dynamic binary instrumentation
play

Dynamic Binary Instrumentation: Introduction to Pin Instrumentation - PowerPoint PPT Presentation

Jan 21, 2023 •305 likes •773 views

Dynamic Binary Instrumentation: Introduction to Pin Instrumentation A technique that injects instrumentation code into a binary to collect run-time information 2 Instrumentation A technique that injects instrumentation code into a binary to

  1. Dynamic Binary Instrumentation: Introduction to Pin

  2. Instrumentation A technique that injects instrumentation code into a binary to collect run-time information 2

  3. Instrumentation A technique that injects instrumentation code into a binary to collect run-time information – It executes as a part of the normal instruction stream – It doesn’t modify the semantics of the program 3

  4. Instrumentation A technique that injects instrumentation code into a binary to collect run-time information – It executes as a part of the normal instruction stream – It doesn’t modify the semantics of the program 4

  5. Instrumentation A technique that injects instrumentation code into a binary to collect run-time information – It executes as a part of the normal instruction stream – It doesn’t modify the semantics of the program 5

  6. Instrumentation A technique that injects instrumentation code into a binary to collect run-time information – It executes as a part of the normal instruction stream – It doesn’t modify the semantics of the program 6

  7. Instrumentation A technique that injects instrumentation code into a binary to collect run-time information – It executes as a part of the normal instruction stream – It doesn’t modify the semantics of the program 7

  8. When is instrumentation useful? • Profiling for compiler optimization/performance profiling: – Instruction profiling – Basic block count – Value profile • Bug detection/Vulnerability identification/Exploit generation: – Find references to uninitialized, unallocated addresses – Inspect arguments at a particular function call – Inspect function pointers and return addresses – Record & replay • Architectural research: processor and cache simulation, trace collection 8

  9. Instrumentation • Static instrumentation – instrument before runtime – Source code instrumentation • Instrument source programs (e.g., clang’s source -to-source transformation) – IR instrumentation • Instrument compiler-generated IR (e.g., LLVM) – Binary instrumentation • Instrument executables directly by inserting additional assembly instructions (e.g., Dyninst) • Dynamic binary instrumentation – instrument at runtime – Instrument code just before it runs (Just in time – JIT) – E.g., Pin, Valgrind, DynamoRIO, QEMU 9

  10. Why binary instrumentation • Libraries are a big pain for source/IR-level instrumentation – Proprietary libraries: communication (MPI, PVM), linear algebra (NGA), database query (SQL libraries) • Easily handles multi-lingual programs – Source code level instrumentation is heavily language dependent. • Worms and viruses are rarely provided with source code • Turning off compiler optimizations can maintain an almost perfect mapping from instructions to source code lines 10

  11. Dynamic binary instrumentation • Pros – No need to recompile or relink – Discovers code at runtime – Handles dynamically generated code – Attaches to running processes (some tools) • Cons – Usually higher performance overhead – Requires a framework which can be detected by malware 11

  12. Pin A Dynamic Binary Instrumentation Tool 1. What can we do with Pin? 2. How does it work? 3. Examples (original Pin examples) 4. Performance overhead 5. Debugging pintools 12

  13. Pin • Pin is a tool for the instrumentation of programs. It supports Linux* and Windows* executables for x86, x86_64, and IA-64 architectures. • Pin allows a tool to insert arbitrary code (written in C or C++) in arbitrary places in the executable. The code is added dynamically while the executable is running. This also makes it possible to attach Pin to an already running process. 13

  14. What can we do with Pin? • Fully examine any (type of) x86 instruction – Insert a call to your own function which gets called when that instruction executes • Parameters: register values (including IP), memory addresses, memory contents… • Track function calls, including library calls and syscalls – Examine/change arguments – Insert function hooks: replace application/library functions with your own • Track application threads • And more ☺ If Pin doesn ’ t have it, you don ’ t want it ;) 14

