Building Customized Dynamic Program Inspectors
Transcript of Building Customized Dynamic Program Inspectors
![Page 1: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/1.jpg)
Building Customized Dynamic Program Inspectors
Derek Bruening, Qin Zhao
![Page 2: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/2.jpg)
Motivation
Profile, monitor, or inspect application binaries as they run
• Build customized dynamic program inspectors
Target production workloads
• Profile or inspect the actual deployed application, with no overhead when not in inspection mode
Target applications that include legacy components, third-party libraries, or dynamically-generated code
• Want to inspect the whole program even if it cannot all be recompiled
2
![Page 3: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/3.jpg)
Reach of Toolchain Control Points
3
(figure of toolchain control points; the label that survives is "runtime inspector")
![Page 4: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/4.jpg)
DynamoRIO
(timeline figure, late 1990's to 2001: Dynamo @ HP Labs on PA-RISC; Dynamo @ HP Labs on x86; RIO @ MIT (Runtime Introspection and Optimization); Dynamo + RIO = DynamoRIO, 2001)
4
![Page 5: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/5.jpg)
DynamoRIO History
(timeline figure, 2001 to 2010: DynamoRIO @ MIT, 2001; binary releases, 2002; Determina security startup, 2003; VMware acquires Determina, 2007; open-sourced under a BSD license, 2009; Google sponsors Dr. Memory, 2010)
5
![Page 6: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/6.jpg)
DynamoRIO Tool Platform Design Goals
Efficient
• Near-native performance
Transparent
• Match native behavior
Comprehensive
• Control every instruction, in any application
Customizable
• Adapt to satisfy disparate tool needs
6
![Page 7: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/7.jpg)
Outline
Base System: DynamoRIO
• Efficient
• Transparent
• Comprehensive
• Customizable
Dynamic Program Inspectors
• Examples and Possibilities
• Case studies
7
![Page 8: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/8.jpg)
Basic Interpreter
(figure: an interpreter loop of fetch, decode, execute over the application code, drawn as basic blocks A-F of foo() and bar())
~300x Slowdown!
8
![Page 9: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/9.jpg)
Improvement #1: Basic Block Cache
(figure: DynamoRIO copies each basic block of the application code (A-F of foo() and bar()) into a basic block cache the first time it executes, and later executions run from the cache)
Slowdown: 300x → 25x
9
![Page 10: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/10.jpg)
Improvement #2: Linking Direct Branches
(figure: direct branches between cached blocks are linked together, so control stays inside the basic block cache instead of returning to DynamoRIO at every block boundary)
Slowdown: 300x → 25x → 3x
10
![Page 11: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/11.jpg)
Improvement #3: Linking Indirect Branches
(figure: indirect branches are resolved through an in-cache indirect branch lookup rather than a return to DynamoRIO)
Slowdown: 300x → 25x → 3x → 1.2x
11
![Page 12: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/12.jpg)
Improvement #4: Trace Building
(figure: hot sequences of basic blocks are stitched into a trace cache; an indirect branch first checks whether its target stays on the trace and only then falls back to the indirect branch lookup)
Slowdown: 300x → 25x → 3x → 1.2x → 1.1x
12
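To make the four slowdown steps concrete, here is an added toy model (example code, not DynamoRIO's): a constructed six-instruction program is run under a plain interpreter, a basic block cache, direct-branch linking, and in-cache indirect-branch lookup, counting how often control has to leave the cache for the dispatcher. Traces (improvement #4) are not modelled.

```c
#include <stdio.h>

/* Toy instruction set: plain op, direct jump, indirect jump (target read at
 * run time), halt.  Constructed for this example; not DynamoRIO code. */
enum kind { OP, JMP, JIND, HALT };
struct insn { enum kind k; int target; };

/* Constructed sample program: block A (pc 0-2) jumps directly to block B
 * (pc 3-4), whose indirect jump goes back to A while a loop counter runs,
 * then out to block C (pc 5-6), which halts. */
static const struct insn prog[] = {
    {OP, 0}, {OP, 0}, {JMP, 3},   /* A */
    {OP, 0}, {JIND, 0},           /* B */
    {OP, 0}, {HALT, 0}            /* C */
};
#define NBLOCKS 8
#define LOOP_ITERS 1000

struct stats {
    long dispatch;   /* times control left the cache for the dispatcher */
    long built;      /* blocks decoded/copied (every time, for the interpreter) */
    long linked;     /* direct-branch transfers that stayed inside the cache */
    long ibl;        /* indirect branches resolved by the in-cache lookup */
};

static int block_end(int pc) {
    while (prog[pc].k == OP) pc++;
    return pc;
}

/* Run the program under one configuration.  use_cache=0 models the basic
 * interpreter; link_direct and link_indirect model improvements #2 and #3. */
struct stats run(int use_cache, int link_direct, int link_indirect) {
    struct stats s = {0, 0, 0, 0};
    int cached[NBLOCKS] = {0};
    int pc = 0, counter = 0, arrived_linked = 0;
    for (;;) {
        /* A block start reaches the dispatcher unless we arrived via a link. */
        if (!arrived_linked) s.dispatch++;
        if (!use_cache || !cached[pc]) {
            s.built++;
            if (use_cache) cached[pc] = 1;
        }
        int end = block_end(pc);
        const struct insn *last = &prog[end];
        if (last->k == HALT) return s;
        int next;
        if (last->k == JMP) {
            next = last->target;
            /* A direct branch can be linked once its target block exists. */
            arrived_linked = link_direct && cached[next];
            if (arrived_linked) s.linked++;
        } else {
            counter++;
            next = (counter < LOOP_ITERS) ? 0 : 5;   /* the "register" value */
            /* An indirect branch hits the in-cache lookup if the target exists. */
            arrived_linked = link_indirect && cached[next];
            if (arrived_linked) s.ibl++;
        }
        pc = next;
    }
}

long dispatch_count(int use_cache, int link_direct, int link_indirect) {
    return run(use_cache, link_direct, link_indirect).dispatch;
}
long build_count(int use_cache, int link_direct, int link_indirect) {
    return run(use_cache, link_direct, link_indirect).built;
}

int main(void) {
    static const char *names[] = {"interpreter", "bb cache", "+ direct links", "+ indirect lookup"};
    static const int cfg[4][3] = {{0, 0, 0}, {1, 0, 0}, {1, 1, 0}, {1, 1, 1}};
    for (int i = 0; i < 4; i++) {
        struct stats s = run(cfg[i][0], cfg[i][1], cfg[i][2]);
        printf("%-18s dispatch=%5ld built=%5ld linked=%4ld ibl=%4ld\n",
               names[i], s.dispatch, s.built, s.linked, s.ibl);
    }
    return 0;
}
```

The dispatcher count drops from 2001 (interpreter and plain cache) to 1002 with direct links and to 3 with the indirect lookup, which is the shape of the 300x to 1.2x progression on the slides.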
![Page 13: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/13.jpg)
Base Performance: SPEC 2006
13
![Page 14: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/14.jpg)
Time Breakdown for SPEC CPU INT
(figure: the diagram of improvement #4 annotated with where execution time is spent; the percentages shown are 0%, 2%, 94%, 4% and < 1%)
14
![Page 15: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/15.jpg)
Outline
Base System: DynamoRIO
• Efficient
• Transparent
• Comprehensive
• Customizable
Dynamic Program Inspectors
• Examples and Possibilities
• Case studies
15
![Page 16: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/16.jpg)
Unavoidably Intrusive
16
(figure: a process running under DynamoRIO; DynamoRIO, the app code cache and the indirect branch lookup live inside the process itself, between the application's threads and the operating system)
![Page 17: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/17.jpg)
Outline
Base System: DynamoRIO
• Efficient
• Transparent
• Comprehensive
• Customizable
Dynamic Program Inspectors
• Examples and Possibilities
• Case studies
17
![Page 18: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/18.jpg)
Above the Operating System
18
(figure: the same process diagram; DynamoRIO sits entirely above the operating system, inside the application process, with no kernel component)
![Page 19: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/19.jpg)
Outline
Base System: DynamoRIO
• Efficient
• Transparent
• Comprehensive
• Customizable
Dynamic Program Inspectors
• Examples and Possibilities
• Case studies
19
![Page 20: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/20.jpg)
DynamoRIO + Client Program Inspector
(figure: client code is invoked as DynamoRIO builds basic blocks and traces from the application code, and the resulting instrumented code runs from the basic block cache and trace cache)
20
![Page 21: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/21.jpg)
Primary Client Events: Code Stream
Client has opportunity to inspect and potentially modify every single application instruction, immediately before it executes
Entire application code stream
• Basic block creation event: can modify the block
• For comprehensive instrumentation tools
Or, focus on hot code only
• Trace creation event: can modify the trace
• Custom trace creation: can determine trace end condition
• For optimization and profiling tools
21
![Page 22: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/22.jpg)
Instrumentation Time vs Analysis Time
(figure: client code runs at instrumentation time, when a block is built, and the code it inserts runs at analysis time, when the block executes; an instrumentation-time result: average instruction length; an analysis-time result: call instruction execution count)
22
![Page 23: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/23.jpg)
Code Cache Threading Models
(figure: application threads above the operating system, served either by one thread-shared code cache or by thread-private code caches)
23
![Page 24: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/24.jpg)
Secondary Client Events
Application thread creation and deletion
Application library load and unload
Application exception/signal
• Client chooses whether to deliver, suppress, bypass the app handler, or redirect control
Application pre- and post-system call
• Client can inspect/modify call number, params, or return value
Bookkeeping: init, exit, cache management, etc.
24
![Page 25: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/25.jpg)
DynamoRIO API: General Utilities
Safe utilities for maintaining transparency
• Separate stack, memory allocation, file I/O
• Thread-local storage, synchronization
• Create client-only thread or private itimer
Application control
• Suspend and resume all other threads
Application inspection
• Address space querying
• Module iterator
• Processor feature identification
25
![Page 26: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/26.jpg)
DynamoRIO API: Code Manipulation
Clean calls to C or C++ code
• Automatically inlined for simple callees
Full IA-32/AMD64 instruction representation
• Includes implicit operands, decoding, encoding
State preservation
• Eflags, arith flags, floating-point state, MMX/SSE state
• Spill slots, TLS, CLS
Dynamic instrumentation
• Replace code in the code cache
26
![Page 27: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/27.jpg)
DynamoRIO Demo
![Page 28: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/28.jpg)
Outline
Base System: DynamoRIO
• Efficient
• Transparent
• Comprehensive
• Customizable
Dynamic Program Inspectors
• Examples and Possibilities
• Case studies: Program shepherding, Dr. Memory
28
![Page 29: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/29.jpg)
Examples and Possibilities
Code Inspection
• Code coverage
• Path profiling
Data Inspection
• Heap overflow detection
Concurrency Inspection
• Cache contention detection
29
![Page 30: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/30.jpg)
Code Inspection: Code Coverage (bbcov)
(figure: at instrumentation time the client records each basic block (A, C, D, E, F) as DynamoRIO builds it, so the set of executed blocks is known without inserting any analysis-time code)
• Efficient code coverage
• Hot/cold code discovery
• Cold start optimization
30
![Page 31: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/31.jpg)
Code Inspection: Code Coverage (bbcov)

```c
void dr_init(client_id_t id)
{
    …
    dr_register_bb_event(event_basic_block);
    …
    if (dr_using_all_private_caches())
        bbcov_per_thread = true;
}

dr_emit_flags_t
event_basic_block(void *dc, void *tag, instrlist_t *bb, bool trace, bool xl8)
{
    …
    for (instr = instrlist_first(bb); instr != NULL; instr = instr_get_next(instr)) {
        …
    }
    …
    bb_table_entry_add(dc, data, start_pc, cbr_tgt, (end_pc - start_pc), num_instrs, trace);
    return DR_EMIT_DEFAULT;
}
```
31
![Page 32: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/32.jpg)
Code Inspection: Path Profiling (bbbuf)
(figure: at analysis time each executed block appends its start pc to a per-thread buffer, so the buffer records the path actually taken, e.g. A C D E, A C D E, …)
32
![Page 33: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/33.jpg)
Code Inspection: Path Profiling (bbbuf)

```c
void dr_init(client_id_t id)
{
    …
    dr_register_bb_event(event_basic_block);
    if (!dr_raw_tls_calloc(&tls_seg, &tls_offs, 1, 0))
        DR_ASSERT(false);
}

dr_emit_flags_t
event_basic_block(void *dc, void *tag, instrlist_t *bb, bool trace, bool xl8)
{
    …
    /* load buffer pointer from TLS field */
    MINS(bb, first, INSTR_CREATE_mov_ld(dc, opnd_create_reg(reg),
         opnd_create_far_base_disp(tls_seg, DR_REG_NULL, DR_REG_NULL, 0, tls_offs, OPSZ_PTR)));
    /* store bb's start pc into the buffer */
    MINS(bb, first, INSTR_CREATE_mov_st(dc, OPND_CREATE_MEM32(reg, 0), OPND_CREATE_INT32(pc)));
    /* advance buffer; we use lea to avoid aflags save/restore */
    MINS(bb, first, INSTR_CREATE_lea(dc, opnd_create_reg(reg_16),
         opnd_create_base_disp(reg, DR_REG_NULL, 0, sizeof(app_pc), OPSZ_lea)));
    /* save buffer pointer */
    MINS(bb, first, INSTR_CREATE_mov_st(dc,
         opnd_create_far_base_disp(tls_seg, DR_REG_NULL, DR_REG_NULL, 0, tls_offs, OPSZ_PTR),
         opnd_create_reg(reg)));
    return DR_EMIT_DEFAULT;
}
```

Example block before instrumentation (start_pc = 0xf771bb9b, end_pc = 0xf771bb9f), in DynamoRIO's disassembly format with the destination after the arrow:

```
mov  (%esp) -> %ebx
ret  %esp (%esp) -> %esp
```

The same block after instrumentation. The buffer pointer lives in %fs:0x4c; %ebx can serve as the scratch register without being saved because the block's own first instruction overwrites it, and the lea writes only %bx, the low 16 bits, so the pointer wraps around inside a 64KB-aligned buffer without touching the arithmetic flags:

```
mov  %fs:0x4c -> %ebx
mov  $0xf771bb9b -> (%ebx)
lea  0x04(%ebx) -> %bx
mov  %ebx -> %fs:0x4c
mov  (%esp) -> %ebx
ret  %esp (%esp) -> %esp
```
33
![Page 34: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/34.jpg)
Code Inspection
Profiling
• Instruction/edge/path/inter-procedural profiling
• Hot/cold code
• Control-flow/call graph
Debugging
• Execution recording
• Software breakpoint
Security
• Program shepherding
• Code de-obfuscation
34
![Page 35: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/35.jpg)
Examples and Possibilities
Code Inspection
• Code coverage
• Path profiling
Data Inspection
• Heap overflow detection
Concurrency Inspection
• Cache contention detection
35
![Page 36: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/36.jpg)
Data Inspection: Heap Overflow Detection
Catch heap underflow and overflow:
• Wrap allocation routines
  • Keep track of malloc chunks
  • Insert redzones between application malloc chunks and put a special value (pattern) like 0xf1fd in the redzones
• Instrumentation
  • Check the value before every memory access: look for 0xf1fd
  • If found, check whether the address is in a redzone
36
(figure, layout of one chunk: malloc header | pre-redzone | requested size for application data | malloc padding | post-redzone)
![Page 37: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/37.jpg)
Instrumentation

```c
void
pattern_insert_cmp_jne_ud2a(void *dc, instrlist_t *ilist, instr_t *app, opnd_t ref, opnd_t pattern)
{
    instr_t *label;
    app_pc pc = instr_get_app_pc(app);
    label = INSTR_CREATE_label(dc);
    /* cmp ref, pattern */
    PREXL8M(ilist, app, INSTR_XL8(INSTR_CREATE_cmp(dc, ref, pattern), pc));
    /* jne label */
    PRE(ilist, app, INSTR_CREATE_jcc_short(dc, OP_jne_short, opnd_create_instr(label)));
    /* illegal instr: traps to the signal/exception handler, which does the redzone check */
    PREXL8M(ilist, app, INSTR_XL8(INSTR_CREATE_ud2a(dc), pc));
    /* label */
    PRE(ilist, app, label);
}

void dr_init(client_id_t id)
{
    …
#ifdef LINUX
    dr_register_signal_event(event_signal);
#else
    dr_register_exception_event(event_exception);
#endif
}
```

Application code before instrumentation:

```
mov  0x00000084(%eax) -> %edx
test %edx %edx
jz   $0xf77e6ea2
```

The check inserted before the memory reference:

```
cmp  0x00000084(%eax) $0xf1fdf1fd
jnz  <label>
ud2a
<label> mov 0x1c(%esp) -> %eax
```
37
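The two-step check above, a pattern compare first and a redzone lookup only on a match, as an added stand-alone C example (not Dr. Memory's code): a wrapped malloc lays out each chunk as on the previous slide, and check_access32() plays the role of the inserted cmp/jne/ud2a plus the handler's redzone test. REDZONE_BYTES and the chunk list are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define REDZONE_BYTES 16   /* assumed redzone size; the pattern word repeats across it */

/* Chunks handed out by the wrapped allocator, so the slow path can answer
 * "is this address inside a redzone?" */
struct chunk { uint8_t *base; size_t padded; struct chunk *next; };
static struct chunk *chunks;

/* Fill with the 0xf1fd pattern: little-endian bytes fd f1, so an aligned
 * 16-bit read sees 0xf1fd and an aligned 32-bit read sees 0xf1fdf1fd. */
static void fill_pattern(uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) p[i] = (i & 1) ? 0xf1 : 0xfd;
}

/* Wrapped malloc: [pre-redzone][app data][malloc padding][post-redzone]. */
void *rz_malloc(size_t n) {
    size_t padded = (n + 3) & ~(size_t)3;     /* padding keeps the post-redzone word aligned */
    uint8_t *base = malloc(REDZONE_BYTES + padded + REDZONE_BYTES);
    struct chunk *c = malloc(sizeof *c);
    if (!base || !c) { free(base); free(c); return NULL; }
    fill_pattern(base, REDZONE_BYTES);
    fill_pattern(base + REDZONE_BYTES + padded, REDZONE_BYTES);
    c->base = base; c->padded = padded; c->next = chunks; chunks = c;
    return base + REDZONE_BYTES;
}

static int in_redzone(const uint8_t *addr) {
    for (struct chunk *c = chunks; c; c = c->next) {
        const uint8_t *pre = c->base, *post = c->base + REDZONE_BYTES + c->padded;
        if ((addr >= pre && addr < pre + REDZONE_BYTES) ||
            (addr >= post && addr < post + REDZONE_BYTES))
            return 1;
    }
    return 0;
}

/* What the inserted "cmp ref, pattern / jne / ud2a" amounts to for one 32-bit
 * access: the fast path only compares the value; the slow path (reached via
 * the ud2a trap in the real tool) confirms the address is in a redzone.
 * Returns 1 if an overflow/underflow is reported. */
int check_access32(const void *addr) {
    uint32_t v;
    memcpy(&v, addr, sizeof v);
    if (v != 0xf1fdf1fdu) return 0;           /* fast path: not the pattern */
    return in_redzone(addr);                  /* slow path: pattern in app data is fine */
}

/* Constructed scenarios; returns a bitmask of which accesses were reported. */
int run_scenarios(void) {
    int reported = 0;
    uint32_t *p = rz_malloc(8);
    if (!p) return -1;
    p[0] = 1; p[1] = 2;
    reported |= check_access32(&p[0]) << 0;   /* in bounds: not reported */
    reported |= check_access32(&p[2]) << 1;   /* one word past the end: overflow */
    reported |= check_access32(&p[-1]) << 2;  /* one word before the start: underflow */
    p[0] = 0xf1fdf1fdu;                       /* app data that happens to equal the pattern */
    reported |= check_access32(&p[0]) << 3;   /* not a redzone: no false positive */
    return reported;   /* expected: bits 1 and 2 set = 6 */
}

int main(void) {
    printf("reported mask = %d (expected 6)\n", run_scenarios());
    return 0;
}
```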
![Page 38: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/38.jpg)
Data Inspection
Profiling
• Memory tracing: cache simulation, data layout/prefetch optimization, etc.
• System call tracing
• Heap state inspection
Debugging
• Memory bug detection: uninitialized error, buffer overflow/underflow, memory leak, etc.
• Software watchpoint
Security
• Dynamic data-flow tracking (taint tracing)
38
![Page 39: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/39.jpg)
Examples and Possibilities
Code Inspection
• Code coverage
• Path profiling
Data Inspection
• Heap overflow detection
Concurrency Inspection
• Cache contention detection
39
![Page 40: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/40.jpg)
Concurrency Inspection: Cache Contention
40
(figure: two quad-core processors, each drawn as cores with private caches (P$) and a shared cache ($), connected over a network to memory and I/O; the two elements of local_sum[2] fall in one cache line)
Motivating example:

```c
uint64 local_sum[2];
uint64 global_sum;

void parallel_sum(int myid, int start, int end)
{
    for (int i = start; i < end; i++)
        local_sum[myid] += buf[i];   /* each thread updates its own slot of a shared array */
    lock();
    global_sum += local_sum[myid];
    unlock();
}
```

| Time (s) | 1 thread, min | 1 thread, max | 2 threads, same core | 2 threads, distinct cores |
| --- | --- | --- | --- | --- |
| no padding | 4.798 | 4.842 | 3.883 | 5.219 |
| padding | 4.780 | 4.817 | 2.451 | 2.473 |

Xeon X5460 @ 3.16GHz, 2x Quad core
![Page 41: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/41.jpg)
Hardware Performance Counter
Hardware limitation
• Limited events: must deduce from the supported counters
Hardware specific
• Cache configuration, particular cache line size, cache size, etc.
• Thread-CPU binding
Flexibility
• Limited to sampling
• Hard to reconfigure
41
![Page 42: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/42.jpg)
Software Shadow Memory
Store meta-data
• Track properties of application memory
Update via instrumented code
42
(figure: the process address space holds the application memory (a.out, stack, libc, heap) and a parallel shadow memory with a shadow region for each)
![Page 43: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/43.jpg)
Cache Contention Detection
Each cache line (16 words) of application memory is mapped to a thread ownership bitmap (32 bits, one per thread T1..T32) in shadow memory
Memory reference:
• Test and set the thread's bit (a clear bit indicates a cache miss)
Memory write:
• Compare and set to only the thread's own bit (other bits set indicate a cache invalidation)
43
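Added example, not from the slides: the ownership-bitmap scheme above in plain C, replayed over a constructed two-thread interleaving of the parallel_sum loop from slide 40, with local_sum[0] and local_sum[1] either 8 bytes apart (no padding, same line) or 64 bytes apart (padded onto separate lines). The line size, the simulated region and the interleaving are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINE_BYTES  64                 /* 16 words per cache line, as on the slide */
#define APP_BYTES   4096               /* constructed application memory region */
#define MAX_THREADS 32                 /* one ownership bit per thread */

static uint8_t  app_mem[APP_BYTES];
static uint32_t shadow[APP_BYTES / LINE_BYTES];   /* ownership bitmap per cache line */
static long misses, invalidations;

static uint32_t *line_bitmap(const void *addr) {
    size_t off = (size_t)((const uint8_t *)addr - app_mem);
    return &shadow[off / LINE_BYTES];
}

/* Memory reference: test and set this thread's bit.  A clear bit means the
 * line was not in this thread's cache, i.e. a simulated cache miss. */
void on_read(int tid, const void *addr) {
    uint32_t *bm = line_bitmap(addr), bit = 1u << tid;
    if (!(*bm & bit)) { misses++; *bm |= bit; }
}

/* Memory write: a write invalidates every other thread's copy of the line,
 * so compare against "only my bit"; if other bits were set, count an
 * invalidation, then leave just our own bit. */
void on_write(int tid, const void *addr) {
    uint32_t *bm = line_bitmap(addr), bit = 1u << tid;
    if (!(*bm & bit)) misses++;
    if (*bm & ~bit) invalidations++;
    *bm = bit;
}

/* Replay the slide's parallel_sum loop for two threads with a constructed
 * round-robin interleaving.  stride is the distance between local_sum[0]
 * and local_sum[1].  Returns the number of invalidations. */
long simulate(size_t stride, int iters) {
    memset(shadow, 0, sizeof shadow);
    misses = invalidations = 0;
    for (int i = 0; i < iters; i++) {
        for (int tid = 0; tid < 2; tid++) {
            const uint8_t *buf_i = app_mem + 1024 + tid * 512 + 4 * i;  /* thread's own buf range */
            uint8_t *slot = app_mem + tid * stride;                      /* local_sum[tid] */
            on_read(tid, buf_i);                 /* buf[i] */
            on_read(tid, slot);                  /* local_sum[myid] += ... reads the slot ... */
            on_write(tid, slot);                 /* ... then writes it back */
        }
    }
    return invalidations;
}
long last_misses(void) { return misses; }

int main(void) {
    printf("no padding: %ld invalidations, %ld misses\n", simulate(8, 100), last_misses());
    printf("padding:    %ld invalidations, %ld misses\n", simulate(64, 100), last_misses());
    return 0;
}
```

With the two slots on one line every update after the first invalidates the other thread's copy (199 invalidations in 100 iterations); padded onto separate lines there are none, which is the effect the timing table on slide 40 measured.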
![Page 44: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/44.jpg)
Concurrency Inspection
Profiling
• Cache contention
• False sharing
• Multi-thread communication
Debugging
• Data race detection
• Deterministic record and replay
Security
• Deterministic scheduling
44
![Page 45: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/45.jpg)
Other Possible Applications
Performance
• Cross-architectural performance estimation
Debugging
• Integration with a debugger with reverse execution
Security
• Sandboxing
Others
• Dynamic translation
45
![Page 46: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/46.jpg)
Outline
Base System: DynamoRIO
• Efficient
• Transparent
• Comprehensive
• Customizable
Dynamic Program Inspectors
• Examples and Possibilities
• Case studies: Program shepherding, Dr. Memory
46
![Page 47: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/47.jpg)
Anatomy of a Memory-Based Attack
(figure: the stages of an attack against system and application memory, arriving over the network and reaching the kernel: ENTER → CORRUPT DATA → HIJACK PROGRAM COUNTER → COMPROMISE)
47
![Page 48: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/48.jpg)
Critical Data: Control Flow Indirection
Subroutine calls
• Return address and activation records on the visible stack
Dynamic library linking
• Function exports and imports
Object oriented polymorphism: dynamic dispatch
• Vtables
Callbacks – registered function pointers
• Event dispatch, atexit
Exception handling
"Any problem in computer science can be solved with another layer of indirection."
- David Wheeler
48
![Page 49: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/49.jpg)
Critical Data: Control Flow Exploits
Return address overwrite
• Classic buffer overflow
GOT overwrite
Object pointer overwrite or uninitialized use
Function pointer overwrite
• Heap, stack, data, PEB
Exception handler overwrites
• SEH exploits
"Any problem in computer science can be solved with another layer of indirection. But that usually will create another problem."
- David Wheeler
49
![Page 50: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/50.jpg)
Preventing Data Corruption Is Difficult
Stored program addresses legitimately manipulated by many different entities
• Dynamic linker, language runtime
Intermingled with regular data
• Return addresses on stack
• Vtables in heap
Even if could distinguish a good write from a bad write, too expensive to monitor all data writes
50
![Page 51: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/51.jpg)
Insight: Hijack Violates Execution Model
(figure: within the full hardware interface, a typical application stays inside its execution model, while a security attack steps outside that model)
51
![Page 52: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/52.jpg)
Goal: Shrink Hardware Interface
(figure: a constrained hardware interface that only admits the execution model of a typical application leaves no room for the security attack)
52
![Page 53: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/53.jpg)
Program Shepherding
Monitor all control-flow transfers during program execution
• DynamoRIO is in perfect position to do this
Validate that each transfer satisfies security policy based on execution model
• Application Binary Interface (ABI): calling convention, library invocation
The application may be damaged by data corruption, but the system will not be compromised by hijacking control flow
53
![Page 54: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/54.jpg)
Technique 1: Restricted Code Origins
(figure: at instrumentation time, program shepherding checks the origin of each block of application code before it enters the basic block cache or trace cache, distinguishing unmodified code from modified code)
54
![Page 55: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/55.jpg)
Technique 2: Restricted Control Transfers
(figure: calls, returns and jumps between the application's blocks (A-F of foo() and bar()) are checked by program shepherding: direct transfers at instrumentation time, indirect transfers in the indirect branch lookup)
55
![Page 56: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/56.jpg)
Technique 3: Un-circumventable Sandboxing
(figure: a system call in block B is wrapped as pre-check, system call, post-check; a jump from block C that targets the system call itself, bypassing the pre-check, is not permitted, so the checks cannot be skipped)
56
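Added example, not DynamoRIO's or Determina's code: a simplified policy checker for the three techniques over a constructed address layout (the regions, entry points and syscall site addresses are assumptions, and record_code_write() stands in for the page-protection mechanism DynamoRIO uses to notice writes to code). The slides only name the ABI-based policy, so the concrete rules here, return-site matching via a shadow stack, calls restricted to known entry points, and indirect jumps confined to their module, are simplifications.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t pc_t;
enum xfer { XFER_CALL, XFER_RET, XFER_JMP };

/* Technique 1, restricted code origins: code may only run from regions that
 * were loaded as code and have not been written since. */
struct region { const char *name; pc_t start, end; int modified; };
static struct region regions[] = {       /* constructed address layout */
    { "app.text",  0x1000, 0x2000, 0 },
    { "libc.text", 0x7000, 0x8000, 0 },
};
#define NREGIONS (sizeof regions / sizeof regions[0])

static struct region *region_of(pc_t pc) {
    for (size_t i = 0; i < NREGIONS; i++)
        if (pc >= regions[i].start && pc < regions[i].end) return &regions[i];
    return NULL;
}
void record_code_write(pc_t pc) {        /* a write to a code page taints the region */
    struct region *r = region_of(pc);
    if (r) r->modified = 1;
}

/* Technique 2, restricted control transfers (simplified ABI rules): indirect
 * calls may only target known entry points, a return must go back to the
 * return address recorded when the call was made (shadow stack), and an
 * indirect jump must stay inside the module it came from. */
static const pc_t entry_points[] = { 0x7100, 0x1200 };   /* constructed */
static pc_t shadow_stack[64];
static int  sp;

static int is_entry(pc_t pc) {
    for (size_t i = 0; i < sizeof entry_points / sizeof entry_points[0]; i++)
        if (entry_points[i] == pc) return 1;
    return 0;
}

/* Technique 3, un-circumventable sandboxing: a system call instruction may
 * be reached only from its own pre-check, never by jumping around it. */
struct syscall_site { pc_t precheck, syscall, postcheck; };
static const struct syscall_site sites[] = { { 0x7800, 0x7804, 0x7808 } };

/* Validate one control transfer; ret_addr is the fall-through pc of a call.
 * Returns 1 if the transfer satisfies the policy, 0 if it is a violation. */
int check_transfer(enum xfer kind, pc_t src, pc_t dst, pc_t ret_addr) {
    struct region *r = region_of(dst);
    if (r == NULL || r->modified) return 0;        /* not original, unmodified code */
    for (size_t i = 0; i < sizeof sites / sizeof sites[0]; i++)
        if (dst == sites[i].syscall && src != sites[i].precheck) return 0;
    switch (kind) {
    case XFER_CALL:
        if (!is_entry(dst) || sp >= 64) return 0;
        shadow_stack[sp++] = ret_addr;
        return 1;
    case XFER_RET:
        if (sp == 0 || shadow_stack[sp - 1] != dst) return 0;
        sp--;
        return 1;
    case XFER_JMP:
        return region_of(src) == r;
    }
    return 0;
}

/* Constructed sequence of transfers; each result is one bit of the return value. */
int run_policy_demo(void) {
    int bits = 0, n = 0;
    sp = 0;
    for (size_t i = 0; i < NREGIONS; i++) regions[i].modified = 0;
#define STEP(expr) bits |= ((expr) ? 1 : 0) << n++
    STEP(check_transfer(XFER_CALL, 0x1500, 0x7100, 0x1506));  /* app calls a libc entry: ok */
    STEP(check_transfer(XFER_RET,  0x7140, 0x1506, 0));       /* returns to the call site: ok */
    STEP(check_transfer(XFER_CALL, 0x1500, 0x7200, 0x1506));  /* mid-function target: violation */
    STEP(check_transfer(XFER_CALL, 0x1500, 0x7100, 0x1506));  /* ok again */
    STEP(check_transfer(XFER_RET,  0x7140, 0x1900, 0));       /* valid code, wrong return site */
    STEP(check_transfer(XFER_RET,  0x7140, 0x4000, 0));       /* address in data, not code */
    STEP(check_transfer(XFER_RET,  0x7140, 0x1506, 0));       /* the legitimate return: ok */
    STEP(check_transfer(XFER_JMP,  0x1500, 0x1800, 0));       /* intra-module jump: ok */
    STEP(check_transfer(XFER_JMP,  0x7700, 0x7804, 0));       /* lands on the syscall, skipping pre-check */
    STEP(check_transfer(XFER_JMP,  0x7700, 0x7800, 0));       /* to the pre-check: ok */
    STEP(check_transfer(XFER_JMP,  0x7800, 0x7804, 0));       /* pre-check to syscall: ok */
    record_code_write(0x1a00);                                 /* an app code page was written */
    STEP(check_transfer(XFER_JMP,  0x1500, 0x1a00, 0));       /* modified code: violation */
#undef STEP
    return bits;   /* allowed steps 0,1,3,6,7,9,10 -> 0x6CB = 1739 */
}

int main(void) {
    printf("policy results = 0x%x (expected 0x6cb)\n", run_policy_demo());
    return 0;
}
```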
![Page 57: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/57.jpg)
Minimal False Positives
Carefully crafted security policies
Automated exemption generation: ‘staging mode’
Determina, Inc: 50 customers, 10,000 machines
• No false positives in MSFT apps
• <50 unique false positives in 3rd party libraries
We treated these false positives as bugs rather than customer driven policies
• Radically different from other security products
57
![Page 58: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/58.jpg)
Outline
Base System: DynamoRIO
• Efficient
• Transparent
• Comprehensive
• Customizable
Dynamic Program Inspectors
• Examples and Possibilities
• Case studies: Program shepherding, Dr. Memory
58
![Page 59: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/59.jpg)
Memory Bugs
Memory bugs are challenging to detect and fix
• Memory corruption, reading uninitialized memory, memory leaks
Observable symptoms resulting from memory bugs are often delayed and non-deterministic
• Errors are difficult to discover during regular testing
• Testing usually relies on randomly happening to hit visible symptoms
• The sources of these bugs are painful and time-consuming to track down from observed crashes
Memory bugs often remain in shipped products and can show up in customer usage
59
![Page 60: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/60.jpg)
Dr. Memory
Detects unaddressable memory accesses
• Wild access to an invalid address
• Use-after-free
• Buffer and array overflow and underflow
• Read beyond the top of the stack
• Invalid free, double free
Detects uninitialized memory reads
Detects memory leaks
60
![Page 61: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/61.jpg)
Implementation Strategy
Track the state of application memory using shadow memory
• Track whether allocated and whether defined
Monitor every memory-related action by the application:
• System call
• Malloc, realloc, calloc, free, mmap, munmap, mremap
• Memory read or write
• Stack adjustment
At exit or on request, scan memory to check for leaks
61
![Page 62: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/62.jpg)
Shadow Metadata
Shadow each byte of memory + registers with 1 of 3 states: unaddressable, uninitialized, defined
(state diagram)
• unaddressable → uninitialized: allocate (malloc, stack)
• unaddressable → defined: allocate (mmap, calloc)
• uninitialized → defined: write
• uninitialized → unaddressable: deallocate
• defined → unaddressable: deallocate
62
![Page 63: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/63.jpg)
Shadow Memory
(figure: a stack beside its shadow stack and a heap beside its shadow heap; stack bytes are shadowed as defined, uninit or unaddr; for each heap allocation the malloc header, redzones and padding are shadowed as unaddr and the application data as uninit or defined; a freed chunk is shadowed as unaddr)
63
![Page 64: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/64.jpg)
The Uninitialized Whole Word Problem
Sub-word variables are moved around as whole words
• A sub-word field is often initialized as a sub-word yet copied as a whole word
• Reads involved in copying should not raise errors
Solution: report errors on “meaningful” reads only
• Use in a compare, conditional branch, address register, or system call
Requires propagating metadata and shadowing registers
• Shadow metadata mirrors application data flow
(figure: a 4-byte word (byte 0 to byte 3) whose bytes are shadowed init or uninit, carried through "Initialize 16 bits", then "Copy 32 bits", then "Compare 16 bits", with the per-byte shadow state propagated at each step)
64
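Added example, not Dr. Memory's code: the three-state shadow scheme of the state diagram and the whole-word rule above as a small C model with a bump allocator and one shadowed 32-bit register. Copies propagate shadow state without reporting; only a meaningful use of the register reports. The heap size, the bump allocator and the single register are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The three shadow states from the state diagram. */
enum shadow_state { UNADDR = 0, UNINIT = 1, DEFINED = 2 };

#define HEAP_BYTES 256
static uint8_t  heap[HEAP_BYTES];          /* constructed application heap */
static uint8_t  shadow_mem[HEAP_BYTES];    /* one shadow byte per application byte */
static uint8_t  shadow_reg[4];             /* shadow for one 32-bit register */
static uint32_t reg;
static size_t   bump;                      /* bump allocator position */
static int unaddr_errors, uninit_errors;

static void reset(void) {
    memset(shadow_mem, UNADDR, sizeof shadow_mem);   /* nothing allocated yet */
    memset(shadow_reg, DEFINED, sizeof shadow_reg);
    bump = 0; reg = 0; unaddr_errors = uninit_errors = 0;
}

/* allocate: malloc -> uninitialized; calloc/mmap -> defined (zero-filled) */
size_t app_alloc(size_t n, int zeroed) {
    size_t p = bump;
    bump += n;
    memset(shadow_mem + p, zeroed ? DEFINED : UNINIT, n);
    if (zeroed) memset(heap + p, 0, n);
    return p;
}
/* deallocate: back to unaddressable from either state */
void app_free(size_t p, size_t n) { memset(shadow_mem + p, UNADDR, n); }

static int addressable(size_t p, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (shadow_mem[p + i] == UNADDR) { unaddr_errors++; return 0; }
    return 1;
}

/* write: an unaddressable target is an error; otherwise the bytes become defined */
void app_write(size_t p, size_t n, uint32_t value) {
    if (!addressable(p, n)) return;
    memcpy(heap + p, &value, n);
    memset(shadow_mem + p, DEFINED, n);
}

/* mov mem -> reg: the shadow metadata mirrors the data flow, and no
 * uninitialized error is raised even if some of the bytes are UNINIT */
void app_load(size_t p, size_t n) {
    if (!addressable(p, n)) return;
    memset(shadow_reg, DEFINED, sizeof shadow_reg);
    memcpy(shadow_reg, shadow_mem + p, n);
    reg = 0;
    memcpy(&reg, heap + p, n);
}

/* a "meaningful" use (compare, branch, address, syscall) of the low n bytes
 * of the register: this is where an uninitialized read is reported */
int app_use(size_t n) {
    for (size_t i = 0; i < n; i++)
        if (shadow_reg[i] == UNINIT) { uninit_errors++; return 1; }
    return 0;
}

/* The slide's sequence: initialize 16 bits, copy 32, compare 16, compare 32.
 * Returns the uninit error count after each step, packed as decimal digits. */
int scenario_whole_word(void) {
    reset();
    size_t p = app_alloc(4, 0);           /* malloc(4): all four bytes UNINIT */
    app_write(p, 2, 0x1234);              /* initialize 16 bits: bytes 0-1 DEFINED */
    app_load(p, 4);                       /* copy 32 bits: no report */
    int after_copy = uninit_errors;
    app_use(2);                           /* compare 16 bits: no report */
    int after_cmp16 = uninit_errors;
    app_use(4);                           /* compare 32 bits: reported */
    return after_copy * 100 + after_cmp16 * 10 + uninit_errors;   /* 1 */
}

/* Use-after-free: the freed bytes return to UNADDR and the load is reported. */
int scenario_use_after_free(void) {
    reset();
    size_t p = app_alloc(8, 1);           /* calloc(8): DEFINED from the start */
    app_load(p, 4); app_use(4);           /* fine: no uninit error */
    app_free(p, 8);
    app_load(p, 4);                       /* unaddressable: reported */
    return unaddr_errors * 10 + uninit_errors;   /* 10 */
}

int main(void) {
    printf("whole word: %d (expected 1)\n", scenario_whole_word());
    printf("use after free: %d (expected 10)\n", scenario_use_after_free());
    return 0;
}
```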
![Page 65: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/65.jpg)
Memory Leaks
Dr. Memory uses reachability-based leak detection
• A leak is memory that is no longer reachable by the application
• Memory that is never freed is not considered a leak: it is acceptable to not free memory whose lifetime matches the process lifetime
At exit time, or on request, perform leak analysis
• Similar to mark-and-sweep garbage collection
Dr. Memory divides all allocated memory into categories based on how it can be reached by live application pointers
• Any pointer-aligned and initialized pointer-sized word is considered a potential pointer
65
![Page 66: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/66.jpg)
Heap Usage and Staleness
Memory usage statistics
• Snapshots of memory usage spaced uniformly across execution
• Drill down by allocation callstack
“Staleness” information
• Record the time at which each allocation was last accessed
• Helps identify "logical memory leaks", where memory is still reachable but is no longer needed
• Also identifies “hotness” of heap objects
Approach
• Shadow memory state is touched or not touched
• Periodically sample the shadow state and update timestamps
66
![Page 67: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/67.jpg)
Fastpath and Slowpath
Fastpath = carefully hand-crafted machine-code kernels
• Obtain shadow metadata, combine, and propagate: inlined
• Handle stack pointer updates: lean procedure
Slowpath = clean call to C code
• Unaligned memory references
• Complex instructions
• Allocation library routine and system call handling
• Error reporting
67
![Page 68: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/68.jpg)
Performance Comparison
(chart; some benchmark bars are marked "Valgrind failed")
68
![Page 69: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/69.jpg)
Outline
Base System: DynamoRIO
• Efficient
• Transparent
• Comprehensive
• Customizable
Dynamic Program Inspectors
• Examples and Possibilities
• Case studies
Wrap-up
69
![Page 70: Building Customized Dynamic Program Inspectors](https://reader038.fdocuments.net/reader038/viewer/2022110103/56814331550346895dafa4d5/html5/thumbnails/70.jpg)
More Information
Web
• http://dynamorio.org
• http://drmemory.org
• http://groups.google.com/group/dynamorio-users
• http://groups.google.com/group/drmemory-users
70