paulo marques, bruno cabral {pmarques,bcabral}@dei.uc.pt dependable systems group university of...
TRANSCRIPT
![Page 1: Paulo Marques, Bruno Cabral {pmarques,bcabral}@dei.uc.pt Dependable Systems Group University of Coimbra, Portugal RAIL: Code Instrumentation for.NET](https://reader038.vdocuments.us/reader038/viewer/2022110303/5514756a550346b0158b5299/html5/thumbnails/1.jpg)
Paulo Marques, Bruno Cabral{pmarques,bcabral}@dei.uc.pt
Dependable Systems Group University of Coimbra, Portugal
RAIL: Code Instrumentation for .NET
![Page 2: Paulo Marques, Bruno Cabral {pmarques,bcabral}@dei.uc.pt Dependable Systems Group University of Coimbra, Portugal RAIL: Code Instrumentation for.NET](https://reader038.vdocuments.us/reader038/viewer/2022110303/5514756a550346b0158b5299/html5/thumbnails/2.jpg)
Code Instrumentation The ability to modify an application
after it has been compiled but before (or during) its execution
Application Scenarios: Security Verifications, Dynamic Code
Optimizers, Profiling, Fault Injection, AOP, among others
![Page 3: Paulo Marques, Bruno Cabral {pmarques,bcabral}@dei.uc.pt Dependable Systems Group University of Coimbra, Portugal RAIL: Code Instrumentation for.NET](https://reader038.vdocuments.us/reader038/viewer/2022110303/5514756a550346b0158b5299/html5/thumbnails/3.jpg)
RAIL Runtime Assembly Instrumentation
Library http://rail.dei.uc.pt
“An API that allows CLR assemblies to be manipulated and instrumented before they are loaded and executed”
Currently, one of the main high-level code instrumentation libraries for .NET
![Page 4: Paulo Marques, Bruno Cabral {pmarques,bcabral}@dei.uc.pt Dependable Systems Group University of Coimbra, Portugal RAIL: Code Instrumentation for.NET](https://reader038.vdocuments.us/reader038/viewer/2022110303/5514756a550346b0158b5299/html5/thumbnails/4.jpg)
But what’s this RAIL API anyway? Simple example:
How can you be sure that the application that you’ve downloaded from the Internet is not searching through your files??
![Page 5: Paulo Marques, Bruno Cabral {pmarques,bcabral}@dei.uc.pt Dependable Systems Group University of Coimbra, Portugal RAIL: Code Instrumentation for.NET](https://reader038.vdocuments.us/reader038/viewer/2022110303/5514756a550346b0158b5299/html5/thumbnails/5.jpg)
RAIL Suppose that you can open the
application executable and substitute all class references from “File” to “SecureFileAccess”!!!
......
FileFile theSecret; theSecret;
theSecret = newtheSecret = new FileFile(“secret.doc”);(“secret.doc”);
......
data = theSecret.read();data = theSecret.read();
internet.send(...);internet.send(...);
......
FileFile theSecret; theSecret;
theSecret = newtheSecret = new FileFile(“secret.doc”);(“secret.doc”);
......
data = theSecret.read();data = theSecret.read();
internet.send(...);internet.send(...);
Original File (but in binary code!) RAIL......
SecureFileAccessSecureFileAccess theSecret; theSecret;
theSecret = newtheSecret = new SecureFileAccessSecureFileAccess(“secret.doc”);(“secret.doc”);
......
data = theSecret.read();data = theSecret.read();
internet.send(...);internet.send(...);
......
SecureFileAccessSecureFileAccess theSecret; theSecret;
theSecret = newtheSecret = new SecureFileAccessSecureFileAccess(“secret.doc”);(“secret.doc”);
......
data = theSecret.read();data = theSecret.read();
internet.send(...);internet.send(...);
New File (also in binary code...)
