implementing an llvm based d ynamic b inary i
play

Implementing an LLVM based D ynamic B inary I nstrumentation - PowerPoint PPT Presentation

Nov 05, 2023 •103 likes •769 views

Implementing an LLVM based D ynamic B inary I nstrumentation framework Charles Hubain Cdric Tessier Introduction to Instrumentation 34c3 - Implementing an LLVM based DBI framework 2 What is Instrumentation? Transformation of a program

  1. Implementing an LLVM based D ynamic B inary I nstrumentation framework Charles Hubain Cédric Tessier

  2. Introduction to Instrumentation 34c3 - Implementing an LLVM based DBI framework 2

  3. What is Instrumentation? • “Transformation of a program into its own measurement tool” • Observe any state of a program anytime during runtime • Automate the data collection and processing 34c3 - Implementing an LLVM based DBI framework 3

  4. Use Cases • Finding memory bugs: • Track memory allocations / deallocations • Track memory accesses • Fuzzing: • Measure code coverage • Build symbolic representation of code • Recording execution traces • Replay them for “timeless” debugging • Software side-channel attacks against crypto 34c3 - Implementing an LLVM based DBI framework 4

  5. “Why not … debuggers?” • Debuggers are awesome but slooooooooow Resume Schedule Signal + Debugger Kernel Target Trap interrupt schedule 34c3 - Implementing an LLVM based DBI framework 5

  6. https://asciinema.org/a/17nynlopg5a18e1qps3r9ou7g

  7. “Why not … debuggers?” • Debuggers are awesome but slooooooooow Resume Schedule Signal + Debugger Kernel Target Trap interrupt schedule • Solution? Get rid of the kernel • How? Run the instrumentation inside the target 34c3 - Implementing an LLVM based DBI framework 7

  8. Instrumentation Techniques • From source code: • Manually, you know … printf(…) BORING • At compile time • From binary: • Static binary patching & hooking Crude and barbaric • Dynamic Binary Instrumentation This talk 34c3 - Implementing an LLVM based DBI framework 8

  9. Existing Frameworks • Valgrind since 2000 • Open source, only *nix platforms, very complex • DynamoRIO since 2002 • Open source, cross-platforms, very raw • Intel Pin since 2004 • Closed source, only Intel platforms, user friendly 34c3 - Implementing an LLVM based DBI framework 9

  10. “Why we made our own” What we wanted from a DBI framework in 2015 • Cross-platform and cross-architecture • Mobile and embedded targets support • Simpler and modular design • Focus on “heavy” instrumentation 34c3 - Implementing an LLVM based DBI framework 10

  11. Introduction to DBI 34c3 - Implementing an LLVM based DBI framework 11

  12. Dynamic Binary Instrumentation • Dynamically insert the instrumentation at runtime Generate Disassemble Insert Execute Instrumentation Instru Original Binary Code PAC-MAN for scale 34c3 - Implementing an LLVM based DBI framework 12

  13. Disassembling • What part of the binary is the code is unknown ➡ Disassembling the whole binary in advance is impossible • We need to discover the code as we go 34c3 - Implementing an LLVM based DBI framework 13

  14. Code Discovery • How? • Execute a block of code • Discover where the execution flow after the block • Execute the next block of code • This forms a short execution cycle 34c3 - Implementing an LLVM based DBI framework 14

  15. No Free Space • The instrumented code is larger than Instruction Instruction the original code Instruction … COND JUMP • Binaries are usually tightly packed with TRUE Instruction little free space FALSE Instruction Instruction … JUMP ➡ The instrumentation cannot be Instruction inserted in-place Instruction Instruction … ➡ It needs to be “ relocated” JUMP 34c3 - Implementing an LLVM based DBI framework 15

  16. Relocating • Code contains relative reference to memory addresses • These become invalid once we move the code • We need to completely rewrite the code to fix those references ➡ This is what we call “ patching ” 34c3 - Implementing an LLVM based DBI framework 16

  17. The “Cycle of Life” 34c3 - Implementing an LLVM based DBI framework 17

  18. Designing a DBI: 1. Low Level Abstractions 34c3 - Implementing an LLVM based DBI framework 18

  19. Basic Blocks Instruction Instruction Instruction … Instruction Instruction Instruction Instruction Instruction Instruction … … Instruction Instruction Instruction … 34c3 - Implementing an LLVM based DBI framework 19

