dynamic instrumentation
TRANSCRIPT
![Page 1: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/1.jpg)
Dynamic instrumentation techniques
Ahmad Shahnejat and Michel Dagenais, May 06
1
![Page 2: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/2.jpg)
OUTLINE
● Introduction to dynamic instrumentation
● Trap instruction
● Instruction punning technique
● Proposed compiler-assisted technique 1
● Proposed technique 2
● Proposed technique 3
● Conclusion and future work
![Page 3: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/3.jpg)
INT3 (0xCC encoding)
![Page 4: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/4.jpg)
Trap-based vs. jump-based probes
Trap-based probes:
● use an interrupt handler
● are encoded in a single byte (INT3 in the x86 instruction set), so they fit at any probe site and can be written atomically
● slow the instrumented code down substantially on every hit (the interrupt and the user-to-kernel switch)
● are therefore usually the last option
Jump-based probes:
● redirect control flow directly to a trampoline rather than through a signal handler
● have low invocation overhead
● overwrite neighbouring instructions, which is unsound if the probed instruction is shorter than the jump
![Page 5: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/5.jpg)
Fasttp vs. new techniques
[Figure: left, a trap-based probe: the trap in the function leaves user space for the kernel trap handler before the tracing code runs; right, a jump-based probe: a jmp from the function to a user-space trampoline runs the tracing code and a second jmp returns to the function.]
![Page 6: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/6.jpg)
Jump-based tracepoints
● If the probe site holds an instruction exactly five bytes long, the jmp replaces it exactly
![Page 7: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/7.jpg)
Jump-based tracepoints
● If the probe site holds an instruction longer than five bytes, the jmp replaces its first five bytes and the rest of the instruction becomes dead bytes
![Page 8: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/8.jpg)
Jump-based tracepoints
● If the probe site holds an instruction shorter than five bytes, the jmp spills over the following instruction(s); this is unsound if anything can enter at one of those boundaries
![Page 9: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/9.jpg)
Instruction punning technique
[Figure: probe site, offsets 0-8. Original instructions: I1 = 53 at offset 0 (push %rbx), I2 = 48 89 c3 at offsets 1-3 (mov %rax,%rbx), I3 = 48 8d 45 80 at offsets 4-7 (lea -0x80(%rbp),%rax), I4 = 53 at offset 8. After the pun the window reads e9 48 89 c3 48 8d 45 80 53: the jmp opcode replaces I1 and the next four bytes stay as they were. A second byte row, 5b 48 89 c3 48 8d 45 80 (pop %rbx ...), also appears in the figure.]
● By injecting a jump instruction, the relative offset of the jump serves simultaneously as data (the displacement) and as a sequence of instruction(s) (the original code bytes).
![Page 10: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/10.jpg)
Instruction punning technique
● If the probe site holds an instruction shorter than 5 bytes
![Page 11: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/11.jpg)
Instruction punning technique
● Only one pun is available for the jump probe: the four displacement bytes are dictated by the original code, so there is exactly one address at which the trampoline can live
![Page 12: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/12.jpg)
Instruction punning technique
![Page 13: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/13.jpg)
Fasttp technique
● Maximal use of trap instructions
[Figure: probe site with instructions I1 to I6 starting at offsets 0, 1, 4, 8, 12 and 16. The patched window is e9 CC ?? CC ??: a jmp at offset 0 whose displacement bytes hold an int3 (CC) at the instruction boundaries inside the window and free bytes (??) elsewhere, so a thread arriving at a boundary traps instead of executing a torn instruction.]
![Page 14: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/14.jpg)
Compiler-assisted technique 1
● Force the compiler to leave space between functions
● This has a hidden cost
[Figure: normal placement packs F1, F2 and F3 back to back; compiler-assisted placement leaves space between the functions.]
![Page 15: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/15.jpg)
Trampoline (the same sequence for the entry and the exit probe):
1- Save registers
2- Instrumentation
3- Restore registers
4- Execute the original instructions
5- Jump back
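The five steps above as an added worked example (not the authors' prototype or the Fasttp code): a jump-based probe on x86-64 Linux. The probed function is written in assembly so that its first instruction is a 5-byte NOP, i.e. a probe site that a jmp rel32 replaces exactly; the trampoline saves registers, calls a C hook, restores them, executes the displaced NOP and jumps back. The helper names, the NOP-at-entry layout and the stack alignment adjustment are this example's own choices; the decode helper is checked against slide 25's e9 48 89 c3 48 = jmp 0x48c3894d.

```c
/* Jump-based probe with a trampoline (added example).  Assumed: x86-64 Linux,
 * GCC or Clang.  Build: gcc -O2 -o jmp_probe jmp_probe.c && ./jmp_probe */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* jmp rel32: the displacement is relative to the end of the 5-byte instruction. */
int encode_jmp_rel32(uint8_t out[5], uintptr_t site, uintptr_t dst)
{
    intptr_t rel = (intptr_t)dst - (intptr_t)(site + 5);
    if (rel < INT32_MIN || rel > INT32_MAX)
        return -1;                              /* trampoline not within +/-2 GiB */
    uint32_t u = (uint32_t)(int32_t)rel;
    out[0] = 0xe9;
    for (int i = 0; i < 4; i++)                 /* little-endian displacement */
        out[1 + i] = (uint8_t)(u >> (8 * i));
    return 0;
}

/* Target of a jmp/call rel32 whose opcode byte sits at `site`.
 * Slide 25: with site 0, e9 48 89 c3 48 is jmp 0x48c3894d. */
uintptr_t decode_rel32_target(const uint8_t ins[5], uintptr_t site)
{
    uint32_t u = (uint32_t)ins[1] | (uint32_t)ins[2] << 8 |
                 (uint32_t)ins[3] << 16 | (uint32_t)ins[4] << 24;
    return (uintptr_t)((intptr_t)site + 5 + (int32_t)u);
}

uint8_t demo_jmp[5];                            /* scratch buffer for callers */

#if defined(__x86_64__) && defined(__linux__)
volatile long probe_hits, probe_last_arg;
void probe_hook(long arg) { probe_hits++; probe_last_arg = arg; }

long probed_fn(long x);                         /* both defined in the asm block */
void probe_trampoline(void);

__asm__(
    ".text\n"
    ".globl probed_fn\n.type probed_fn,@function\n"
    "probed_fn:\n"
    "  .byte 0x0f,0x1f,0x44,0x00,0x00\n"        /* 5-byte NOP: the probe site */
    "  lea 1(%rdi), %rax\n"                     /* probed_fn(x) == x + 1 */
    "  ret\n"
    ".globl probe_trampoline\n.type probe_trampoline,@function\n"
    "probe_trampoline:\n"
    "  pushfq\n"                                /* 1. save flags and caller-saved registers */
    "  push %rax\n  push %rcx\n  push %rdx\n  push %rsi\n  push %rdi\n"
    "  push %r8\n  push %r9\n  push %r10\n  push %r11\n"
    "  sub $8, %rsp\n"                          /*    keep %rsp 16-byte aligned for the call */
    "  call probe_hook\n"                       /* 2. instrumentation; %rdi still holds x */
    "  add $8, %rsp\n"
    "  pop %r11\n  pop %r10\n  pop %r9\n  pop %r8\n"
    "  pop %rdi\n  pop %rsi\n  pop %rdx\n  pop %rcx\n  pop %rax\n"
    "  popfq\n"                                 /* 3. restore */
    "  .byte 0x0f,0x1f,0x44,0x00,0x00\n"        /* 4. the displaced original instruction */
    "  jmp probed_fn+5\n"                       /* 5. back to the instruction after the site */
);

/* Write the 5-byte jmp over the site.  A plain memcpy: another thread executing
 * the function concurrently could see a torn instruction (single-threaded demo). */
int patch_probe(uintptr_t site, uintptr_t dst)
{
    uint8_t jmp[5];
    if (encode_jmp_rel32(jmp, site, dst))
        return -1;
    uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = site & ~(pg - 1);
    size_t len = site + 5 - start;              /* two pages if the site straddles one */
    if (mprotect((void *)start, len, PROT_READ | PROT_WRITE | PROT_EXEC))
        return -1;
    memcpy((void *)site, jmp, 5);
    return mprotect((void *)start, len, PROT_READ | PROT_EXEC);
}

/* 0 when the probed function still computes x+1 and the hook saw x exactly once. */
long jump_probe_demo(void)
{
    static long result = 1;                     /* 1 = not run yet */
    if (result != 1)
        return result;
    if (probed_fn(41) != 42 || probe_hits != 0)
        return result = -1;
    if (patch_probe((uintptr_t)probed_fn, (uintptr_t)probe_trampoline))
        return result = -2;                     /* mprotect refused or out of range */
    if (probed_fn(41) != 42 || probe_hits != 1 || probe_last_arg != 41)
        return result = -3;
    return result = 0;
}
#else
long jump_probe_demo(void) { return -100; }     /* live demo needs x86-64 Linux */
#endif

int main(void)
{
    printf("jump_probe_demo: %ld\n", jump_probe_demo());
    return 0;
}
```

The write is the weak point of every jump-based probe: the five bytes are not stored atomically, so a thread already inside the function can fetch a half-written instruction, which is why slide 4 lists the single-byte INT3 as the only option that fits atomically everywhere. A hardened kernel or an SELinux policy that denies executable writable mappings will make mprotect fail and the demo return -2.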
![Page 16: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/16.jpg)
0x0000000000013c8f <+0>:   55             push   %rbp
0x0000000000013c90 <+1>:   48 89 e5       mov    %rsp,%rbp
0x0000000000013c93 <+4>:   53             push   %rbx

0x0000000000013cd8 <+73>:  8b 45 dc       mov    -0x24(%rbp),%eax
0x0000000000013cdb <+76>:  89 c7          mov    %eax,%edi
0x0000000000013cdd <+78>:  e8 2e 88 ff ff callq  0xc510 <exit@plt>

Entry and exit trampolines: 1- save registers, 2- instrumentation, 3- restore registers, 4- original instructions, 5- jump back
![Page 17: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/17.jpg)
0x0000000000013c8f <+0>:   eb             // Entry
0x0000000000013c90 <+1>:   80 89 e5       // Probe
0x0000000000013c93 <+4>:   53             push   %rbx

0x0000000000013cd8 <+73>:  8b 45 dc       mov    -0x24(%rbp),%eax
0x0000000000013cdb <+76>:  89 c7          mov    %eax,%edi
0x0000000000013cdd <+78>:  eb 03 88 ff ff // Exit probe

0x0000000000013c13 <-124>: entry trampoline (1- save registers, 2- instrumentation, 3- restore registers, 4- original instructions, 5- jump back)
0x0000000000013d5f <+83>:  exit trampoline (same five steps)

The entry probe is the 2-byte short jmp eb 80 written over push %rbp and the first byte of mov %rsp,%rbp; the exit probe eb 03 overwrites the first two bytes of the callq. Both land in the space the compiler was forced to leave around the function, before its entry and just past its last instruction.
![Page 18: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/18.jpg)
Technique 2
● Binary overlapping
● Why not use a 2-byte short jump?
● How far can a jump reach?
● Landing on another jump/call
[Figure: a short jmp (eb ??, 2 bytes) reaches 256 B; a jmp rel32 (e9 ?? ?? ?? ??, 5 bytes) reaches 4 GB. Overlapping decode: the bytes e8 e9 43 00 00 48 are callq 0x55555556c456 when decoded from the first byte, but e9 43 00 00 48, decoded from the second byte, is jmp 0x48000048.]
![Page 19: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/19.jpg)
e9 43 00 00 48 = jmp 0x48000048 (relative to address 0: 5 + 0x48000043)
e8 64 48 33 04 = call 0x4334869 (relative to address 0: 5 + 0x04334864)
![Page 20: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/20.jpg)
![Page 21: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/21.jpg)
Technique 2
0x0000555555568068 <+225>: e8 e9 43 00 00   callq  0x55555556c456
0x000055555556806d <+230>: 48 89 c1         mov    %rax,%rcx

0x00005555555680b1 <+298>: e8 18 d0 ff ff   callq  0x5555555650ce   // probe site

0x000055555556810b <+388>: 48 8b 45 e8      mov    -0x18(%rbp),%rax
0x000055555556810f <+392>: 64 48 33 04 25 28 00 00 00   xor    %fs:0x28,%rax

Figure arrows: 74 bytes back from the probe to the e9 inside the callq at <+225>; 91 bytes forward to the e8 inside the mov at <+388>.
![Page 22: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/22.jpg)
Technique 2
0x0000555555568068 <+225>: e8 e9 43 00 00   callq  0x55555556c456
0x000055555556806d <+230>: 48 89 c1         mov    %rax,%rcx

0x00005555555680b1 <+298>: eb b4 d0 ff ff   // short jmp written over the callq; figure arrow: 74 bytes back, onto the e9 inside the callq at <+225>

0x000055555556810b <+388>: 48 8b 45 e8      mov    -0x18(%rbp),%rax
0x000055555556810f <+392>: 64 48 33 04 25 28 00 00 00   xor    %fs:0x28,%rax
![Page 23: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/23.jpg)
Technique 2
0x0000555555568068 <+225>: e8 e9 43 00 00   callq  0x55555556c456
0x000055555556806d <+230>: 48 89 c1         mov    %rax,%rcx

0x00005555555680b1 <+298>: eb 59 d0 ff ff   // short jmp written over the callq; figure arrow: 91 bytes forward, onto the e8 inside the mov at <+388>

0x000055555556810b <+388>: 48 8b 45 e8      mov    -0x18(%rbp),%rax
0x000055555556810f <+392>: 64 48 33 04 25 28 00 00 00   xor    %fs:0x28,%rax
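The search that the three listings above illustrate, as an added example (not the authors' prototype): scan a function's bytes for 0xe8/0xe9 bytes that lie inside other instructions, keep those within short-jmp range of the probe, and report where the hidden jmp/call would carry control. The code bytes are reconstructed from slide 21 with 0x90 filler where the slide shows nothing, and the instruction-boundary table is an assumption that covers only the instructions the slide lists. Measured from the end of the 2-byte short jmp, as the CPU does, the 74-byte hop back onto the e9 at <+226> encodes as eb b6 and the 91-byte hop forward onto the e8 at <+391> as eb 5b.

```c
/* Technique 2 helper: find jmp/call rel32 encodings hidden inside a function's own
 * bytes ("binary overlapping") that a 2-byte short jmp at the probe can reach.
 * Added example; the byte array is constructed from the listing on slide 21. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uintptr_t addr;     /* address of the 0xe8/0xe9 byte */
    uint8_t   opcode;   /* 0xe8 call, 0xe9 jmp */
    int       rel8;     /* short-jmp displacement (from site+2) that lands on it */
    uintptr_t target;   /* where the hidden jmp/call goes: addr + 5 + rel32 */
} overlap_hit;

/* rel32 is measured from the end of the 5-byte instruction. */
static uintptr_t rel32_target(const uint8_t *p, uintptr_t addr)
{
    uint32_t u = (uint32_t)p[1] | (uint32_t)p[2] << 8 |
                 (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24;
    return (uintptr_t)((intptr_t)addr + 5 + (int32_t)u);
}

static int is_insn_start(size_t off, const size_t *starts, int nstarts)
{
    for (int i = 0; i < nstarts; i++)
        if (starts[i] == off) return 1;
    return 0;
}

/* Scan code[0..len) loaded at `base`; `site` is where the 2-byte short jmp will be
 * written.  Offsets in `starts` are real instruction boundaries and are skipped: an
 * e8/e9 there is the binary's own call/jmp, not a hidden one.  Returns the hit count. */
int find_overlapping_rel32(const uint8_t *code, size_t len, uintptr_t base, uintptr_t site,
                           const size_t *starts, int nstarts, overlap_hit *out, int max_out)
{
    int n = 0;
    for (size_t i = 0; i + 5 <= len && n < max_out; i++) {
        if (code[i] != 0xe8 && code[i] != 0xe9) continue;
        if (is_insn_start(i, starts, nstarts)) continue;
        uintptr_t addr = base + i;
        if (addr >= site && addr < site + 2) continue;       /* inside the probe itself */
        intptr_t d = (intptr_t)addr - (intptr_t)(site + 2);  /* rel8 is from the next IP */
        if (d < -128 || d > 127) continue;
        out[n].addr = addr;
        out[n].opcode = code[i];
        out[n].rel8 = (int)d;
        out[n].target = rel32_target(code + i, addr);
        n++;
    }
    return n;
}

/* Encode the 2-byte probe; -1 when dst is out of short-jmp range. */
int encode_short_jmp(uint8_t out[2], uintptr_t site, uintptr_t dst)
{
    intptr_t d = (intptr_t)dst - (intptr_t)(site + 2);
    if (d < -128 || d > 127) return -1;
    out[0] = 0xeb;
    out[1] = (uint8_t)d;
    return 0;
}

/* Constructed reproduction of slide 21: <+0> is at 0x555555567f87. */
#define FN_BASE 0x555555567f87UL
#define FN_LEN  420
static uint8_t fn_code[FN_LEN];
static const size_t fn_starts[] = {225, 230, 298, 388, 392};  /* boundaries the slide shows */
overlap_hit demo_hits[8];
uint8_t demo_short[2];

int demo_technique2(void)
{
    memset(fn_code, 0x90, FN_LEN);                                  /* assumed filler */
    memcpy(fn_code + 225, "\xe8\xe9\x43\x00\x00\x48\x89\xc1", 8);   /* callq; mov %rax,%rcx */
    memcpy(fn_code + 298, "\xe8\x18\xd0\xff\xff", 5);               /* the call being probed */
    memcpy(fn_code + 388, "\x48\x8b\x45\xe8\x64\x48\x33\x04\x25\x28\x00\x00\x00", 13);
    int n = find_overlapping_rel32(fn_code, FN_LEN, FN_BASE, FN_BASE + 298,
                                   fn_starts, 5, demo_hits, 8);
    for (int i = 0; i < n; i++)
        printf("hidden %s at %#lx: short jmp rel8 %d, goes to %#lx\n",
               demo_hits[i].opcode == 0xe9 ? "jmp" : "call",
               (unsigned long)demo_hits[i].addr, demo_hits[i].rel8,
               (unsigned long)demo_hits[i].target);
    return n;
}

int main(void) { return demo_technique2() == 2 ? 0 : 1; }
```

The two hits are the slide's: the e9 inside the callq at <+225> (jmp to site+5+0x48000043, about 1.2 GB above the code) and the e8 inside the mov at <+388> (call to site+5+0x04334864). Either only helps if the trampoline can be mapped at exactly that address, which is what the 4 GB reach on slide 18 buys and what the next slides' placement search has to deliver; a call variant additionally pushes a return address the trampoline has to pop.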
![Page 24: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/24.jpg)
Technique 3
[Figure: the probe site of slide 9: 53 | 48 89 c3 | 48 8d 45 80 | 53 at offsets 0, 1, 4 and 8, with the jmp e9 48 89 c3 48 written over offsets 0-4 and 8d 45 80 53 left at offsets 5-8.]
● Instrumentation of a five-byte location that holds multiple instructions.
● Reusing the suffix of an instruction as a distinct instruction is a trick used mainly in code obfuscation.
● 1st: instruction punning; 2nd: ?
![Page 25: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/25.jpg)
Technique 3
[Figure: offsets 0-8 of the punned window e9 48 89 c3 48 8d 45 80 53; (1) marks the jmp at offset 0, (2) the bytes 48 89 c3 at offsets 1-3, (3) the bytes 48 8d 45 80 at offsets 4-7.]
(1): e9 48 89 c3 48 = jmp 0x48c3894d (relative to address 0: 5 + 0x48c38948)
(2): 48 89 c3 = dec eax; mov ebx,eax
(3): 48 8d 45 80 = dec eax; lea eax,[ebp-0x80]
The decodings of (2) and (3) are what a disassembler in 32-bit mode reports; in 64-bit mode 0x48 is the REX.W prefix, so (2) is mov %rax,%rbx and (3) is lea -0x80(%rbp),%rax, i.e. the original instructions.
Need to be validated
Original instructions: 53 (offset 0), 48 89 c3, 48 8d 45 80, 53 (offset 8)
![Page 26: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/26.jpg)
Technique 3
[Figure: the window of offsets 0-8 with e9 at offsets 0, 1 and 4, i.e. at each instruction boundary of the slide 9 layout, and the original 53 at offset 8; (1) is the jmp at offset 0, (2) the jmp at offset 1, (3) the jmp at offset 4.]
(1): e9 e9 ?? ?? e9  (2 bytes available to manipulate)
(2): e9 ?? ?? e9 ??  (3 bytes available to manipulate)
(3): e9 ?? ?? ?? 53  (3 bytes available to manipulate)
![Page 27: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/27.jpg)
Technique 3
[Figure: the same three overlapping jmps, (1) at offset 0, (2) at offset 1, (3) at offset 4. The two high-order free bytes of each displacement ("2 MSB") are the ones varied: 2^16 alternatives for the two free bytes of (1), 2^24 for the three free bytes of (2) and (3).]
● In practice it typically takes no more than 7 attempts (over the two significant bytes) to map memory for a trampoline, while there are at least 256 alternatives in these cases.
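Trampoline placement for a punned jmp, as an added example that covers both the pure pun of slides 9-12 and 25 (all four displacement bytes fixed, so exactly one trampoline address) and the partially fixed templates of slides 26-27 (free bytes enumerated, highest-order byte first, and the page at each candidate address reserved with mmap until one succeeds). This is not the authors' prototype: the jmp_template layout, TRAMP_BYTES, the probing order and the use of one of its own functions as the probe site are this example's assumptions, and it needs a 64-bit Linux address space.

```c
/* Trampoline placement for punned jumps (added example).
 * Build: gcc -O2 -o place place.c && ./place */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>

#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0   /* older headers: fall back to a hint and verify the result */
#endif
#define TRAMP_BYTES 256         /* assumed upper bound on one trampoline's size */

/* 5-byte window: tmpl[0] is the jmp opcode, tmpl[1..4] the little-endian rel32.
 * fixed[i] != 0 marks a byte dictated by the original code, by an int3 or by a
 * nested jmp at an instruction boundary; the other bytes are free. */
typedef struct { uint8_t tmpl[5]; uint8_t fixed[5]; } jmp_template;

/* Pure punning: the jmp at `site` uses bytes 1..4 of the window as its displacement. */
uintptr_t punned_target(uintptr_t site, const uint8_t window[5])
{
    uint32_t u = (uint32_t)window[1] | (uint32_t)window[2] << 8 |
                 (uint32_t)window[3] << 16 | (uint32_t)window[4] << 24;
    return (uintptr_t)((intptr_t)site + 5 + (int32_t)u);
}

/* Does jmp site -> target reproduce every fixed byte of the template? */
int displacement_matches(uintptr_t site, uintptr_t target, const jmp_template *t)
{
    intptr_t rel = (intptr_t)target - (intptr_t)(site + 5);
    if (rel < INT32_MIN || rel > INT32_MAX) return 0;
    uint32_t u = (uint32_t)(int32_t)rel;
    for (int i = 1; i <= 4; i++)
        if (t->fixed[i] && (uint8_t)(u >> (8 * (i - 1))) != t->tmpl[i]) return 0;
    return 1;
}

static int free_bytes(const jmp_template *t, int idx[4])
{
    int n = 0;
    for (int i = 1; i <= 4; i++)
        if (!t->fixed[i]) idx[n++] = i;         /* low-order to high-order */
    return n;
}

/* Reserve memory for the trampoline at some site+5+rel32 the template admits.
 * Only the two highest-order free bytes are enumerated (the slide's "2 MSB"); lower
 * free bytes stay 0 because once the page is mapped every value of them is reachable.
 * Returns the trampoline address, 0 on failure; *attempts counts mmap calls. */
uintptr_t place_trampoline(uintptr_t site, const jmp_template *t, int max_attempts, int *attempts)
{
    int idx[4], nfree = free_bytes(t, idx);
    uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE);
    *attempts = 0;
    if (t->tmpl[0] != 0xe9 || nfree == 0) return 0;   /* fully fixed: use punned_target */
    int vary = nfree < 2 ? nfree : 2;
    uint32_t combos = 1u << (8 * vary);
    for (uint32_t c = 0; c < combos && *attempts < max_attempts; c++) {
        uint8_t b[5] = {0xe9, 0, 0, 0, 0};
        for (int i = 1; i <= 4; i++)
            if (t->fixed[i]) b[i] = t->tmpl[i];
        for (int j = 0; j < vary; j++)               /* highest-order free byte varies fastest */
            b[idx[nfree - 1 - j]] = (uint8_t)(c >> (8 * j));
        uintptr_t target = punned_target(site, b);
        if ((intptr_t)target <= 0) continue;
        uintptr_t page = target & ~(pg - 1);
        size_t len = (target + TRAMP_BYTES - page + pg - 1) & ~(pg - 1);
        (*attempts)++;
        void *m = mmap((void *)page, len, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
        if (m == MAP_FAILED) continue;
        if ((uintptr_t)m != page) { munmap(m, len); continue; }   /* hint not honoured */
        return target;       /* write the trampoline here, then mprotect the page RX */
    }
    return 0;
}

/* Slide 25: fully fixed e9 48 89 c3 48.  Slide 26 case (3): e9 ?? ?? ?? 53. */
const jmp_template slide25_template = {{0xe9, 0x48, 0x89, 0xc3, 0x48}, {1, 1, 1, 1, 1}};
const jmp_template case3_template   = {{0xe9, 0x00, 0x00, 0x00, 0x53}, {1, 0, 0, 0, 1}};
uintptr_t demo_case3_target;
int demo_case3_attempts;

/* 1 when a trampoline page was reserved at an address case (3) can encode. */
int demo_place_case3(void)
{
    uintptr_t site = (uintptr_t)&demo_place_case3;    /* assumed probe site: this entry */
    demo_case3_target = place_trampoline(site, &case3_template, 65536, &demo_case3_attempts);
    printf("case (3): trampoline at %#lx after %d attempt(s)\n",
           (unsigned long)demo_case3_target, demo_case3_attempts);
    return demo_case3_target != 0 && displacement_matches(site, demo_case3_target, &case3_template);
}

int main(void) { return demo_place_case3() ? 0 : 1; }
```

For the fully fixed template of slide 25 there is nothing to search: punned_target gives the single admissible address and the only question is whether that page can be mapped. For case (3) the first candidate, site+5+0x53000000, is normally unmapped and the search ends after one mmap, in line with the slide's "no more than 7 attempts"; the reservation is read/write and must be made executable with mprotect once the trampoline bytes are in place.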
![Page 28: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/28.jpg)
Conclusion & Future work
![Page 29: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/29.jpg)
Conclusion & Future work
● The key goal is interpreting data as code; this technique is called instruction punning.
● 1st approach: instruction punning
● 2nd approach: the proposed techniques
● Last approach: trap instruction(s)
● Trampoline placement
● Prototype under development
![Page 30: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/30.jpg)
Questions?! :)
![Page 31: Dynamic instrumentation](https://reader034.vdocuments.us/reader034/viewer/2022051323/627ba0f67a3c6c43d406d6f9/html5/thumbnails/31.jpg)
References
1- B. Chamith, B. J. Svensson, L. Dalessandro, and R. R. Newton. Instruction punning: Lightweight instrumentation for x86-64. In Proceedings of the 38th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), 2017.
2- V. Zhao. Evaluation of Dynamic Binary Instrumentation Approaches: Dynamic Binary Translation vs. Dynamic Probe Injection. 2018.