint Academy of Blockchain

869 views • 25 slides
IESO Report Site Refresh New Report Site Changes October 10, 2014 R. Jovic Introduction The

IESO Report Site Refresh New Report Site Changes October 10, 2014 R. Jovic Introduction The

IESO Report Site Refresh New Report Site Changes October 10, 2014 R. Jovic Introduction The current IESO Report Site faces a number of issues: Report Site Performance and Capacity The IESO Report Site is built upon aging hardware

227 views • 7 slides
CrypTech October 2018 Barcelona Hardware Security Module From Wikipedia: A hardware security

CrypTech October 2018 Barcelona Hardware Security Module From Wikipedia: A hardware security

CrypTech October 2018 Barcelona Hardware Security Module From Wikipedia: A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides crypto processing. These

977 views • 34 slides
Filling the Gaps and Patching the Cracks Connected Care for Home Health Care Agencies Barbara

Filling the Gaps and Patching the Cracks Connected Care for Home Health Care Agencies Barbara

Filling the Gaps and Patching the Cracks Connected Filling the Gaps and Patching the Cracks Connected Care for Home Health Care Agencies Barbara Katz, RN, MSN President, BK Healthcare Consulting, LLC www.bkhealthconsulting.com Learning

596 views • 32 slides
Zalando. The Starting Point for Fashion. Q3 / 2019 Earnings Call October 31, 2019 Highlights

Zalando. The Starting Point for Fashion. Q3 / 2019 Earnings Call October 31, 2019 Highlights

Zalando. The Starting Point for Fashion. Q3 / 2019 Earnings Call October 31, 2019 Highlights and Business Update Strong financial performance driven by outstanding traffic and active customer growth Starting point strategy: Site visits

601 views • 20 slides
Hardware Parametric Energy Consumption Analysis - Joint TACLe EACO Workshop on Analysis

Hardware Parametric Energy Consumption Analysis - Joint TACLe EACO Workshop on Analysis

Hardware Parametric Energy Consumption Analysis - Joint TACLe EACO Workshop on Analysis Techniques for Energy-Aware Computing - Marko van Eekelen Paolo Parisen Toldin, Rody Kersten, Bernard van Gastel Marc Schoolderman, Jascha Neutelings,

446 views • 21 slides
Hardware Design and Analysis of Efficient Loop Coarsening and Border Handling for Image

Hardware Design and Analysis of Efficient Loop Coarsening and Border Handling for Image

Hardware Design and Analysis of Efficient Loop Coarsening and Border Handling for Image Processing M. Akif zkan, Oliver Reiche, Frank Hannig, and Jrgen Teich Hardware/Software Co-Design, Friedrich-Alexander University Erlangen-Nrnberg

891 views • 65 slides
Chasing Zero Infections Coaching Call Strategies to Reduce Surgical Site Infections March 14,

Chasing Zero Infections Coaching Call Strategies to Reduce Surgical Site Infections March 14,

Chasing Zero Infections Coaching Call Strategies to Reduce Surgical Site Infections March 14, 2018 Agenda Welcome &amp; FHA Mission to Care HIIN Trends and Progress: Surgical Site Infections Cheryl Love, RN, BSN, BS-HCA, MBA, LHRM,

713 views • 52 slides
Site Plan Analysis diAGrAMMATiC SiTE PlAN Design Form 2 14 . . Architecture

Site Plan Analysis diAGrAMMATiC SiTE PlAN Design Form 2 14 . . Architecture

Site Plan Analysis diAGrAMMATiC SiTE PlAN Design Form 2 14 . . Architecture Interiors Project Management Aerial Perspective ProJECT SiTE 15 Ground Floor Plan SChEMATiC drAWiNGS Design Form 2 16 . .