  15. Advantages of Pin • Easy-to-use Instrumentation: – Uses dynamic instrumentation • Does not need source code, recompilation, post-linking • Programmable Instrumentation: – Provides rich APIs to write in C/C++ your own instrumentation tools (called Pintools) • Multiplatform : – Supports x86, x86_64 – Supports Linux, Windows binaries • Robust : – Instruments real-life applications: Database, web browsers,. . . – Instruments multithreaded applications – Supports signals • Efficient : – Applies compiler optimizations on instrumentation code 15

  16. Usage of Pin at Intel • Profiling and analysis products – Intel Parallel Studio • Amplifier (Performance Analysis) GUI Algorithm – Lock and waits analysis PinTool – Concurrency analysis Pin • Inspector (Correctness Analysis) – Threading error detection (data race and deadlock) – Memory error detection • Architectural research and enabling – Emulating new instructions (Intel SDE) – Trace generation – Branch prediction and cache modeling

  17. Pin usage outside Intel • Popular and well supported – 100,000+ downloads, – 3,500+ citations – (as of 2018) • Free DownLoad – www.pintool.org – Includes: Detailed user manual, source code for 100s of Pin tools • Pin User Group (PinHeads) – http://tech.groups.yahoo.com/group/pinheads/ – Pin users and Pin developers answer questions

  18. Architecture overview 18

  19. ./test test Operating System Hardware 19

  20. ./pin – t pintool -- test pintool - instrumentation routines Pin test - unmodified code Operating System Hardware 20

  21. ./pin – t pintool -- test pintool - instrumentation routines Pin Virtual machine Code Dispatcher JIT compiler cache test - unmodified code Emulation unit Operating System Hardware 21

  22. JIT compilation JIT compiler Dispatcher Translated Execute Unmodified code code code Cache translated code If instruction not yet translated 22

  23. Example 1: docount - instruction counting tool 23

  24. Instruction counting tool #include “ pin.h ” uint64_t icount = 0; void docount () { icount++; } void Instruction(INS ins, void *v) { INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR) docount , IARG_END); } void Fini (INT32 code, void *v) { std::cerr << “Count: ” << icount << endl; } int main(int argc, char **argv) { PIN_Init(argc, argv); INS_AddInstrumentFunction(Instruction, 0); PIN_Add Fini Function(Fini, 0); PIN_StartProgram(); // never returns return 0; 24 }

  25. Instruction counting tool #include “ pin.h ” uint64_t icount = 0; void docount () { icount++; } void Instruction(INS ins, void *v) { INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR) docount , IARG_END); } void Fini (INT32 code, void *v) { std::cerr << “Count: ” << icount << endl; } Initialize PIN int main(int argc, char **argv) { PIN_Init(argc, argv); INS_AddInstrumentFunction(Instruction, 0); PIN_Add Fini Function(Fini, 0); PIN_StartProgram(); // never returns return 0; 25 }

  26. Instruction counting tool #include “ pin.h ” INS is valid only uint64_t icount = 0; inside this routine. void docount () { icount++; } void Instruction ( INS ins , void *v) { Instrumentation INS_InsertCall(ins, IPOINT_BEFORE, routine; called (AFUNPTR) docount , IARG_END); during jitting of INS. } void Fini (INT32 code, void *v) { std::cerr << “Count: ” << icount << endl; } int main(int argc, char **argv) { PIN_Init(argc, argv); Register instruction INS _AddInstrumentFunction( Instruction , 0); instrumentation PIN_Add Fini Function(Fini, 0); routine PIN_StartProgram(); // never returns return 0; 26 }

  27. Instruction counting tool #include “ pin.h ” Analysis routine; uint64_t icount = 0; Executes each time jitted INStruction void docount () { icount++; } executes. void Instruction ( INS ins , void *v) { INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR) docount , IARG_END); } void Fini (INT32 code, void *v) { std::cerr << “Count: ” << icount << endl; } int main(int argc, char **argv) { PIN_Init(argc, argv); INS _AddInstrumentFunction( Instruction , 0); PIN_Add Fini Function(Fini, 0); PIN_StartProgram(); // never returns return 0; 27 }

