generating low overhead dynamic binary translators
play

Generating Low-Overhead Dynamic Binary Translators Mathias Payer - PowerPoint PPT Presentation

Oct 11, 2023 •36 likes •326 views

Generating Low-Overhead Dynamic Binary Translators Mathias Payer and Thomas R. Gross Department of Computer Science ETH Z rich Motivation Binary Translation (BT) well known technique for late transformations Extend or add

  1. Generating Low-Overhead Dynamic Binary Translators Mathias Payer and Thomas R. Gross Department of Computer Science ü ETH Z rich

  2. Motivation “ ”  Binary Translation (BT) well known technique for late transformations  Extend or add features on the fly  Flexibility of dynamic software BT incurs runtime overhead  Complexity of transformations can be a challenge  Offer a high-level interface at compile time, compile into effective translation tables ü 2010-05-26 ETH Z rich / LST / Mathias Payer 2

  3. Outline  Introduction  Design and Implementation  Table generation  Translator  Optimization  Conclusion ü 2010-05-26 ETH Z rich / LST / Mathias Payer 3

  4. Binary Translation in a Nutshell Instrumented program Original program Static translation 0' 0 1' 1 2' 3' 2 3 What about: ● Self modifying code? ? 4' 4 ● Shared libraries? ● Obfuscated Code? ü 2010-05-26 ETH Z rich / LST / Mathias Payer 4

  5. Binary Translation in a Nutshell Instrumented program Original program Dynamic translation 0' 0 1' 1 2' 3' 2 3 Features: ● Translates all executed ... ... ... code 4 ● Captures all indirect control flow transfers ● Just in time translation ü 2010-05-26 ETH Z rich / LST / Mathias Payer 5

  6. Binary Translation in a Nutshell Original program Code cache Translator Gen. opcode 1' 0 table 1 3' 2 3 Table generator 2' supplies generated opcode tables ... 4 at compile time ü 2010-05-26 ETH Z rich / LST / Mathias Payer 6

  7. Binary Translation in a Nutshell Original program Code cache Translator Gen. opcode 1' 0 table 1 3' Trampoline to translate 4 2 3 2' Mapping 3 3' ... 4 1 1' 2 2' ü 2010-05-26 ETH Z rich / LST / Mathias Payer 7

  8. fastBT  Prototype for a dynamic BT system  Machine-independent, OS-independent  Focus of this talk: IA32, Linux ü 2010-05-26 ETH Z rich / LST / Mathias Payer 8

  9. Table Generation  Translation tables describe individual instructions and are used to select the correct adapter functions  Manual table construction is hard & cumbersome  Many instructions, write machine-code tables by hand  Use automation and high level description!  Information about opcodes, possible encodings, and properties  Specify default translation actions Table generator Intel IA32 Optimized ● High level interface opcode translator ● Adapter functions tables table ü 2010-05-26 ETH Z rich / LST / Mathias Payer 9

  10. Table Generation  Use table generator to offer high-level interface  Transforming opcode tables into runtime translation tables  Add analysis functions to control the table generation  Memory access?  What are src, dst, aux parameters?  FPU usage?  What kind of opcode?  What opcode class (load, store, arithmetic, control flow, ...)?  Immediate value as pointer?  etc. ü 2010-05-26 ETH Z rich / LST / Mathias Payer 10

  11. Translator implementation  Translator uses an iterator based approach and per- instruction actions  Fundamentals to master low overhead:  Code cache  Inlining  Master (indirect) control transfers ü 2010-05-26 ETH Z rich / LST / Mathias Payer 11

  12. Optimization  Indirect control flow transfers are expensive  Runtime lookup and patching required  Indirect control transfer replaced by software trap  Optimizations in fastBT:  Local branch prediction  Inlining a fast lookup into the code cache  Building on-the-fly shadow jump tables ü 2010-05-26 ETH Z rich / LST / Mathias Payer 12

  13. Optimization: Branch prediction  Cache the last one or two targets  If there is a cache hit  No lookup is needed  Results in 3 to 5 instructions  If there is a cache miss  Lookup the target and cache it for future use  Updating the cache costs additional instructions ü 2010-05-26 ETH Z rich / LST / Mathias Payer 13

  14. Optimization: Fast lookup  Emit an inlined fast lookup into the code cache  Uses the mapping table to translate the target  Optimized for direct hit in the mapping table  Results in 13 or 14 instructions ü 2010-05-26 ETH Z rich / LST / Mathias Payer 14

