instruction parsers
play

Instruction Parsers Nathan Jay Paradyn Project Scalable Tools - PowerPoint PPT Presentation

Aug 01, 2023 •122 likes •697 views

Random and Exhaustive T esting of Instruction Parsers Nathan Jay Paradyn Project Scalable Tools Workshop Granlibakken, California August 2016 Motivation Lots of tools parse binaries GNU 2 Instruction Parser Testing Motivation Parsers

  1. Random and Exhaustive T esting of Instruction Parsers Nathan Jay Paradyn Project Scalable Tools Workshop Granlibakken, California August 2016

  2. Motivation Lots of tools parse binaries GNU 2 Instruction Parser Testing

  3. Motivation Parsers rely on a disassembly step: Converting object code into a higher-level language with semantic information Hex Assembly 00: 55 push %rbp 01: 48 89 e5 mov %rsp, %rbp 04: 89 7d fc mov %edi, -0x4(%rbp) 07: 8b 45 fc mov – x4(%rbp), %eax 0a: 83 c0 0a add $0xa, %eax 0d: 0f af 45 fc imul – x04(%rpb), %eax 11: 5d pop %rbp 12: c3 retq 3 Instruction Parser Testing

  4. Motivation Size field Operation Immediate Converting object code to assembly is Source Register easy for a single format, like this from Dest. Register ARMv8: Condition Fixed Value Compare and branch (immediate) No single format is difficult to decode. Just extract the fields and translate binary to assembly for each field. 4 Instruction Parser Testing

  5. Motivation Size field Operation Immediate Unfortunately, the format varies between Source Register instructions. Dest. Register Condition Fixed Value Compare and branch (immediate) Test and branch (immediate) Conditional branch (immediate) 5 Instruction Parser Testing

  6. Motivation Size field Operation Immediate And there are a lot of formats: Source Register Dest. Register Condition Fixed Value 6 Instruction Parser Testing

  7. Motivation These formats only partially cover: o load/store o branching The manual specifies more than 5 times as many different, general formats. ARM can vary between implementations: Apple, Samsung, AMD, Nvidia, Broadcom, Applied Micro, Huawei, Cavium… 7 Instruction Parser Testing

  8. Motivation x86 has other challenges with variable length instructions. This format works for some 1 or 2 byte opcodes: Prefixes opcode mod SIB displacement immediate R/M Seg, Rep, Lock, 66, 67 0F XX * * 0, 1, 2 or 4 byte value 0, 1, 2 or 4 byte value REX There is another format for some 3 byte opcodes: Prefixes opcode mod SIB displacement imm R/M Seg, Rep, Lock, 66, 67 0F * XX * * 0, 1, 2 or 4 byte value byte REX This is less than a 3 rd of byte level maps, and there are bit level maps as well. 8 Instruction Parser Testing

  9. Motivation Moreover, instruction sets change over time: x86 Extensions 1977 – 1996: Additions made in NPX (x87) 1977 80186, 80286, 80386, 80387.AMD 1997 – 1999: Additions made in releases first x86 processor, K-5. MMX 1997 Pentium MMX, Pentium Pro, AMD 1999: AMD adds 3DNow! And 2 MMX+ and Intel EMMX SSE 1999 separate additions to 3DNow!+ SSE2 2000 SSE3 2004 2005: Intel adds virtualization SSSE3 2006 2006: AMD adds virtualization 2007-2008: AMD adds SSE4a in SSE4 2007 Phenom Intel adds SSE4.2 in 2008-2010: Intel adds SHA. Nehalem AVX 2008 2013: Intel and AMD both AMD deprecates 3DNow! AVX2 2011 support BMI1, disagree on what’s included. Intel supports BMI 2 AVX512 2013 2015: AMD supports BMI 2, MPX 2013 Intel adds AES support 9 Instruction Parser Testing

  10. Goals o Find disassembler errors o Test enormous instruction space quickly o Consolidate duplicate reports of an error o Avoid instruction set specifics o Work for multiple instruction sets o Don’t rely on specific instruction set versions o Work with any disassembler 10 Instruction Parser Testing