  28. Instruction counting tool #include “ pin.h ” Question: which function uint64_t icount = 0; gets executed more void docount () { icount++; } often? void Instruction ( INS ins , void *v) { INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR) docount , IARG_END); } void Fini (INT32 code, void *v) { std::cerr << “Count: ” << icount << endl; } int main(int argc, char **argv) { PIN_Init(argc, argv); INS _AddInstrumentFunction( Instruction , 0); PIN_Add Fini Function(Fini, 0); PIN_StartProgram(); // never returns return 0; 28 }

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cross-ISA Machine Instrumentation Cross-ISA Machine Instrumentation using Fast and Scalable

Cross-ISA Machine Instrumentation Cross-ISA Machine Instrumentation using Fast and Scalable

Cross-ISA Machine Instrumentation Cross-ISA Machine Instrumentation using Fast and Scalable using Fast and Scalable Dynamic Binary Translation Dynamic Binary Translation Emilio G. Cota Columbia University Luca P. Carloni VEE'19 April 14,

1.05k views • 45 slides
Instrew: Leveraging LLVM for High Performance Dynamic Binary Instrumentation Alexis Engelke

Instrew: Leveraging LLVM for High Performance Dynamic Binary Instrumentation Alexis Engelke

Instrew: Leveraging LLVM for High Performance Dynamic Binary Instrumentation Alexis Engelke Martin Schulz Chair of Computer Architecture and Parallel Systems TUM Department of Informatics Technical University of Munich VEE 2020, virtual

396 views • 25 slides
Dynamic Binary Instrumentation-based Framework for Malware Defense Najwa Aaraj , Anand

Dynamic Binary Instrumentation-based Framework for Malware Defense Najwa Aaraj , Anand

Dynamic Binary Instrumentation-based Framework for Malware Defense Najwa Aaraj , Anand Raghunathan , and Niraj K. Jha Department of Electrical Engineering, Princeton University, Princeton, NJ 08544, USA NEC Labs America,

410 views • 25 slides
VEX: Where next for Valgrind's dynamic VEX: Where next for Valgrind's dynamic instrumentation

VEX: Where next for Valgrind's dynamic VEX: Where next for Valgrind's dynamic instrumentation

VEX: Where next for Valgrind's dynamic VEX: Where next for Valgrind's dynamic instrumentation infrastructure? instrumentation infrastructure? Julian Seward, jseward@acm.org 4 February 2017. FOSDEM. Brussels. Overview How it works (roughly)

581 views • 17 slides
State-based Testing Using Dynamic Instrumentation Vijay Upadya Microsoft Agenda What is

State-based Testing Using Dynamic Instrumentation Vijay Upadya Microsoft Agenda What is

State-based Testing Using Dynamic Instrumentation Vijay Upadya Microsoft Agenda What is dynamic instrumentation? Applications of dynamic instrumentation How does it work? Simulating different states and transitions

1.25k views • 21 slides
PIN Dynamic instrumentation framework PIN: Building Customized Goals: Program Analysis

PIN Dynamic instrumentation framework PIN: Building Customized Goals: Program Analysis

PIN Dynamic instrumentation framework PIN: Building Customized Goals: Program Analysis Tools with Easy-to-use Dynamic Instrumentation Portable Transparent Luk et al PLDI 2005 Efficient Presented by Godmar Back

223 views • 5 slides
Dynamic instrumentation techniques Ahmad shahnejat Michel Dagenais May, 06 1

Dynamic instrumentation techniques Ahmad shahnejat Michel Dagenais May, 06 1

Dynamic instrumentation techniques Ahmad shahnejat Michel Dagenais May, 06 1 OUTLINE INTRODUCTION to dynamic instrumentation Trap instruction INstruction punning technique Proposed compiler-assisted technique

