New Developments in the Dyninst and MRNet T oolkits Bill Williams - - PowerPoint PPT Presentation

new developments in the dyninst and mrnet t oolkits
SMART_READER_LITE
LIVE PREVIEW

New Developments in the Dyninst and MRNet T oolkits Bill Williams - - PowerPoint PPT Presentation

Jul 08, 2023 47 likes •348 views

New Developments in the Dyninst and MRNet T oolkits Bill Williams Paradyn Project 9 th Petascale Tools Workshop Tahoe, CA August 3, 2015 Dyninst 9.0 Overview o New features: o Memory optimizations o Initial ARM64 support o Improved TLS

slide-1
SLIDE 1

Paradyn Project

9th Petascale Tools Workshop Tahoe, CA August 3, 2015

New Developments in the Dyninst and MRNet T

  • olkits

Bill Williams

slide-2
SLIDE 2

Dyninst 9.0 Overview

  • New features:
  • Memory optimizations
  • Initial ARM64 support
  • Improved TLS support
  • Research areas:
  • Improved parsing & datafmow analysis
  • Stack frame modifjcation interface
  • SD-Dyninst integration
  • Git-head is near fjnal, offjcial release coming soon

2

Dyninst 9.0

slide-3
SLIDE 3

MRNet 5.0 Overview

  • LIBI integration
  • Verifjed ARM64 support
  • Bug fjxes
  • Offjcially released 7/30/15

3

Dyninst 9.0

slide-4
SLIDE 4

SymtabAPI

Symtab memory optimization

  • Lazy demangling
  • Lazy line information parsing
  • Have observed ~75% reduction in Symtab
  • verhead from these changes
  • Tradeoff: higher CPU cost at initial startup

4

Dyninst 9.0

slide-5
SLIDE 5

SymtabAPI

Symtab optimization breakdown

Area Pre-opt. MB Pre-opt % Opt. MB Opt. % Line info indexes 1600 31% 0% Libdwarf leaks 950 18% 0% String copies 300 6% 0% Demangled names 1000 19% 0% Mangled names 240 5% 240 18% Exception blocks 280 6% 280 21% Symbol indexes 150 3% 150 11% Other 670 13% 670 50% Total 5190 100% 1340 100%

5

Dyninst 9.0

Results obtained from openFile and a request for line information at a single address Per-CU line info Lazy demangling

slide-6
SLIDE 6

ParseAPI

ParseAPI memory optimization

  • Blocks, functions, etc. stored in interval trees
  • Can be overlapping
  • Overlap is rare
  • T

wo types of interval tree: fast and safe

  • Fast assumes non-overlapping intervals, O(n) space
  • Safe assumes most/all intervals overlap, O(n log n)

space

6

Dyninst 9.0

slide-7
SLIDE 7

ParseAPI

ParseAPI memory optimization

7

Dyninst 9.0

0x800- 0x808 0x808

  • 0x811

0x811- 0x830 0x900- 0x905 0x905- 0x90A 0x1100- 0x121C 0x121F- 0x12A0 0x830- 0x835 0x831- 0x835 0x121C

  • 0x121F

0x121D

  • 0x121F

Non-overlapping (fast) set of intervals Overlapping (safe) set

  • f intervals
slide-8
SLIDE 8

SymtabAPI

ARM64-enabled components

  • SymtabAPI
  • Build system support
  • Generally smooth port
  • ProcControl
  • Stackwalker

8

Dyninst 9.0

slide-9
SLIDE 9

ProcControl

ARM64-enabled components

  • SymtabAPI
  • ProcControl
  • Most functionality was easy
  • Kernel bug
  • Lack of ptrace backwards compatibility
  • Stackwalker

9

Dyninst 9.0

slide-10
SLIDE 10

Stackwalker

ARM64-enabled components

  • SymtabAPI
  • Proccontrol
  • Stackwalker
  • 3rd party support works
  • 1st party support coming later