368 views • 4 slides
Advances in Real-Time Automotive Visualisation Ch ris OCo n n o r I n t r o d u c t i o n At

Advances in Real-Time Automotive Visualisation Ch ris OCo n n o r I n t r o d u c t i o n At

Z e r o L i g h t a t G T C p r e s e n t s Advances in Real-Time Automotive Visualisation Ch ris OCo n n o r I n t r o d u c t i o n At ZeroLight, weve created the market -leading visualisation and data platform for the au autom

648 views • 63 slides
Iron-based superconductors La[O 1 - x F x ]FeAs Kamihara et al. [2008] 1

Iron-based superconductors La[O 1 - x F x ]FeAs Kamihara et al. [2008] 1

14 th Young Researchers Conference Materials Science and Engineering Hyperfine interactions in superconducting KFe 2 Se 2 I. Madjarevic a , V. Koteski a , V. Ivanovski a , C. Petrovic b a Laboratory of Nuclear and Plasma Physics, University

853 views • 14 slides
ENGINEERING AT ILLINOIS Leadership, Collaboration, Impact Click to edit subtitle 1 A BRIEF

ENGINEERING AT ILLINOIS Leadership, Collaboration, Impact Click to edit subtitle 1 A BRIEF

ENGINEERING AT ILLINOIS Leadership, Collaboration, Impact Click to edit subtitle 1 A BRIEF OVERVIEW OF OUR COLLEGE 2 OUR LEGENDS John Bardeen Tony Leggett Nick Holonyak Transistor Superfluidity LED Superconductivity Quantum-well

467 views • 33 slides
Scott Technology Ltd Medium to LongTerm Growth Objectives &amp; Strategies September 2016

Scott Technology Ltd Medium to LongTerm Growth Objectives &amp; Strategies September 2016

Forsyth Barr Emerging Companies Conference Scott Technology Ltd Medium to LongTerm Growth Objectives &amp; Strategies September 2016 Presentation 1. Company Overview 2. JBS Shareholding 3. Growth Objectives &amp; Strategies 4. Future

426 views • 20 slides
My Itinerary to L-Band Moonbouncing... By Bertrand Zauhar, VE2ZAZ ve2zaz@rac.ca

My Itinerary to L-Band Moonbouncing... By Bertrand Zauhar, VE2ZAZ ve2zaz@rac.ca

My Itinerary to L-Band Moonbouncing... By Bertrand Zauhar, VE2ZAZ ve2zaz@rac.ca http://ve2zaz.net VE2ZAZ October 2010 THIS PRESENTATION WHY MOONBOUNCE? THE HISTORY A REAL CHALLENGE THE BANDS HOW SMALL A STATION

624 views • 17 slides
INTEGRATION OF DALI WITH TENSORRT ON XAVIER Josh Park (joshp@nvidia.com), Manager - Automotive Deep

INTEGRATION OF DALI WITH TENSORRT ON XAVIER Josh Park (joshp@nvidia.com), Manager - Automotive Deep

INTEGRATION OF DALI WITH TENSORRT ON XAVIER Josh Park (joshp@nvidia.com), Manager - Automotive Deep Learning Solutions Architect at NVIDIA Anurag Dixit(anuragd@nvidia.com), Deep Learning SW Engineer at NVIDIA Backgrounds TensorRT Contents DALI

633 views • 32 slides
Analysis of Large Networks Pajek with Pajek Network visualization Properties Important

Analysis of Large Networks Pajek with Pajek Network visualization Properties Important

Large Networks V. Batagelj Analysis of Large Networks Pajek with Pajek Network visualization Properties Important Vladimir Batagelj subnetworks Multiplication University of Ljubljana ESNA Pajek ESSIR 2011 8th European Summer School

838 views • 45 slides
Dynamic Control Of Magnified Image For Low Vision Observers R.B. Goldstein 1 , E.Peli 1 ,

Dynamic Control Of Magnified Image For Low Vision Observers R.B. Goldstein 1 , E.Peli 1 ,

1 Dynamic Control Of Magnified Image For Low Vision Observers R.B. Goldstein 1 , E.Peli 1 , H.Apfelbaum 1 , R.Hier 2 . 1 Schepens Eye Research Institute, Boston, MA; 2 DigiVision, Inc., San Diego, CA. Poster Board Number: B787 Grant Identification:

152 views • 4 slides

More recommend