662 views • 31 slides
Pin Tutorial What is Instrumentation? A technique that inserts extra code into a program to

Pin Tutorial What is Instrumentation? A technique that inserts extra code into a program to

Pin Tutorial What is Instrumentation? A technique that inserts extra code into a program to collect runtime information Instrumentation approaches: Source instrumentation: Instrument source programs Binary instrumentation :

626 views • 40 slides
Mapping CSP Networks to MPI Clusters Using Channel Graphs and Dynamic Instrumentation Gabriella

Mapping CSP Networks to MPI Clusters Using Channel Graphs and Dynamic Instrumentation Gabriella

Mapping CSP Networks to MPI Clusters Using Channel Graphs and Dynamic Instrumentation Gabriella Azzopardi Kevin Vella Adrian Muscat University of Malta Outline Introduction 1. CSP-Library 2. Configuration Language 3. CSP-based

354 views • 20 slides
InsectJ: A Generic Instrumentation Framework for Collecting Dynamic Information within Eclipse

InsectJ: A Generic Instrumentation Framework for Collecting Dynamic Information within Eclipse

InsectJ: A Generic Instrumentation Framework for Collecting Dynamic Information within Eclipse Arjan Seesing and Alessandro Orso Georgia Institute of Technology This work was supported in part by an IBM Eclipse Innovation Grant.

859 views • 24 slides
Binary Instrumentation Support for Measuring Performance in OpenMP Programs Mustafa Elfituri

Binary Instrumentation Support for Measuring Performance in OpenMP Programs Mustafa Elfituri

Binary Instrumentation Support for Measuring Performance in OpenMP Programs Mustafa Elfituri Jeanine Cook Jonathan Cook New Mexico State University SECSE 2013 @ ICSE 2013 May 18, 2013 SSCA2 (GraphAnalysis.org) double findSubGraphs(graph*

531 views • 19 slides
Algorithms Theory 14 Dynamic Programming (3) Optimal binary search trees Prof. Dr. S.

Algorithms Theory 14 Dynamic Programming (3) Optimal binary search trees Prof. Dr. S.

Algorithms Theory 14 Dynamic Programming (3) Optimal binary search trees Prof. Dr. S. Albers Winter term 07/08 Method of dynamic programming Recursive approach: Solve a problem by solving several smaller analogous subproblems of the same

559 views • 16 slides
Generating Low-Overhead Dynamic Binary Translators Mathias Payer and Thomas R. Gross Department

Generating Low-Overhead Dynamic Binary Translators Mathias Payer and Thomas R. Gross Department

Generating Low-Overhead Dynamic Binary Translators Mathias Payer and Thomas R. Gross Department of Computer Science ETH Z rich Motivation Binary Translation (BT) well known technique for late transformations Extend or add

326 views • 29 slides
spin Static instrumentation for binary reverse-engineering David Guillen Fandos Tarragona

spin Static instrumentation for binary reverse-engineering David Guillen Fandos Tarragona

spin Static instrumentation for binary reverse-engineering David Guillen Fandos Tarragona Spain david@davidgf.net davidgf.net github.com/davidgfnet Reverse-engineering What are we talking about? Discover how a software program

261 views • 23 slides
Binary Search Trees ! A data structures with efficient support for many dynamic set operations:

Binary Search Trees ! A data structures with efficient support for many dynamic set operations:

Binary Search Trees ! A data structures with efficient support for many dynamic set operations: Search/Find Minimum/findMin Maximum/findMax Binary Search Trees Predecessor Successor Insert Delete/Remove ! All

83 views • 4 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
Mining Minds Platform Open Source Presentation Service Orchestrator is released as a part of

Mining Minds Platform Open Source Presentation Service Orchestrator is released as a part of