10

Dyninst 9.0

slide-11
SLIDE 11

Stackwalker

ARM64-enabled components

  • SymtabAPI
  • Proccontrol
  • Stackwalker
  • ARM stack layout is unusual
  • Calls don’t save RA to stack

11

Dyninst 9.0

Normal stack Slot Contents RA 1 FP 2…N Locals ARM stack Slot Contents 0…N-2 Locals N-1 RA N FP

slide-12
SLIDE 12

New thread local storage (TLS) features

  • ProcControl: read & write TLS variables in a

process

  • Dyninst: trampguards moved to TLS
  • No hard limits on # of threads
  • Faster instrumentation in cases where trampguards

are enabled

12

Dyninst 9.0

slide-13
SLIDE 13

InstructionAPI

Instruction representation challenges

  • Maintain accurate map of bytes to opcodes
  • Instruction sets grow & change rapidly
  • Syntax is easy, semantics are harder
  • Maintain accurate understanding of operands
  • Register sets grow and change rapidly, too
  • Documentation is highly variable
  • Good: standardized XML (ARM)
  • Medium: scrapeable HTML (PPC)
  • Bad: dead tree/PDF (Intel)

13

Dyninst 9.0

slide-14
SLIDE 14

ParseAPI

Jump table improvements

  • Principled slicing-based approach
  • Improves performance of instrumented binary
  • Handles arbitrary number of table levels

14

Dyninst 9.0

slide-15
SLIDE 15

ParseAPI

Normal jump table

15

Dyninst 9.0

Address Contents 0x405100 0x401102 0x405104 0x401F00 0x405108 0x401102 0x40510C 0x401107 CMP %RAX, 0x03 JA 0x401F00 JMP *(0x405100+4* %RAX) Table entries Binary implementation Source-level construct switch(x) { case 0: case 2: // … break; case 3: // … break; default: // … }

slide-16
SLIDE 16

ParseAPI

T wo-level Jump table example

16

Dyninst 9.0

JMP *(0x416bc0 + 4 * *(0x416bd4 + %EAX)) Address Contents 0x416bc0 0x4156ac 0x416bc4 0x4157d0 0x416bc8 0x41596a 0x416bcc 0x41599e 0x416bd0 0x41677e First level table Address Contents 0x416bd4 0x0 0x416bd5 0x4 … … 0x416c7c 0x4 0x416c7d 0x3 Second level table CMP 0xa9,%EAX JA 0x41677e MOVZBL *(0x416bd4+%EAX) ,%ECX JMP *(0x416bc0+4* %ECX) Binary implementation Source-level construct switch(x) { case 0: // … break; case 29: // … break; case 100: // … break; case 169: // … break; default: // … }

slide-17
SLIDE 17

ParseAPI

Non-jump table example

17

Dyninst 9.0

Binary implementation AND 0x7,%EAX JE 0x80d93c8 LEA 0x80d93c5+9*%EAX ,%EAX JMP %EAX 80d93c8: //case 0 mov (%esi),%eax sbb (%edx),%eax mov %eax,(%edi) 80d93ce: // case 1 mov 0x4(%esi),%eax sbb 0x4(%edx),%eax mov %eax,0x4(%edi) // … 80d9404: // case 7 mov 0x1c(%esi),%eax sbb 0x1c(%edx),%eax mov %eax,0x1c(%edi) Source-level construct switch(i % 8) { case 0: x[i]-=y[i]; ++i; case 1: x[i]-=y[i]; ++i; // … case 7: x[i]-=y[i]; ++i; }

slide-18
SLIDE 18

ParseAPI

Jump table principles

  • Tables are contiguous
  • Tables depend on a single bounded input value
  • Tables live in read-only data or code