  11. Previous Work Some past efforts: o Comparison of disassembly and execution results, Ormandy 2008 o Generate instructions randomly or by brute force o Disassemble instructions, execute instructions and compare results o Generation of known valid or invalid x86 prefixes and opcodes, Seidel 2014 o Start with empty string of bytes o Use look up tables for next valid byte to build instruction, byte-by-byte o Arbitrary values can be appended after opcode o N-version differential disassembly, Paleari et. al 2010 12 Instruction Parser Testing

  12. Previous Work – Paleari et. al 2010 Input: o Randomized bytes (40,000 sequences used) o CPU-tested instructions (20,000 sequences picked at random) o Enumerate all possible 1, 2 and 3 byte sequences o Execute each byte sequence with a few operands o Prepend a few prefixes to each sequence Test: o Compare 8 disassemblers’ outputs and execution results o Remove disassembly output that conflicts with execution in: o Instruction length o Operand type o Declare the most common output to be correct 13 Instruction Parser Testing

  13. Previous Work - Limitations o Naïve input generation o Randomly choosing instructions inefficiently tests whole space o A brute force approach would require 2 120 instructions o Required expert knowledge of x86 o Semantic specification for decoding to compare to execution o List of all valid bytes, prefixes, knowledge of operand position o Relied on details of the ISA o Opcode length and position o Byte boundaries o No means to coalesce similar error reports 14 Instruction Parser Testing

  14. Approach o Generate instructions more effectively o Avoid repetitions of similar instructions o Cover instruction space more thoroughly than purely random within a reasonable timeframe o Test all functional parts of instructions o Avoid ISA dependencies and expert knowledge 15 Instruction Parser Testing

  15. Workflow Input Generation Create object code to disassemble Differential Disassembly Disassemble object code with each Disassembler 1 Disassembler n disassembler and normalize results to … uniform representation Normalize n Normalize 1 … Compare disassembled code and Comparison & Filtering suppress duplicate differences Reassemble output, looking for Reassembly differences with object code Determine which disassembly is Analysis correct 16 Instruction Parser Testing

  16. Workflow – Current State Generalized, works for x86 and Input Generation ARMv8. PPC64 lacks some register info Differential Disassembly Differential disassembly tested on all Disassembler 1 Disassembler n “In - progress” decoders. … Normalize n Normalize 1 … Normalization ongoing in each. Generalized, works for x86, PPC64 Comparison & Filtering and ARMv8. PPC64 lacks register info. Reassembly Primitive support for x86 and ARMv8 Preliminary results on x86 and Analysis ARMv8 outputs 17 Instruction Parser Testing

  17. Workflow – Current State Generalized, works for x86 and Input Generation ARMv8. PPC64 lacks some register info Differential Disassembly Differential disassembly tested on all Disassembler 1 Disassembler n “In - progress” decoders. … Normalize n Normalize 1 … Normalization ongoing in each. Generalized, works for x86, PPC64 Comparison & Filtering and ARMv8. PPC64 lacks register info. Reassembly Primitive support for x86 and ARMv8 Preliminary results on x86 and Analysis ARMv8 outputs 18 Instruction Parser Testing

  18. Input Generation – Observations o Naïve brute force is too slow o x86 instructions are up to 15 bytes long o There are much less than 2 120 significantly different instructions o Many instructions differ only slightly o Immediate values do not change meaning or decoding of instructions o Registers names (usually) do not change meaning or decoding of instructions 19 Instruction Parser Testing

  19. Input Generation – Observations Disassemblers are likely to decode similar instructions all correctly or all incorrectly. Binary Code Decoded Instruction 1011 0100 1101 1111 mov $0xdf, %ah 1011 0100 0101 1111 mov $0x5f, %ah 1011 0110 1101 1111 mov $0xdf, %dh 1011 1100 1101 1111 movsbb (%rsi), (%rdi) Not all bits flips are equally interesting, so can we find those that are most interesting? 21 Instruction Parser Testing

  20. Input Generation – Observations Goal: Find and ignore bits that encode only register names or immediate values. mov $0xdf, %ah: 1011 0100 1101 1111 We can identify 11 of 16 bits that will not be interesting to vary 22 Instruction Parser Testing

  21. Input Generation Add some random byte strings Seed Work Queue to the queue Queue Check if there are more Done! Empty? instructions to evaluate Find interesting bits to vary for Map Instruction (each decoder) new instructions Flip interesting bits to create Generate Insns (each decoder) instructions Add new instructions to the Queue New Insns queue Differential Disassembly 23