  20. Control Flow Instruction Instruction Instruction … JUMP Instruction Instruction Instruction Instruction Instruction Instruction … … JUMP JUMP Instruction Instruction Instruction … JUMP 34c3 - Implementing an LLVM based DBI framework 20

  21. Under Control Flow Guest Host Instruction Instruction Instruction … JUMP Instruction Instruction Instruction … JUMP DBI Instruction Instruction Instruction … JUMP Instruction Instruction Instruction … JUMP 34c3 - Implementing an LLVM based DBI framework 21

  22. Under Control DBI is all about keeping control of the execution 34c3 - Implementing an LLVM based DBI framework 22

  23. Under Control • Keeping control of the execution • requires modifying original instructions… • …without modifying original behaviour 34c3 - Implementing an LLVM based DBI framework 23

  24. What We Need • A multi-architecture disassembler • A multi-architecture assembler • A generic intermediate representation to apply modifications on 34c3 - Implementing an LLVM based DBI framework 24

  25. We Don't Want Actually we don’t have 10 years and unlimited ressources • To implement a multi-architecture disassembler and assembler • To abstract every single instruction semantic • Architectures Developer Manuals are not that fun… 34c3 - Implementing an LLVM based DBI framework 25

  26. Here Be Dragons This has nothing to do with 26C3 34c3 - Implementing an LLVM based DBI framework 26

  27. To the rescue • LLVM already has everything • It supports all major architectures • It provides a disassembler and an assembler … • …and both work on the same intermediate representation • LLVM Machine Code (aka MC) to the rescue 34c3 - Implementing an LLVM based DBI framework 27

  28. LLVM MC movq rax, 42 Instruction Binary [0x48,0x89,0x04,0x25,0x2a,0x00,0x00,0x00] <MCInst #1670 MOV64mr LLVM MC <MCOperand Reg:0> <MCOperand Imm:1> <MCOperand Reg:0> <MCOperand Imm:42> <MCOperand Reg:0> <MCOperand Reg:35>> 34c3 - Implementing an LLVM based DBI framework 28

  29. LLVM MC • It’s minimalist • It’s totally generic • still encodes a lot of things about an instruction • But very raw • genericness means some heavy compromises • doesn’t encode everything about an instruction 34c3 - Implementing an LLVM based DBI framework 29

  30. Creation Every instruction is encoded using the same representation … … but in a di ff erent way <MCInst #1139 MOV64mr <MCOperand Reg:41> <MCOperand Imm:1> movq [rip+0x2600], rax <MCOperand Reg:0> <MCOperand Imm:0x2600> <MCOperand Reg:0> <MCOperand Reg:35>> 34c3 - Implementing an LLVM based DBI framework 30

  31. Modification jmp 0x41424242 jmp [rip+0x2600] <MCInst #1139 JMP64m <MCOperand Reg:41> <MCInst #1141 JMP_1 <MCOperand Imm:1> <MCOperand Imm: 0x41424242>> <MCOperand Reg:0> <MCOperand Imm:0x2600> <MCOperand Reg:0>> 34c3 - Implementing an LLVM based DBI framework 31

  32. Patch 0x410000: mov r0, [r0+pc] ; Load a value relative to PC 34c3 - Implementing an LLVM based DBI framework 32

  33. Patch mov [pc+0x2600], r1 ; Backup R1 mov r1, 0x410000 ; Set original instruction address 0x7f10000: mov r0, [r0+r1] ; Load a value relative to R1 mov r1, [pc+0x2600] ; Restore R1 34c3 - Implementing an LLVM based DBI framework 33

  34. Abstractions • MCInst encoding make transformations painful • Patches can be really complex • Many transformations are composed of generic steps we need abstractions 34c3 - Implementing an LLVM based DBI framework 34

  35. Patch Engine MCInst Patch MCInst MCInst Engine MCInst Abstractions Inside™ 34c3 - Implementing an LLVM based DBI framework 35

  36. 36

  37. Patch DSL Abstractions you said? • Identify transformation steps required to patch instructions • Regroup and integrate them as a domain-specific language • Instructions are architecture specifics… • …DSL should be generic (as much as possible) 34c3 - Implementing an LLVM based DBI framework 37

  38. Patch DSL Program QBDI Registry Copy Reg T emp Load/Save e Get/Set t i r W Memory Shadows, Context Metadata 34c3 - Implementing an LLVM based DBI framework 38