  15. Optimization: Shadow jump table  Build a shadow jump table, iff the original indirect control transfer uses a jump table  Initialize all entries with catch-all function  Lazy lookup and write-back in catch-all  Results in 5 instructions if the target is translated ü 2010-05-26 ETH Z rich / LST / Mathias Payer 15

  16. Optimization: Problem  Each optimization is only effective for some program locations and a specific program behavior  Low number of targets, few changes  Use a cache  High number of targets, many changes  Use fast lookup  Location has many different targets, all close to each other  Use a shadow jump-table  An adaptive runtime optimization can select the best optimization for each indirect control transfer ü 2010-05-26 ETH Z rich / LST / Mathias Payer 16

  17. Adaptive Optimization  fastBT offers an adaptive optimization for indirect control transfers  Start with a prediction for 1 or 2 locations, count misses  Recover to a fast lookup, if count exceeds threshold  Construct a shadow jump-table, if the control transfer uses a jump table  Adaptive optimizations bring competitive performance! ü 2010-05-26 ETH Z rich / LST / Mathias Payer 17

  18. Benchmarks: Setup  Used null-transformation to show translation overhead  Used SPEC CPU2006 benchmarks to evaluate performance  We use the Test dataset for short running programs and the Ref dataset for long running programs  Machine: E6850 Intel Core2Duo @ 3.00GHz ü 2010-05-26 ETH Z rich / LST / Mathias Payer 18

  19. Related work  HDTrans  S. Sridhar et al. HDTrans: a low-overhead dynamic translator. SIGARCH'07  Table based dynamic BT, no high level interface  DynamoRIO  D. Bruening et al. Design and implementation of a dynamic optimization framework for windows. In ACM Workshop Feedback- directed Dyn. Opt. (FDDO-4) (2001).  IR based optimizing BT, does not export a translation interface  PIN  C.-K. Luk et al. Pin: building customized program analysis tools with dynamic instrumentation. In PLDI'05  High overhead, offers high level interface ü 2010-05-26 ETH Z rich / LST / Mathias Payer 19

  20. Benchmarks: Ref dataset 126% 100% 90% 80% 70% 60% fastBT Overhead HDTrans 50% PIN 40% dynamoRIO 30% 20% 10% 0% 400.perlbench 445.gobmk 483.xalancbmk 447.dealII Average ü 2010-05-26 ETH Z rich / LST / Mathias Payer 20

  21. Benchmarks: Ref dataset Benchmark Function inlined Indirect jmptbl pred Indirect pred calls 1) jumps 1) calls 1) 400.perlbench 25'814 8.1% 21'930 93.7% 6.3% 3'903 7.4% 445.gobmk 18'001 1.3% 93 1.0% 99.0% 185 4.1% 483.xalancbmk 28'888 10.6% 2'627 27.0% 63.6% 9'161 96.1% 447.dealII 52'756 54.5% 21'147 1.7% 98.3% 540 98.4% 1) All numbers are *10 6 ü 2010-05-26 ETH Z rich / LST / Mathias Payer 21

  22. Benchmarks: Test dataset 1415% 3481% 308% 745% 140% 120% 100% fastBT Overhead 80% HDTrans PIN 60% dynamoRIO 40% 20% 0% 400.perlbench 445.gobmk 483.xalancbmk 447.dealII Average ü 2010-05-26 ETH Z rich / LST / Mathias Payer 22

  23. Benchmarks: Ref vs. Test Dataset Ref dataset Test dataset Benchmark no BT [s] fastBT no BT[s] fastBT 400.perlbench 486 56% 4 29% 445.gobmk 611 18% 21 18% 483.xalancbmk 371 24% <1 56% 447.dealII 552 44% 25 36% Average 839 6% 8 10% ü 2010-05-26 ETH Z rich / LST / Mathias Payer 23

  24. Benchmarks: Summary  High overhead:  Many indirect control transfers  Function calls incur high overhead, even with optimizations  Indirect control transfers without caches or jump tables add overhead  High collision rate in mapping table  Expensive recoveries, try different rescheduling strategies  Low overhead:  Few indirect control transfers  Cost of indirect control transfers is reduced through optimizations ü 2010-05-26 ETH Z rich / LST / Mathias Payer 24