  22. Producing a Map of Interesting Instruction Bits Map: * Base Bits: 1011 0100 1101 1111 New Bits: 0011 0100 1101 1111 Base Insn: mov $0xdf, %ah New Insn: xor $0xdf, %al 24 Instruction Parser Testing

  23. Producing a Map of Interesting Instruction Bits Map: ** Base Bits: 1011 0100 1101 1111 New Bits: 0111 0100 1101 1111 Base Insn: mov $0xdf, %ah New Insn: hlt 25 Instruction Parser Testing

  24. Producing a Map of Interesting Instruction Bits Map: *** Base Bits: 1011 0100 1101 1111 New Bits: 1001 0100 1101 1111 Base Insn: mov $0xdf, %ah New Insn: xchg %eax, %esp 26 Instruction Parser Testing

  25. Producing a Map of Interesting Instruction Bits Map: **** Base Bits: 1011 0100 1101 1111 New Bits: 1010 0100 1101 1111 Base Insn: mov $0xdf, %ah New Insn: movsbb (%rsi), (%rdi) 27 Instruction Parser Testing

  26. Producing a Map of Interesting Instruction Bits Map: **** * Base Bits: 1011 0100 1101 1111 New Bits: 1011 1100 1101 1111 Base Insn: mov $0xdf, %ah New Insn: mov $0x6d5f5…, % esp 28 Instruction Parser Testing

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

XML Parsers Asst. Prof. Dr. Kanda Runapongsa Saikaew (krunapon@kku.ac.th) Dept. of Computer

XML Parsers Asst. Prof. Dr. Kanda Runapongsa Saikaew (krunapon@kku.ac.th) Dept. of Computer

XML Parsers Asst. Prof. Dr. Kanda Runapongsa Saikaew (krunapon@kku.ac.th) Dept. of Computer Engineering Khon Kaen University 1 Overview What are XML Parsers? Programming Interfaces of XML Parsers DOM: Document Object Model

438 views • 33 slides
Scanners and parsers COMP 520 Fall 2010 Scanners and Parsers (2) A scanner or lexer transforms a

Scanners and parsers COMP 520 Fall 2010 Scanners and Parsers (2) A scanner or lexer transforms a

COMP 520 Fall 2010 Scanners and Parsers (1) Scanners and parsers COMP 520 Fall 2010 Scanners and Parsers (2) A scanner or lexer transforms a string of characters into a string of tokens: uses a combination of deterministic finite automata

1.08k views • 53 slides
Dependency and Phrasal Parsers of the Czech Language: A Comparison ak 1 , Tom s Holan 2 ,

Dependency and Phrasal Parsers of the Czech Language: A Comparison ak 1 , Tom s Holan 2 ,

Outline Motivation Compared Parsers Differences of the Parses Results Conclusions and Future Directions Dependency and Phrasal Parsers of the Czech Language: A Comparison ak 1 , Tom s Holan 2 , Vladim r Kadlec 1 , Vojt r 1 Ale s

734 views • 46 slides
Instruction Set 2 Architecting a vocabulary for the HW INSTRUCTION SET OVERVIEW 3 Instruction

Instruction Set 2 Architecting a vocabulary for the HW INSTRUCTION SET OVERVIEW 3 Instruction

1 EE 109 Unit 13 MIPS Instruction Set 2 Architecting a vocabulary for the HW INSTRUCTION SET OVERVIEW 3 Instruction Set Architecture (ISA) Defines the software interface of the processor and memory system Instruction set is the

915 views • 52 slides
LR Parsing Compiler Design CSE 504 Shift-Reduce Parsing 1 LR Parsers 2 SLR and LR(1) Parsers

LR Parsing Compiler Design CSE 504 Shift-Reduce Parsing 1 LR Parsers 2 SLR and LR(1) Parsers

LR Parsing Compiler Design CSE 504 Shift-Reduce Parsing 1 LR Parsers 2 SLR and LR(1) Parsers 3 Last modifled: Fri Mar 06 2015 at 13:50:06 EST Version: 1.7 16:58:46 2016/01/29 Compiled at 12:57 on 2016/02/26 Compiler Design LR Parsing

418 views • 16 slides
CS406: Compilers Spring 2020 Week 5: Parsers, AST, and Semantic Routines 1 Recap 2 3

CS406: Compilers Spring 2020 Week 5: Parsers, AST, and Semantic Routines 1 Recap 2 3

