1

Dynamic Emulation and Dynamic Emulation and Fault-Injection using Fault-Injection using

DyninstDyninst

Presented by:Presented by:

Rean GriffithRean Griffith

Programming Systems Lab (PSL)Programming Systems Lab (PSL)

rg2023@cs.columbia.edurg2023@cs.columbia.edu

2

OverviewOverview

IntroductionIntroduction BackgroundBackground Dynamic Emulation ExampleDynamic Emulation Example Solution RequirementsSolution Requirements Dyninst Modifications NecessaryDyninst Modifications Necessary On-going Fault-injection Tool On-going Fault-injection Tool

DevelopmentDevelopment ConclusionsConclusions

3

IntroductionIntroduction

We are working on the design and We are working on the design and evaluation of self-healing systems.evaluation of self-healing systems.

Based on two techniquesBased on two techniques Runtime-adaptations (technical)Runtime-adaptations (technical) Mathematical models of failures & Mathematical models of failures &

recovery (analytical)recovery (analytical)

4

Role of Runtime-Role of Runtime-AdaptationsAdaptations

Fault-DetectionFault-Detection Transparently adding/modifying Transparently adding/modifying

detection mechanismsdetection mechanisms Replacing/removing under-performing Replacing/removing under-performing

mechanismsmechanisms Failure-DiagnosisFailure-Diagnosis

In-situ diagnosis of systems (drill-down)In-situ diagnosis of systems (drill-down) In-vivo testing (ghost transactions)In-vivo testing (ghost transactions)

System-RepairsSystem-Repairs Dynamic fine-grained or coarse-Dynamic fine-grained or coarse-

grained repairsgrained repairs

5

Dynamic Emulation Dynamic Emulation ExampleExample

Proof-of-concept dynamic emulation Proof-of-concept dynamic emulation support for applications using Kheiron/C support for applications using Kheiron/C (mutator)(mutator) Allows select portions of an application to run Allows select portions of an application to run

on an x86 emulator rather than on the raw on an x86 emulator rather than on the raw CPUCPU

Security-oriented self-healing mechanismSecurity-oriented self-healing mechanism Allows users to:Allows users to:

Limit the impact of un-patched vulnerabilitiesLimit the impact of un-patched vulnerabilities Test/verify interim (auto-generated) patchesTest/verify interim (auto-generated) patches Manage the performance impact of whole-Manage the performance impact of whole-

program emulationprogram emulation

6

Background on the x86 Background on the x86 EmulatorEmulator

Selective Transaction Emulator Selective Transaction Emulator (STEM)(STEM) An x86 instruction-level emulator An x86 instruction-level emulator

developed by Michael Locasto, Stelios developed by Michael Locasto, Stelios Sidiroglou-Douskos, Stephen Boyd and Sidiroglou-Douskos, Stephen Boyd and Prof. Angelos KeromytisProf. Angelos Keromytis

Developed as a recovery mechanism for Developed as a recovery mechanism for illegal memory references, division by illegal memory references, division by zero exceptions and buffer overflow zero exceptions and buffer overflow attacksattacks

7

Big Picture Idea for Big Picture Idea for STEMSTEM

Building a Reactive Immune System for Software Systems, Stelios Sidiroglou Michael E. Locasto Stephen W. Boyd Angelos D. Keromytis

USENIX 2005

8

Limitations of the Original Limitations of the Original STEMSTEM

Inserted via source-codeInserted via source-code Manual identification of locations to emulateManual identification of locations to emulate Re-compilation and (static) re-linking needed Re-compilation and (static) re-linking needed

to emulate different sections of an to emulate different sections of an applicationapplication

Minimum observed runtime over-head of Minimum observed runtime over-head of 30%.30%.

9

Proposed SolutionProposed Solution

Dynamic,No

re-compilation

10

Solution RequirementsSolution Requirements

Dynamic Loading of the STEM x86 Dynamic Loading of the STEM x86 Emulator.Emulator.

Clean CPU-to-Emulator handoffClean CPU-to-Emulator handoff Correct Emulator initializationCorrect Emulator initialization Correct Emulator executionCorrect Emulator execution

Clean Emulator-to-CPU handoffClean Emulator-to-CPU handoff Correct Emulator unloadCorrect Emulator unload

11

Requirements Met Out-of-Requirements Met Out-of-the-Box by Dyninst 5.0.1the-Box by Dyninst 5.0.1

Dynamic Loading of the STEM x86 Dynamic Loading of the STEM x86 Emulator.Emulator.

Clean CPU-to-Emulator handoffClean CPU-to-Emulator handoff Correct Emulator initializationCorrect Emulator initialization Correct Emulator executionCorrect Emulator execution

Clean Emulator-to-CPU handoffClean Emulator-to-CPU handoff Correct Emulator unloadCorrect Emulator unload

But…with a few simple modifications to But…with a few simple modifications to Dyninst, Dyninst,

we are able to satisfy all these we are able to satisfy all these requirements.requirements.