  39. Patch DSL mov [pc+0x2600], r1 mov r1, 0x410000 Temp(0) […] mov r1, [pc+0x2600] 34c3 - Implementing an LLVM based DBI framework 39

  40. Patch DSL mov [pc+0x2600], r1 mov r1, 0x410000 mov r0, [r0+r1] mov r1, [pc+0x2600] SubstituteWithTemp(Reg(REG_PC), Temp(0)) 34c3 - Implementing an LLVM based DBI framework 40

  41. Patch DSL • Modifications are defined in rules • A rule is composed of • one (or several) condition(s) • one (or several) action(s) • Actions can modify or replace an instruction 34c3 - Implementing an LLVM based DBI framework 41

  42. Patch DSL /* Rule #3: Generic RIP patching. * Target: Any instruction with RIP as operand, e.g. LEA RAX, [RIP + 1] * Patch: Temp(0) := rip * LEA RAX, [RIP + IMM] --> LEA RAX, [Temp(0) + IMM] */ PatchRule( UseReg(Reg(REG_PC)), { GetPCO ff set(Temp(0), Constant(0)), ModifyInstruction({ SubstituteWithTemp(Reg(REG_PC), Temp(0)) }) } ); 34c3 - Implementing an LLVM based DBI framework 42

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

LLVM IR and the IoT Dvid Juhsz david.juhasz@imsystech.com 4/2/2018 1 FOSDEM 2018 LLVM

LLVM IR and the IoT Dvid Juhsz david.juhasz@imsystech.com 4/2/2018 1 FOSDEM 2018 LLVM

A unique processor architecture meeting LLVM IR and the IoT Dvid Juhsz david.juhasz@imsystech.com 4/2/2018 1 FOSDEM 2018 LLVM devroom Compiling with LLVM High-Level Programming Language LLVM LLVM Front-end LLVM Assembly / IR LLVM

434 views • 22 slides
Implementing Data Layout Optimizations Implementing Data Layout Optimizations in the LLVM

Implementing Data Layout Optimizations Implementing Data Layout Optimizations in the LLVM

compilertree.com Implementing Data Layout Optimizations Implementing Data Layout Optimizations in the LLVM Framework in the LLVM Framework Prashantha NR (Speaker) CompilerTree Technologies CompilerTree Technologies

508 views • 33 slides
FTL WebKits LLVM based JIT Andrew Trick, Apple Juergen Ributzka, Apple LLVM Developers

FTL WebKits LLVM based JIT Andrew Trick, Apple Juergen Ributzka, Apple LLVM Developers

FTL WebKits LLVM based JIT Andrew Trick, Apple Juergen Ributzka, Apple LLVM Developers Meeting 2014 San Jose, CA WebKit JS Execution Tiers OSR Entry LLInt DFG FTL Baseline JIT Interpret High-level opts bytecode

749 views • 28 slides
Implementing SPMD control flow in LLVM using reconverging CFGs Fabian Wahlster Technische

Implementing SPMD control flow in LLVM using reconverging CFGs Fabian Wahlster Technische

Implementing SPMD control flow in LLVM using reconverging CFGs Fabian Wahlster Technische Universitt Mnchen UX3D Nicolai Hhnle AMD Divergence on wide SIMD Src : D. Lively and H. Gruen. Wave Programming in D3D12 and Vulkan Src:

260 views • 14 slides
Porting LLVM to a new OS Kai Nacke 31 January 2016 LLVM devroom @ FOSDEM16 Porting LLVM

Porting LLVM to a new OS Kai Nacke 31 January 2016 LLVM devroom @ FOSDEM16 Porting LLVM

Porting LLVM to a new OS Kai Nacke 31 January 2016 LLVM devroom @ FOSDEM16 Porting LLVM There are two possible goals Run LLVM tools on OS Generate code for OS / CPU architecture Mission is to run LLVM on previously unsupported

603 views • 11 slides
Debugging With LLVM A quick introducon to LLDB and LLVM sanizers Graham Hunter, Andrzej

Debugging With LLVM A quick introducon to LLDB and LLVM sanizers Graham Hunter, Andrzej

Debugging With LLVM A quick introducon to LLDB and LLVM sanizers Graham Hunter, Andrzej Warzyski Arm February 2020 Our Background Compiler engineers at Arm Arm Compiler For Linux Downstream and upstream LLVM Based in

913 views • 28 slides
The Many Faces of Instrumentation: Debugging and Better Performance using LLVM in HPC What are

The Many Faces of Instrumentation: Debugging and Better Performance using LLVM in HPC What are

The Many Faces of Instrumentation: Debugging and Better Performance using LLVM in HPC What are LLVM, Clang, and Flang? How is LLVM Being Improved for HPC. What Facilities for Tooling Exist in LLVM? Opportunities for the Future!