CS406: Compilers Spring 2020 Week 5: Parsers, AST, and Semantic Routines 1 Recap 2 3 Top-down Parsing predictive parsers 4 Suggested reading: https://en.wikipedia.org/wiki/LL_parser Top-down Parsing contd.. Also called

750 views • 46 slides
Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim

Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim

Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim Nivre, 2013 Seminarvortrag Pius Meinert July 13, 2018 Training Deterministic Parsers with Non-Deterministic Oracles root PRD SBJ DOBJ IOBJ

842 views • 47 slides
Objectives Combinator Parsing Show how to build complex parsers by composing simpler parsers.

Objectives Combinator Parsing Show how to build complex parsers by composing simpler parsers.

Introduction Choices and Recursion Repeating and Composing Introduction Choices and Recursion Repeating and Composing Objectives Combinator Parsing Show how to build complex parsers by composing simpler parsers. Dr. Mattox Beckman

507 views • 5 slides
EE 109 Unit 8 MIPS Instruction Set Architecting a vocabulary for the HW INSTRUCTION SET

EE 109 Unit 8 MIPS Instruction Set Architecting a vocabulary for the HW INSTRUCTION SET

8.1 8.2 EE 109 Unit 8 MIPS Instruction Set Architecting a vocabulary for the HW INSTRUCTION SET OVERVIEW 8.3 8.4 Instruction Set Architecture (ISA) Components of an ISA 1. ________ and Address Size Defines the _________________ of

449 views • 12 slides
Features of Statistical Parsers Mark Johnson Brown Laboratory for Linguistic Information

Features of Statistical Parsers Mark Johnson Brown Laboratory for Linguistic Information

Features of Statistical Parsers Mark Johnson Brown Laboratory for Linguistic Information Processing CoNLL 2005 1 Features of Statistical Parsers Confessions of a bottom-feeder: Dredging in the Statistical Muck Mark Johnson Brown Laboratory

879 views • 59 slides
Automatic Generation of 100 Gbps Packet Parsers from P4 Description cek 1 s 1 a 2 Pavel Ben a

Automatic Generation of 100 Gbps Packet Parsers from P4 Description cek 1 s 1 a 2 Pavel Ben a

Automatic Generation of 100 Gbps Packet Parsers from P4 Description cek 1 s 1 a 2 Pavel Ben a Viktor Pu Hana Kub atov 1 Liberouter CESNET 2 Faculty of Information Technology Czech Technical University in Prague H 2 RC Workshop,

130 views • 12 slides
Predictive Parsers LL(k) Parsing Can we avoid backtracking? Yes, if for a given input symbol and

Predictive Parsers LL(k) Parsing Can we avoid backtracking? Yes, if for a given input symbol and

10/17/2012 Predictive Parsers LL(k) Parsing Can we avoid backtracking? Yes, if for a given input symbol and given non- LL(k) terminal, we can choose the alternative appropriately. L left to right scan L leftmost derivation

396 views • 7 slides
Pipelining Instruction Pipelining is the use of pipelining to allow more than one instruction to

Pipelining Instruction Pipelining is the use of pipelining to allow more than one instruction to

Pipelining Instruction Pipelining is the use of pipelining to allow more than one instruction to be in some stage of execution at the same time. Ferranti ATLAS (1963): Pipelining reduced the average time per instruction by

1.85k views • 147 slides
Instruction Scheduling cs5363 1 Instruction scheduling Reordered Original Instruction code

Instruction Scheduling cs5363 1 Instruction scheduling Reordered Original Instruction code

Instruction Scheduling cs5363 1 Instruction scheduling Reordered Original Instruction code code Scheduler Reorder operations to reduce running time Different operations take different number of cycles Referencing values not yet

728 views • 17 slides
EE 109 Unit 10 MIPS Instruction Set MIPS INSTRUCTION OVERVIEW 10.3 10.4 Instruction Set

EE 109 Unit 10 MIPS Instruction Set MIPS INSTRUCTION OVERVIEW 10.3 10.4 Instruction Set

10.1 10.2 EE 109 Unit 10 MIPS Instruction Set MIPS INSTRUCTION OVERVIEW 10.3 10.4 Instruction Set Architecture (ISA) MIPS Processor and Bus Interface The MIPS processor can execute software instructions that will Defines the