  25. Conclusion  fastBT shows that it is possible to combine ease of use with efficient binary translation  Adaptive optimizations select best optimization for individual locations  Adaptive optimizations are necessary for low overhead in table based binary translators ü 2010-05-26 ETH Z rich / LST / Mathias Payer 25

  26. Thanks for your attention! ?  fastBT project page: http://nebelwelt.net/fastBT  Contact: mathias.payer@inf.ethz.ch  Kudos to:  Marcel Wirth, Peter Suter, Stephan Classen, and Antonio Barresi for code contributions  My colleagues for endless comments and reviews ü 2010-05-26 ETH Z rich / LST / Mathias Payer 26

  27. Table Generation: Analysis Function bool isMemOp (const unsigned char* opcode, const instr& disInf, std::string& action) { bool res; /* check for memory access in instr. */ res = mayOpAccessMem(disInf.dstFlags); res |= mayOpAccessMem(disInf.srcFlags); res |= mayOpAccessMem(disInf.auxFlags); /* change the default action */ if (res) { action = "handleMemOp"; } return res; } // in main function: addAnalysFunction(isMemOp); ü 2010-05-26 ETH Z rich / LST / Mathias Payer 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Automatic Generation of Efficient Dynamic Binary Translators Fr ed eric P etrot, Luc

Automatic Generation of Efficient Dynamic Binary Translators Fr ed eric P etrot, Luc

Introduction DBT principle Design flow Intermediate Representation Generation Conclusion Automatic Generation of Efficient Dynamic Binary Translators Fr ed eric P etrot, Luc Michel and Nicolas Fournel Tima Laboratory , Grenoble,

686 views • 25 slides
Fast dynamic and partial reconfiguration Data Path with low Hardware overhead on Xilinx FPGAs

Fast dynamic and partial reconfiguration Data Path with low Hardware overhead on Xilinx FPGAs

Fast dynamic and partial reconfiguration Data Path with low Hardware overhead on Xilinx FPGAs with low Hardware overhead on Xilinx FPGAs Michael Hbner 1 , Diana Ghringer 2 , Juanjo Noguera 3 , Jrgen Becker 1 1 Karlsruhe Institute of

370 views • 16 slides
Analysis of Overhead in Dynamic Java Performance Monitoring Vojtch Hork, Jaroslav Kotr,

Analysis of Overhead in Dynamic Java Performance Monitoring Vojtch Hork, Jaroslav Kotr,

Analysis of Overhead in Dynamic Java Performance Monitoring Vojtch Hork, Jaroslav Kotr, Peter Libi and Petr Tma Charles University in Prague Context: Dynamic Monitoring of Production Systems Dynamic Monitoring of Production Systems

999 views • 61 slides
Type Systems: Big Idea Static vs. Dynamic Typing Expressiveness (+ Dynamic) Dont have

Type Systems: Big Idea Static vs. Dynamic Typing Expressiveness (+ Dynamic) Dont have

Type Systems: Big Idea Static vs. Dynamic Typing Expressiveness (+ Dynamic) Dont have to worry about types (+ Dynamic) Dependent on input (- Dynamic) Runtime overhead (- Dynamic) Serve as documentation (+ Static)

572 views • 24 slides
PAGURUS: Low-Overhead Dynamic Information Flow Tracking on Loosely Coupled Accelerators Luca

PAGURUS: Low-Overhead Dynamic Information Flow Tracking on Loosely Coupled Accelerators Luca

ACM/IEEE CODES+ISSS 2018, Turin, Italy PAGURUS: Low-Overhead Dynamic Information Flow Tracking on Loosely Coupled Accelerators Luca Piccolboni, Giuseppe Di Guglielmo and Luca P. Carloni Columbia University, NY, USA Systems-on-Chip (SoCs) Are

851 views • 50 slides
Reconfiguration Overhead in Dynamic Task-Based Implementations on FPGAs Padmini Nagaraj

Reconfiguration Overhead in Dynamic Task-Based Implementations on FPGAs Padmini Nagaraj

Reconfiguration Overhead in Dynamic Task-Based Implementations on FPGAs Padmini Nagaraj University of California, Berkeley, Distributed Mentor Program, Researcher Summer 2004 Professor Elaheh Bozorgzadeh University of California, Irvine,

415 views • 13 slides
Generating Top-N Recommendations from Binary Profile Data Michael Hahsler Marketing Research and

Generating Top-N Recommendations from Binary Profile Data Michael Hahsler Marketing Research and

Generating Top-N Recommendations from Binary Profile Data Michael Hahsler Marketing Research and e-Business Adviser Hall Financial Group, Frisco, Texas, USA Hall Wines, St. Helena, California, USA Berufungsvortrag Wirtschaftsinformatik,

721 views • 38 slides
Algorithms Theory 14 Dynamic Programming (3) Optimal binary search trees Prof. Dr. S.