572 views • 38 slides
LLVM/Clang Mouna Abidi &amp; Manel Grichi 1 Plan What is LLVM? How will you be using it?

LLVM/Clang Mouna Abidi &amp; Manel Grichi 1 Plan What is LLVM? How will you be using it?

LLVM/Clang Mouna Abidi &amp; Manel Grichi 1 Plan What is LLVM? How will you be using it? LLVM Architecture Compiler Simple case study Conclusion 2 What is LLVM? Low Level Virtual Machine Modern Compiler

1.34k views • 19 slides
LLVM Binutils BoF 2019 EuroLLVM Developers' Meeting James Henderson (SN Systems) Jordan

LLVM Binutils BoF 2019 EuroLLVM Developers' Meeting James Henderson (SN Systems) Jordan

LLVM Binutils BoF 2019 EuroLLVM Developers' Meeting James Henderson (SN Systems) Jordan Rupprecht (Google) Introduction LLVM binary utilities (aka binutils) include: llvm-readobj/llvm-readelf llvm-objdump llvm-objcopy

352 views • 8 slides
Dyna ynamic mics 365 365 for for Energy gy is Data Communications 360 software solution

Dyna ynamic mics 365 365 for for Energy gy is Data Communications 360 software solution

Dyna ynamic mics 365 365 for for Energy gy is Data Communications 360 software solution for the Electricity and Gas industries. Based on Dynamics 365 platform, Dynami amics 365 for Energy incorporates innovative features and specialized

184 views • 5 slides
LLVM and IR Construction Fabian Ritter based on slides by Christoph Mallon and Johannes Doerfert

LLVM and IR Construction Fabian Ritter based on slides by Christoph Mallon and Johannes Doerfert

LLVM and IR Construction Fabian Ritter based on slides by Christoph Mallon and Johannes Doerfert http://compilers.cs.uni-saarland.de Compiler Design Lab Saarland University 1 Project Progress token stream LLVM you are here! assembly IR

627 views • 36 slides
Building an LLVM-based tool Lessons Learned EuroLLVM 2019, Brussels whoami Alex Denisov

Building an LLVM-based tool Lessons Learned EuroLLVM 2019, Brussels whoami Alex Denisov

Building an LLVM-based tool Lessons Learned EuroLLVM 2019, Brussels whoami Alex Denisov Software Engineer at PTScientists GmbH LLVM Hacker https://lowlevelbits.org https://twitter.com/1101_debian Agenda Build System

873 views • 58 slides
Building, Testing and Debugging a Simple out-of-tree LLVM Pass October 29, 2015, LLVM

Building, Testing and Debugging a Simple out-of-tree LLVM Pass October 29, 2015, LLVM

Building, Testing and Debugging a Simple out-of-tree LLVM Pass October 29, 2015, LLVM Developers Meeting LLVM 3.7 Resources https://github.com/quarkslab/ llvm-dev-meeting-tutorial-2015 1 Instruction Booklet a = b + c a = b

794 views • 62 slides
LLVM Simone Campanoni simonec@eecs.northwestern.edu Problems with Canvas? Problems with slides?

LLVM Simone Campanoni simonec@eecs.northwestern.edu Problems with Canvas? Problems with slides?

LLVM Simone Campanoni simonec@eecs.northwestern.edu Problems with Canvas? Problems with slides? Any problems? Outline Introduction to LLVM CAT steps Hacking LLVM LLVM LLVM is a great, hackable compiler for C/C++ languages

1.68k views • 44 slides
Jancy LLVM-based scripting language for IO and UI programming Vladimir Gladkov Tibbo Technology

Jancy LLVM-based scripting language for IO and UI programming Vladimir Gladkov Tibbo Technology

Jancy LLVM-based scripting language for IO and UI programming Vladimir Gladkov Tibbo Technology Inc http://tibbo.com/jancy Overview Why? 2 main Jancy features Compiler design and how we use LLVM Questions Why?! Do we need

608 views • 33 slides
Wring an LLVM Pass: 101 LLVM 2019 tutorial Andrzej Warzyski arm October 2019 Andrzejs