225 views • 18 slides
Basic Steps for Execution Fetch an instruction from the instruction store Decode it

Basic Steps for Execution Fetch an instruction from the instruction store Decode it

Basic Steps for Execution Fetch an instruction from the instruction store Decode it What does this instruction do? Gather inputs From the register file From memory Perform the operation Write back the outputs To

176 views • 16 slides
Multi-Architecture ISA-Level Simulation of OpenCL Dana Schaa, Rafael Ubal Northeastern

Multi-Architecture ISA-Level Simulation of OpenCL Dana Schaa, Rafael Ubal Northeastern

Multi2Sim 4.1 Multi-Architecture ISA-Level Simulation of OpenCL Dana Schaa, Rafael Ubal Northeastern University Boston, MA Conference title 1 Outline Introduction Simulation methodology Part 1 Simulation of an x86 CPU Emulation

1.17k views • 68 slides
x86 basics ISA context and x86 history Translation tools: C --> assembly <--> machine

x86 basics ISA context and x86 history Translation tools: C --> assembly <--> machine

x86 basics ISA context and x86 history Translation tools: C --> assembly <--> machine code x86 Basics: Registers Data movement instructions Memory addressing modes Arithmetic instructions 1 Program, Application Software

439 views • 39 slides
Update on Telecommunications for Disaster Relief, Mitigation, and Early Warning in the ITU-T J.

Update on Telecommunications for Disaster Relief, Mitigation, and Early Warning in the ITU-T J.

Update on Telecommunications for Disaster Relief, Mitigation, and Early Warning in the ITU-T J. Kenneth Smith Rapporteur Q1/2 TDR, Q7/4 October 19-20, 2006 Verizon Communications, Inc (USA) 1 Outline ITU-T Action Plan for

295 views • 16 slides
Geochemical Modeling to Evaluate Remediation Options for Iron-Laden Mine Discharges Charles

Geochemical Modeling to Evaluate Remediation Options for Iron-Laden Mine Discharges Charles

Geochemical Modeling to Evaluate Remediation Options for Iron-Laden Mine Discharges Charles Chuck Cravotta III U.S. Geological Survey Pennsylvania Water Science Center cravotta@usgs.gov Summary Aqueous geochemical tools using PHREEQC have

468 views • 42 slides
1 PIER: 15-Letter Gain From Baseline PIER: Loss of < 15 Letters From Baseline at 12 Months

1 PIER: 15-Letter Gain From Baseline PIER: Loss of < 15 Letters From Baseline at 12 Months

Follow-up After Initiating Therapy: 1. Treat Every Month? Follow-up After Initiating Therapy 2. What is the Efficacy of a Reduced-Frequency Neil M. Bressler, MD but Fixed Dosing Schedule? 3. Other Regimens PIER: Reduced-Frequency Dosing

385 views • 7 slides
Cluster Computing: Cluster Computing: You've Come A Long Way You've Come A Long Way In A Short

Cluster Computing: Cluster Computing: You've Come A Long Way You've Come A Long Way In A Short

LCSC 5th Annual Workshop on Linux Clusters for Super Computing October 18-21, 2004 Linkping University, Sweden Cluster Computing: Cluster Computing: You've Come A Long Way You've Come A Long Way In A Short Time In A Short Time Jack

565 views • 22 slides
Online Phase-Adaptive Data Layout Selection Chengliang Zhang Martin Hirzel Microsoft IBM

Online Phase-Adaptive Data Layout Selection Chengliang Zhang Martin Hirzel Microsoft IBM

Online Phase-Adaptive Data Layout Selection Chengliang Zhang Martin Hirzel Microsoft IBM (former IBM intern) ECOOP, 10 July 2008 1 Problem Statement No training run. Online Phase-Adaptive Data Layout Selection Cache line or page A

344 views • 17 slides
Experiments at Scale: PRObE Garth Gibson, Carnegie Mellon University Gary Grider, Los Alamos

Experiments at Scale: PRObE Garth Gibson, Carnegie Mellon University Gary Grider, Los Alamos

A New Community Resource for Experiments at Scale: PRObE Garth Gibson, Carnegie Mellon University Gary Grider, Los Alamos National Laboratory Katharine Chartrand, New Mexico Consortium Andree Jacobson, New Mexico Consortium LANL is giving

258 views • 11 slides

More recommend