Algorithms Theory 14 Dynamic Programming (3) Optimal binary search trees Prof. Dr. S.

Algorithms Theory 14 Dynamic Programming (3) Optimal binary search trees Prof. Dr. S. Albers Winter term 07/08 Method of dynamic programming Recursive approach: Solve a problem by solving several smaller analogous subproblems of the same

559 views • 16 slides
Neutrino-driven explosions of ultra-stripped type Ic supernovae generating binary neutron stars

Neutrino-driven explosions of ultra-stripped type Ic supernovae generating binary neutron stars

Neutrino-driven explosions of ultra-stripped type Ic supernovae generating binary neutron stars Yudai Suwa 1, 2 1 Yukawa Institute for Theoretical Physics, Kyoto U. 2 Max Planck Institute for Astrophysics, Garching Collaboration with: T. Yoshida,

199 views • 18 slides
Reconfiguration Overhead in Dynamic Task-Based Implementations on FPGAs Padmini Nagaraj UCB,

Reconfiguration Overhead in Dynamic Task-Based Implementations on FPGAs Padmini Nagaraj UCB,

Reconfiguration Overhead in Dynamic Task-Based Implementations on FPGAs Padmini Nagaraj UCB, Distributed Mentor Program, Researcher Summer 2004 Professor Elaheh Bozorgzadeh UCI, Distributed Mentor Program, Mentor Outline I. Introduction

607 views • 27 slides
An Ontological Approach for Generating Useful Discrete-Event Dynamic System Models Ken Keefe PhD

An Ontological Approach for Generating Useful Discrete-Event Dynamic System Models Ken Keefe PhD

An Ontological Approach for Generating Useful Discrete-Event Dynamic System Models Ken Keefe PhD Qualifying Examination - 2020 Talk Overview Introduction Problem Description Manual Model Development Approach Ontologies and

623 views • 26 slides
Binary Search Trees ! A data structures with efficient support for many dynamic set operations:

Binary Search Trees ! A data structures with efficient support for many dynamic set operations:

Binary Search Trees ! A data structures with efficient support for many dynamic set operations: Search/Find Minimum/findMin Maximum/findMax Binary Search Trees Predecessor Successor Insert Delete/Remove ! All

83 views • 4 slides
Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or

Binary Numbers Binary numbers look like this Binary Numbers or Binary Code Binary numbers or binary code are used by computers and digital devices to talk to each other. It is used to give commands to the computer or a way to enter data

165 views • 12 slides
HI-CFG: Construction by Dynamic Binary Analysis, and Application to Attack Polymorphism Dan

HI-CFG: Construction by Dynamic Binary Analysis, and Application to Attack Polymorphism Dan

HI-CFG: Construction by Dynamic Binary Analysis, and Application to Attack Polymorphism Dan Caselden, Alex Bazhanyuk, Mathias Payer , Stephen McCamant, Dawn Song, UC Berkeley Recovering Information Knowledge of information (data) flow and

694 views • 32 slides
Tiddle: A Trace Description Language for Generating Concurrent Benchmarks to Test Dynamic

Tiddle: A Trace Description Language for Generating Concurrent Benchmarks to Test Dynamic

Tiddle: A Trace Description Language for Generating Concurrent Benchmarks to Test Dynamic Analyses Caitlin Sadowski Jaeheon Yi July 20, 2009 University of California at Santa Cruz Monday, July 20, 2009 1 Some

570 views • 28 slides
Generating Model Transformations for Mending Dynamic Constraint Violations in Cyber Physical

Generating Model Transformations for Mending Dynamic Constraint Violations in Cyber Physical

Arizona s First University. Generating Model Transformations for Mending Dynamic Constraint Violations in Cyber Physical Systems Sean Whitsitt and Jonathan Sprinkle Introduction: Cyber Physical Systems Electrical and Computer Engineering