![Page 6: Paulo Marques, Bruno Cabral {pmarques,bcabral}@dei.uc.pt Dependable Systems Group University of Coimbra, Portugal RAIL: Code Instrumentation for.NET](https://reader038.vdocuments.us/reader038/viewer/2022110303/5514756a550346b0158b5299/html5/thumbnails/6.jpg)
class class SecureFileAccessSecureFileAccess { {
File theRealFile;File theRealFile; boolean accessPermited; boolean accessPermited;
SecureFileAccess(String filename) {SecureFileAccess(String filename) { logfile.write(“The foo is accessing {0}”, name); logfile.write(“The foo is accessing {0}”, name); ... ... accessPermited = User.readPermitAccess(); accessPermited = User.readPermitAccess(); theRealFile = new File(filename); theRealFile = new File(filename); } }
read() {read() { if (accessPermited) {if (accessPermited) { theRealFile.read(); theRealFile.read(); } } } }
}}
class class SecureFileAccessSecureFileAccess { {
File theRealFile;File theRealFile; boolean accessPermited; boolean accessPermited;
SecureFileAccess(String filename) {SecureFileAccess(String filename) { logfile.write(“The foo is accessing {0}”, name); logfile.write(“The foo is accessing {0}”, name); ... ... accessPermited = User.readPermitAccess(); accessPermited = User.readPermitAccess(); theRealFile = new File(filename); theRealFile = new File(filename); } }
read() {read() { if (accessPermited) {if (accessPermited) { theRealFile.read(); theRealFile.read(); } } } }
}}
theSecrettheSecrettheSecrettheSecret
Proxy class
RealFile
Real reference to the file
![Page 7: Paulo Marques, Bruno Cabral {pmarques,bcabral}@dei.uc.pt Dependable Systems Group University of Coimbra, Portugal RAIL: Code Instrumentation for.NET](https://reader038.vdocuments.us/reader038/viewer/2022110303/5514756a550346b0158b5299/html5/thumbnails/7.jpg)
RAIL Suppose that you can open the
application executable and substitute all class references from “File” to “SecureFileAccess”!!!
......
FileFile theSecret; theSecret;
theSecret = newtheSecret = new FileFile(“secret.doc”);(“secret.doc”);
......
data = theSecret.read();data = theSecret.read();
internet.send(...);internet.send(...);
......
FileFile theSecret; theSecret;
theSecret = newtheSecret = new FileFile(“secret.doc”);(“secret.doc”);
......
data = theSecret.read();data = theSecret.read();
internet.send(...);internet.send(...);
Original File (but in binary code!) RAIL......
SecureFileAccessSecureFileAccess theSecret; theSecret;
theSecret = newtheSecret = new SecureFileAccessSecureFileAccess(“secret.doc”);(“secret.doc”);
......
data = theSecret.read();data = theSecret.read();
internet.send(...);internet.send(...);
......
SecureFileAccessSecureFileAccess theSecret; theSecret;
theSecret = newtheSecret = new SecureFileAccessSecureFileAccess(“secret.doc”);(“secret.doc”);
......
data = theSecret.read();data = theSecret.read();
internet.send(...);internet.send(...);
New File (also in binary code...)
// Load assembly into memory RAssemblyDef myAssembly = RAssemblyDef.LoadAssembly("Download.exe");
// Creates references for the old and new types to be usedRType oldType = myAssembly.RModuleDef.GetType("File");RType newType = myAssembly.RModuleDef.GetType("SecureFileAccess");
// Creates a reference replacer and apply the substitutionReferenceReplacer replacer = new ReferenceReplacer(oldType, newType);myAssembly.Accept(replacer);
![Page 8: Paulo Marques, Bruno Cabral {pmarques,bcabral}@dei.uc.pt Dependable Systems Group University of Coimbra, Portugal RAIL: Code Instrumentation for.NET](https://reader038.vdocuments.us/reader038/viewer/2022110303/5514756a550346b0158b5299/html5/thumbnails/8.jpg)
Development Model
![Page 9: Paulo Marques, Bruno Cabral {pmarques,bcabral}@dei.uc.pt Dependable Systems Group University of Coimbra, Portugal RAIL: Code Instrumentation for.NET](https://reader038.vdocuments.us/reader038/viewer/2022110303/5514756a550346b0158b5299/html5/thumbnails/9.jpg)
What can be done with RAIL? Iterate over code, injecting and removing code Replace Type references Add epilogues and prologues to methods Redirect method accesses and calls Redirect field and property accesses Redirect field access to properties Redirect field read and write access to methods Manipulate custom attributes Copy-Paste Types and Methods and