SCL Service Orchestrator Mining Minds Platform Open Source Presentation Service Orchestrator is released as a part of Recommendation Builder ( RB ) and Recommendation Interpreter ( RI ). The open source 10 step process can be observed in the RB

344 views • 12 slides
DOLFIN Dynamic Object-oriented Library for FINite element computation Johan Hoffman and Anders

DOLFIN Dynamic Object-oriented Library for FINite element computation Johan Hoffman and Anders

DOLFIN Dynamic Object-oriented Library for FINite element computation Johan Hoffman and Anders Logg hoffman@math.chalmers.se logg@math.chalmers.se Chalmers Finite Element Center CAM Seminar April 12 2002 DOLFIN p.1/48 Introduction An

1.15k views • 48 slides
POTENTIAL STABILITY ISSUES THAT COULD AFFECT PERFORMANCE OF BRIDGE FOUNDATION UNITS Short Term:

POTENTIAL STABILITY ISSUES THAT COULD AFFECT PERFORMANCE OF BRIDGE FOUNDATION UNITS Short Term:

POTENTIAL STABILITY ISSUES THAT COULD AFFECT PERFORMANCE OF BRIDGE FOUNDATION UNITS Short Term: Bearing Failure due to Imposed Loading Long Term: Ground Loss into Shafts or Mine Voids erosion of shaft plugs dissolution of

996 views • 73 slides
Philosophy by Rog Mogale Void Acoustics designs, manufactures and distributes We employ a

Philosophy by Rog Mogale Void Acoustics designs, manufactures and distributes We employ a

THE COMPANY INTRODUCTION Philosophy by Rog Mogale Void Acoustics designs, manufactures and distributes We employ a no-compromise approach when designing we do. Company-wide, we take after-sales support seriously and manufacturing our products.

203 views • 5 slides
Volaris: the leading ULCC airline serving Mexico, USA and Central America March 2018 1

Volaris: the leading ULCC airline serving Mexico, USA and Central America March 2018 1

Volaris: the leading ULCC airline serving Mexico, USA and Central America March 2018 1 Disclaimer The information (&quot;Confidential Information&quot;) contained in this presentation is confidential and is provided by Controladora Vuela

547 views • 27 slides
LAUP Update A Presentation to the Research Advisory Committee Dec. 14, 2006 Funded by: Master

LAUP Update A Presentation to the Research Advisory Committee Dec. 14, 2006 Funded by: Master

LAUP Update A Presentation to the Research Advisory Committee Dec. 14, 2006 Funded by: Master Plan Vision Master Plan Vision By June 30, 2014 the Los Angeles County Universal Preschool System will: Be recognized as a leader in high

468 views • 11 slides
INCENDIOS FORESTALES EN PUERTO RICO: NATUALES O ANTROPOGENICOS ? Rafael Mndez Tejeda, Ph.D. UPR

INCENDIOS FORESTALES EN PUERTO RICO: NATUALES O ANTROPOGENICOS ? Rafael Mndez Tejeda, Ph.D. UPR

INCENDIOS FORESTALES EN PUERTO RICO: NATUALES O ANTROPOGENICOS ? Rafael Mndez Tejeda, Ph.D. UPR Carolina Dra. Mara Santos-Corrada Sergio Ortiz Morales Oscar Claudio Vargas Universidad del Turabo MAPAS DE PUERTO RICO INCENDIO FORESTAL

767 views • 32 slides
Corporate Presentation Miami, FL February 25th, 2015 AGENDA LATAM Airlines in figures

Corporate Presentation Miami, FL February 25th, 2015 AGENDA LATAM Airlines in figures

Corporate Presentation Miami, FL February 25th, 2015 AGENDA LATAM Airlines in figures Cargo Unit Business Update The Company We are one of the ten largest passenger and cargo airlines in the world. PAX: 135+ destinations in 22

591 views • 24 slides

More recommend