599 views • 23 slides
Harnessing Harnessing Grid Resources with Grid Resources with Data- -Centric Task Farms

Harnessing Harnessing Grid Resources with Grid Resources with Data- -Centric Task Farms

Harnessing Harnessing Grid Resources with Grid Resources with Data- -Centric Task Farms Centric Task Farms Data Ioan Raicu Distributed Systems Laboratory Computer Science Department University of Chicago Committee Members: Ian Foster:

750 views • 58 slides
PRESENTATION TO INQUIRY INTO OP BURNHAM AND RELATED MATTERS 4 APRIL 2019 Good afternoon Sir

PRESENTATION TO INQUIRY INTO OP BURNHAM AND RELATED MATTERS 4 APRIL 2019 Good afternoon Sir

PRESENTATION TO INQUIRY INTO OP BURNHAM AND RELATED MATTERS 4 APRIL 2019 Good afternoon Sir Terence and Sir Geoffrey, counsel assisting, core participants and attendees. My name is Colonel Grant Motley. I am a Regular Force Army Officer with 30

295 views • 11 slides
Conditions for and effects of CARD cache implementations Gustaf R antil a and Mikael W

Conditions for and effects of CARD cache implementations Gustaf R antil a and Mikael W

Conditions for and effects of CARD cache implementations Gustaf R antil a and Mikael W anggren {e99_gra,e99_mwa}@e.kth.se 1 Agenda Problem formulation Hypothesis Our approach and methods Results (and their reliability)

634 views • 31 slides
SPLIT ARRAY CACHES FOR EMBEDDED APPLICATIONS Euromicro DSD 2010 Alice M. Tokarnia, Marina

SPLIT ARRAY CACHES FOR EMBEDDED APPLICATIONS Euromicro DSD 2010 Alice M. Tokarnia, Marina

A. M. Tokarnia, M. Tachibana Schoool of Electrical and Computer Engineering, UNICAMP DESIGN OF TRACE-BASED SPLIT ARRAY CACHES FOR EMBEDDED APPLICATIONS Euromicro DSD 2010 Alice M. Tokarnia, Marina Tachibana Introduction Split Array Caches

298 views • 26 slides
Tarek Bohsali Microsoft SESSION SUMMARY [PRES ESEN ENTATI TION N TITLE LE] [PRES ESEN

Tarek Bohsali Microsoft SESSION SUMMARY [PRES ESEN ENTATI TION N TITLE LE] [PRES ESEN

[TITLE LE] Scaling SQL Server Applications: Application Design and Hardware Considerations Tarek Bohsali Microsoft SESSION SUMMARY [PRES ESEN ENTATI TION N TITLE LE] [PRES ESEN ENTATI TION N TITLE LE] SQL Server is a proven

598 views • 31 slides
WARM SRAM: A Novel Scheme to Reduce Static Leakage Energy in SRAM Arrays Mahadevan

WARM SRAM: A Novel Scheme to Reduce Static Leakage Energy in SRAM Arrays Mahadevan

WARM SRAM: A Novel Scheme to Reduce Static Leakage Energy in SRAM Arrays Mahadevan Gomathisankaran Akhilesh Tyagi Iowa State University Iowa State University gmdev@iastate.edu tyagi@iastate.edu Introduction Proposed Circuit Technique

654 views • 22 slides
SALES HISTORY SINCE IPO 35,000,000 2019 19-20 20 in su summa mary 30,000,000 15

SALES HISTORY SINCE IPO 35,000,000 2019 19-20 20 in su summa mary 30,000,000 15

SALES HISTORY SINCE IPO 35,000,000 2019 19-20 20 in su summa mary 30,000,000 15 years as a public company 25,000,000 Acquisition of Tristel Italia 20,000,000 Launch of Cache surface portfolio 15,000,000

228 views • 5 slides
Virtual CDN Implementation Eugene E. Otoakhia - eugene.otoakhia@bt.com, BT Peter Willis

Virtual CDN Implementation Eugene E. Otoakhia - eugene.otoakhia@bt.com, BT Peter Willis

Virtual CDN Implementation Eugene E. Otoakhia - eugene.otoakhia@bt.com, BT Peter Willis peter.j.willis@bt.com, BT October 2017 1 British Telecommunications plc 2017 Virtual CDN Implementation - Contents 1. What is BTs vCDN Concept 2.Lab

331 views • 13 slides

More recommend