18

Dyninst 9.0

slide-19
SLIDE 19

ParseAPI

Jump table results

  • Glibc: ~30% decrease in uninstrumentable

functions, 20% increase in parse overhead

  • Newly instrumentable libc functions include:
  • strncmp
  • strcmp
  • memcmp
  • memset
  • Normal binaries: ~5% increase in parse overhead,

7% decrease in uninstrumentable functions

19

Dyninst 9.0

slide-20
SLIDE 20

ParseAPI

Gap parsing improvements

  • Machine learning based model updated for

current compilers

  • …and fjnally integrated into Dyninst
  • No longer need to apply compiler-specifjc models

20

Dyninst 9.0

slide-21
SLIDE 21

ParseAPI

Gap parsing results

Version Platform

  • Avg. Precision
  • Avg. Recall

Dyninst 8.2.1 64-bit x86 98.1% 37.4% Dyninst 8.2.1 32-bit x86 95.6% 53.9% Dyninst 9.0 64-bit x86 94.7% 83.2% Dyninst 9.0 32-bit x86 97.1% 93.8%

21

Dyninst 9.0

Test binaries are from binutils, coreutils, and fjndutils, built with icc and gcc, at –O0 through –O3.

slide-22
SLIDE 22

DyninstAPI

Stack frame modifjcations

  • Can add, remove, swap, randomize space on stack
  • Operates at function scope
  • Mostly a security-oriented feature
  • Important prerequisite: understand the stack

frame with stack analysis

22

Dyninst 9.0

slide-23
SLIDE 23

DatafmowAPI

Stack analysis improvements

  • Stack analysis: for each register, what stack

location does it point to?

  • TOP: does not point to the stack
  • Numeric height: relative to SP at function entry
  • BOTTOM: may point to anywhere on the stack
  • More instructions analyzed precisely
  • Added support for sign extend, zero extend, more

general math (including more LEA math)

  • Improved stack modifjcation from covering 30% of

SPEC 2006 functions to 60% at –O2

23

Dyninst 9.0

slide-24
SLIDE 24

DyninstAPI

SD-Dyninst integration

  • Maintain instrumentation capability through:
  • Dynamically generated code
  • Obfuscated control fmow
  • Designed for malware
  • “Any suffjciently advanced optimizer is

indistinguishable from malware”

  • Can capture control fmow through exception

handlers

24

Dyninst 9.0

slide-25
SLIDE 25

DatafmowAPI

Slicing improvements

  • Better handling of control fmow cycles
  • Data fmow around a cycle may involve different

instructions on each iteration

  • Need to distinguish between visited instructions and

visited assignments

  • Many bug fjxes, improving slice precision and

accuracy

25

Dyninst 9.0

slide-26
SLIDE 26

Range-based interfaces

  • Lesson from Symtab optimizations: exposing

containers is infmexible

  • Whole container must exist, even if user wants one

element

  • Hard to change types or relocate data
  • Instead, prefer ranges
  • Begin/end interfaces like STL containers
  • Typedefs for readability
  • Key to enabling, e.g., lazy demangling

26

Dyninst 9.0

slide-27
SLIDE 27

LIBI

  • Single interface for launching processes
  • Does not replace RSH or XT launch frameworks,

but augments them

  • Contact Dorian Arnold for details

27

Dyninst 9.0

slide-28
SLIDE 28

MRNet ARM64 support

  • MRNet now supports ARM64/Linux
  • Full set of features should work
  • Has not been tested at large scale
  • Uneventful port

28

Dyninst 9.0

slide-29
SLIDE 29

MRNet bugs fjxed

  • Build system fjxes to support ARM
  • Low port numbers (<10000) now work
  • Better XPLAT_RSH_ARGS support
  • Filter load failures are reported to front end

29

Dyninst 9.0

slide-30
SLIDE 30

Ongoing and future work

  • Windows binary rewriter
  • Exception table rewriting
  • Further memory and CPU improvements
  • Completing ARM64 port
  • New instruction foundation for x86

30

Dyninst 9.0