12

Unmodified Dyninst Unmodified Dyninst OperationOperation

13

Dynamic STEM Dynamic STEM OperationOperation

14

Correct Emulator Correct Emulator InitializationInitialization

– Dyninst Modifications – Dyninst Modifications Emitter32::emitBTSaves modificationsEmitter32::emitBTSaves modifications

Save CPU state before instrumentation on Save CPU state before instrumentation on the real CPU stack AND at a location in the the real CPU stack AND at a location in the target program address space (Register target program address space (Register storage area address)storage area address)

Save the instructions mangled by inserting Save the instructions mangled by inserting the trampoline at a KNOWN location in the the trampoline at a KNOWN location in the target program address space (Code storage target program address space (Code storage area address)area address)

instPoint, BPatch_point modificationsinstPoint, BPatch_point modifications Added extra fields and methods to the type Added extra fields and methods to the type

definitions to set/get the extra informationdefinitions to set/get the extra information

15

Dynamic Emulation Dynamic Emulation Mutator SnippetMutator Snippet

16

Correct Emulator Correct Emulator ExecutionExecution

Register storage area address used Register storage area address used to initialize STEM’s registersto initialize STEM’s registers

Code storage area address used to Code storage area address used to prime STEM’s execution pipelineprime STEM’s execution pipeline

STEM tracks its current stack depthSTEM tracks its current stack depth Initially set to 0Initially set to 0 Call and Return instructions modify the Call and Return instructions modify the

stack depthstack depth A return instruction at depth 0 signals A return instruction at depth 0 signals

the end of emulationthe end of emulation

17

Correct Emulator UnloadCorrect Emulator Unload

CleanupCleanup Copy emulator registers to real CPU registersCopy emulator registers to real CPU registers Push the saved_eip onto the real CPU stackPush the saved_eip onto the real CPU stack Make it the return address for the current Make it the return address for the current

stack frame – pop it into 4(%ebp)stack frame – pop it into 4(%ebp) Push the saved_ebp onto the real cpu stackPush the saved_ebp onto the real cpu stack Restore that value into the real EBP registerRestore that value into the real EBP register

18

Current StatusCurrent Status

Doesn’t crash on our simple test programs.Doesn’t crash on our simple test programs. Correct computation results for these Correct computation results for these

programs.programs. Multiple emulator entries/exits e.g. in a Multiple emulator entries/exits e.g. in a

loop.loop. More refinements to x86 emulator needed More refinements to x86 emulator needed

to support more complicated programsto support more complicated programs Emulator-state rollbacks in the worksEmulator-state rollbacks in the works Clean up the CPU-to-Emulator and Emulator-Clean up the CPU-to-Emulator and Emulator-

to-CPU handoffsto-CPU handoffs

19

Role of Runtime-Role of Runtime-AdaptationsAdaptations

Fault-DetectionFault-Detection Transparently adding/modifying detection Transparently adding/modifying detection

mechanismsmechanisms Replacing/removing under-performing mechanismsReplacing/removing under-performing mechanisms

Failure-DiagnosisFailure-Diagnosis In-situ diagnosis of systems (drill-down)In-situ diagnosis of systems (drill-down) In-vivo testing (ghost transactions)In-vivo testing (ghost transactions)

System-RepairsSystem-Repairs Dynamic fine-grained or coarse-grained repairsDynamic fine-grained or coarse-grained repairs

Fault-InjectionFault-Injection Exercise the detection, diagnosis and repair Exercise the detection, diagnosis and repair

mechanisms so we can perform a quantitative mechanisms so we can perform a quantitative evaluationevaluation

20

Fault-Injection Tool Fault-Injection Tool DevelopmentDevelopment Kheiron/CLR and Kheiron/JVMKheiron/CLR and Kheiron/JVM

Fault-injection tools for .NET applications and Fault-injection tools for .NET applications and JVM applications/application-servers based JVM applications/application-servers based runtime adaptations (bytecode-rewriting)runtime adaptations (bytecode-rewriting)

Kheiron/C extensionsKheiron/C extensions Dynamic fault-injection tool for databases Dynamic fault-injection tool for databases

using Dyninst. Specifically targeting the query using Dyninst. Specifically targeting the query (re)-planning and processing sub-systems of (re)-planning and processing sub-systems of the databasethe database

Device driver fault-injection tools for Device driver fault-injection tools for Linux 2.4, Linux 2.6, Windows 2003 Linux 2.4, Linux 2.6, Windows 2003 Server and Solaris 10Server and Solaris 10 Evaluating device-driver recovery frameworks Evaluating device-driver recovery frameworks

e.g. Nooks and Solaris 10 Fault Isolation e.g. Nooks and Solaris 10 Fault Isolation ServicesServices

21

ConclusionsConclusions

We have described and implemented We have described and implemented an example of dynamically inserting an example of dynamically inserting and removing a recovery mechanism and removing a recovery mechanism based on selective emulation.based on selective emulation.

More work needs to be done to More work needs to be done to polish our prototype and polish our prototype and experimentally evaluate the efficacy experimentally evaluate the efficacy of this recovery mechanism.of this recovery mechanism.

22

AcknowledgementsAcknowledgements

This work was conducted under the This work was conducted under the supervision of Prof. Gail Kaiser and supervision of Prof. Gail Kaiser and with the help of Stelios with the help of Stelios Sidiroglou We would like to thank Matthew We would like to thank Matthew

Legendre, Drew Bernat and the Dyninst Legendre, Drew Bernat and the Dyninst Team for their assistance/guidance as Team for their assistance/guidance as we worked with Dyninst 4.2.1 and we worked with Dyninst 4.2.1 and Dyninst 5.0.1 to develop our dynamic Dyninst 5.0.1 to develop our dynamic emulation techniques.emulation techniques.

23

Thank YouThank You

Questions, Comments Queries?Questions, Comments Queries?

For more details please contact:For more details please contact:Rean GriffithRean Griffith

Programming Systems Lab Columbia Programming Systems Lab Columbia UniversityUniversity

rg2023@cs.columbia.edurg2023@cs.columbia.edu