IL code across assemblies Manipulate Exception Blocks Integration with CODEDOM
![Page 10: Paulo Marques, Bruno Cabral {pmarques,bcabral}@dei.uc.pt Dependable Systems Group University of Coimbra, Portugal RAIL: Code Instrumentation for.NET](https://reader038.vdocuments.us/reader038/viewer/2022110303/5514756a550346b0158b5299/html5/thumbnails/10.jpg)
Operating SystemOperating SystemOperating SystemOperating System
program.exe/dllprogram.exe/dllprogram.exe/dllprogram.exe/dll
PE HeaderPE Header
MetadataMetadata
ILIL
PE HeaderPE Header
MetadataMetadata
ILIL
ILIL x86x86
Source CodeSource Code
CompileCompile
AssemblyAssembly
JIT-compilerJIT-compiler
RAILRAIL
.cs
![Page 11: Paulo Marques, Bruno Cabral {pmarques,bcabral}@dei.uc.pt Dependable Systems Group University of Coimbra, Portugal RAIL: Code Instrumentation for.NET](https://reader038.vdocuments.us/reader038/viewer/2022110303/5514756a550346b0158b5299/html5/thumbnails/11.jpg)
Structure of an Assembly
PE/COFF headers
CLR Header
CLR Data
Metadata IL code
Native Image Sections
.data, .rdata, .rsrc, .text
Managed Module
Metadata
IL code
Source Code
Managed Compiler
Common Language Runtime
Loader JIT Compiler
Internal DataStructures
Native Code
Execution engine
![Page 12: Paulo Marques, Bruno Cabral {pmarques,bcabral}@dei.uc.pt Dependable Systems Group University of Coimbra, Portugal RAIL: Code Instrumentation for.NET](https://reader038.vdocuments.us/reader038/viewer/2022110303/5514756a550346b0158b5299/html5/thumbnails/12.jpg)
Object-OrientedRepresentation
(diagram not complete)
![Page 13: Paulo Marques, Bruno Cabral {pmarques,bcabral}@dei.uc.pt Dependable Systems Group University of Coimbra, Portugal RAIL: Code Instrumentation for.NET](https://reader038.vdocuments.us/reader038/viewer/2022110303/5514756a550346b0158b5299/html5/thumbnails/13.jpg)
Assembly
RAIL
Mono.PEToolkit
RAIL.Reflect RAIL.MSIL
Rail High Level Instrumentation classes
System.Reflection
System.Reflection.Emit
AssemblyBuilder object
Assembly
Save
AppDomain
Load
Load
RAIL’s InternalStructure
Fully-configurable:Can use third-partylibraries
Source CodeCODEDOM
![Page 14: Paulo Marques, Bruno Cabral {pmarques,bcabral}@dei.uc.pt Dependable Systems Group University of Coimbra, Portugal RAIL: Code Instrumentation for.NET](https://reader038.vdocuments.us/reader038/viewer/2022110303/5514756a550346b0158b5299/html5/thumbnails/14.jpg)
// Source code to usestring myProxy = @" using system;
class SecureFileAccess { File theRealFile; boolean accessPermited; (...) }";
// Define the code in an assembly RAssemblyDef dynamicAssembly = RAssemblyDef.CreateRAssemblyFromCode(myProxy, false);
(...)
// Creates references for the old and new types to be usedRType oldType = myAssembly.RModuleDef.GetType("File");RType newType = dynamicAssembly.RModuleDef.GetType("SecureFileAccess");
// Creates a reference replacer and apply the substitutionReferenceReplacer replacer = new ReferenceReplacer(oldType, newType);myAssembly.Accept(replacer);
Example Using
CodeDom
![Page 15: Paulo Marques, Bruno Cabral {pmarques,bcabral}@dei.uc.pt Dependable Systems Group University of Coimbra, Portugal RAIL: Code Instrumentation for.NET](https://reader038.vdocuments.us/reader038/viewer/2022110303/5514756a550346b0158b5299/html5/thumbnails/15.jpg)
Conclusion High Level of Abstraction
No need for handling all the internal details of PEs
At the same time, has the ability to manipulate IL code directly
Object-oriented Model for representation of all assembly modules
Flexible MSIL instruction handling Use of Design Patterns One of the main high-level code
instrumentation libraries for .NET
![Page 16: Paulo Marques, Bruno Cabral {pmarques,bcabral}@dei.uc.pt Dependable Systems Group University of Coimbra, Portugal RAIL: Code Instrumentation for.NET](https://reader038.vdocuments.us/reader038/viewer/2022110303/5514756a550346b0158b5299/html5/thumbnails/16.jpg)
![Page 17: Paulo Marques, Bruno Cabral {pmarques,bcabral}@dei.uc.pt Dependable Systems Group University of Coimbra, Portugal RAIL: Code Instrumentation for.NET](https://reader038.vdocuments.us/reader038/viewer/2022110303/5514756a550346b0158b5299/html5/thumbnails/17.jpg)
Questions?
http://rail.dei.uc.pt