Wring an LLVM Pass: 101 LLVM 2019 tutorial Andrzej Warzyski arm October 2019 Andrzejs

Wring an LLVM Pass: 101 LLVM 2019 tutorial Andrzej Warzyski arm October 2019 Andrzejs Background arm DOWNSTREAMlldb SciComp Highlander LLVM Dev Meeng 2019 2 / 39 Overview LLVM pass development crash course Focus on

635 views • 39 slides
MB : SGX SGX-BO BOMB Locking Down the Processor via the Rowhammer Attack Yeongjin Jang *,

MB : SGX SGX-BO BOMB Locking Down the Processor via the Rowhammer Attack Yeongjin Jang *,

MB : SGX SGX-BO BOMB Locking Down the Processor via the Rowhammer Attack Yeongjin Jang *, Jaehyuk Lee , Sangho Lee , and Taesoo Kim Oregon State University* KAIST Georgia Institute of Technology TL;DR SGX locks up the

503 views • 24 slides
Introduction to Explicit Instruction Presented by: Gina W . Hopper, Director of Special

Introduction to Explicit Instruction Presented by: Gina W . Hopper, Director of Special

Introduction to Explicit Instruction Presented by: Gina W . Hopper, Director of Special Education Technical Assistance With permission from Dr. Anita A. Archer 1 Permission and Thank You! The content of this session is expanded in Chapter

334 views • 14 slides
Effectively Prefetching Remote Memory with Leap Hasan Al Maruf and Mosharaf Chowdhury 1

Effectively Prefetching Remote Memory with Leap Hasan Al Maruf and Mosharaf Chowdhury 1

Effectively Prefetching Remote Memory with Leap Hasan Al Maruf and Mosharaf Chowdhury 1 Memory-Intensive Applications 2 Perform Great! 40 38.61 35 30 TPS (Thousands) 25 20 15 10 6.61 5 1.01 0 100% 75% 50% In-Memory Working Set

864 views • 39 slides
Human Capabilities Perception Processing Action Jrg Cassens Memory Institut fr Mathematik

Human Capabilities Perception Processing Action Jrg Cassens Memory Institut fr Mathematik

Overview Human Capabilities Perception Processing Action Jrg Cassens Memory Institut fr Mathematik und Angewandte Informatik Medieninformatik WS 2019/2020 WS 2019/2020 Jrg Cassens Human Capabilities 1 / 41 Pingo Overview

1.09k views • 53 slides
1 Number is potentially limitless 1. 1. Human counter erfactual thought What to change? Not

1 Number is potentially limitless 1. 1. Human counter erfactual thought What to change? Not

What if and If only thoughts about imagined alternatives to Co Cons nstraints on n reality Co Coun unterfactua uals Counterfactuals How a decision in the past could Ruth M.J. Byrne Ru have been different, or how one in

861 views • 16 slides
Optimisation While Streaming Amit Chakrabarti Dartmouth College Joint work with S. Kale, A.

Optimisation While Streaming Amit Chakrabarti Dartmouth College Joint work with S. Kale, A.

Optimisation While Streaming Amit Chakrabarti Dartmouth College Joint work with S. Kale, A. Wirth DIMACS Workshop on Big Data Through the Lens of Sublinear Algorithms, Aug 2015 Combinatorial Optimisation Problems 1950s, 60s: Operations

998 views • 56 slides
Paradim Shift in cholesterol behandeling: van LDL-C target naar LDL-C eradicatie Prof. G.Kees

Paradim Shift in cholesterol behandeling: van LDL-C target naar LDL-C eradicatie Prof. G.Kees

Paradim Shift in cholesterol behandeling: van LDL-C target naar LDL-C eradicatie Prof. G.Kees Hovingh, MD PhD MBA Dept. Vascular Medicine Academic Medical Center Amsterdam, the Netherlands Risk and profit

722 views • 55 slides
Novel strategies targeting residual risk: the promise of PCSK-9 inhibiting therapies ESC August

Novel strategies targeting residual risk: the promise of PCSK-9 inhibiting therapies ESC August

Novel strategies targeting residual risk: the promise of PCSK-9 inhibiting therapies ESC August 29 th , Rome Erik Stroes, MD Academic Medical Center Amsterdam, The Netherlands Faculty Disclosure Declaration of financial interests For the

519 views • 36 slides

More recommend