• No results found

Compiler-Assisted Binary Parsing

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Compiler-Assisted Binary Parsing"

Copied!
20
0
0

Loading.... (view fulltext now)

Download now ( 20 Page )

Full text

(1)

Compiler-Assisted Binary Parsing

Tugrul Ince

[email protected] PD Week 2012

26 – 27 March 2012

(2)

Parsing Binary Files

• Binary analysis is common for

o Performance modeling o Computer security

o Maintenance

o Binary modification

• Parsing: first step in most binary analyses

o Not straight-forward

o Time consuming

(3)

Objective

• Improve parsing speed and accuracy

• Store more data in binary files

• Store more data in binary files

o Basic block locations

o Edge information (source, target, type)

• Binary analysis tools read this extra information

o Create basic block, edge, and finally CFG abstractions

(4)

Difficulties in Parsing

• Distinguishing code and data

• Disassembly is tricky

o Identifying functions

o Finding instruction boundaries

− Variable-length instruction set architectures

• Building Control Flow Graphs

o Identify Basic Block boundaries

o Identify edges between basic blocks

(5)

Compiler Assistance for Parsing

• Developed new compilation mechanism

o Wrappers for GNU compiler suite (gcc/g++) o Transparent to the end user

• Support most standard flags

• Support most standard flags

o Pass flags to underlying system compiler o Intercept output flags (-c, -S, -o, etc.)

• Augments binary files with tables

o Basic Block Table

o Edge Table

(6)

Compiler Infrastructure

• Analyze intermediate assembly files

o Generate information about basic blocks and edges

o Store in a section that is not loaded at runtime

(7)

Basic Block - Edge Tables

(8)

Assembly Modification

• Function Model

o Block of code

o “type … @function”

o “.size …”

• Modifications

o Add Basic Block and Edge Tables

o Add shadow symbol

(9)

Merge Duplicate Functions

• Weak functions are merged by linker

o Functions included multiple times o Binary code might slightly differ o Only one weak function survives

• Tables cannot be merged

o Need to uniquely match functions and tables

o Use shadow symbol in function to extract file name

o Use file name and function name to identify tables

(10)

Reconstruction

• Binary analysis tools operate on executables directly

o No interaction with the compiler

(11)

Reconstruction

• Parsing a functions involves:

o Finding the shadow symbol stored in the function

− File name is extracted

o Locating Basic Block and Edge Tables with the function name and file name pair

o Reading in the tables o Reading in the tables

o Adding function start address to offsets

o Creating basic block and edge abstractions

• No need to parse individual instructions

(12)

Evaluation

• Benchmarks

o SPEC CINT2006

o PETSc snes package o Firefox (v. 9.0.1)

• Systems

• Systems

o 64-bit Linux machines

o server: 24-core Intel Xeon, 48 GB total memory o laptop: AMD Turion, 2 GB total memory

• Methodology

o Executed running time experiments 5 times

o Reporting mean

(13)

Normalized Parsing Time

SPEC CINT2006

0.5 0.6 0.7 0.8 0.9

1

Benchmark GNU Tables

astar 0.21 0.05 bzip2 0.29 0.07 gcc 21.91 5.6 gobmk 4.78 1.35 h264ref 2.24 0.54 hmmer 1.56 0.42

Benchmark GNU Tables libquantum 0.19 0.05

mcf 0.06 0.02 omnetpp 3.67 1.11 perlbench 7.65 2

sjeng 0.79 0.18 Xalan 20.06 7.07

0 0.1 0.2 0.3 0.4 0.5

(14)

Normalized Parsing Time

PETSc snes Package

0.6 0.7 0.8 0.9

1

Benchmark GNU Tables

ex14 28.67 6.81 ex18 30.18 7.28 ex19 29.72 6.98 ex1f 29.56 7.17 ex1 30.01 6.83 ex20 30.15 7.07 ex21 29.24 6.87

Benchmark GNU Tables ex24 29.62 7.15 ex25 29.65 7.02 ex26 29.53 7.08 ex27 29.58 7.08 ex29 29.72 7.10 ex2 28.65 6.84 ex30 30.07 7.21

Benchmark GNU Tables ex34f90 31.02 7.48

ex3 29.34 7.00 ex42 28.68 6.77 ex43 28.53 6.87 ex5f90 30.32 7.09 ex5f 29.70 7.07 ex5 29.56 6.97

0 0.1 0.2 0.3 0.4

0.5

ex21 29.24 6.87

ex22 29.62 7.05 ex23 29.95 7.25

ex30 30.07 7.21 ex31 29.65 7.32

ex5 29.56 6.97

ex6 28.86 6.89

(15)

Normalized Parsing Time

Firefox Version 9.0.1

0.5 0.6 0.7 0.8 0.9

1

Benchmark GNU Tables

firefox 0.29 0.08 libbrowsercomps 0.64 0.17 libdbusservice 0.04 0.01 libfreebl3 1.90 0.47 libmozalloc 0.02 0.01 libmozgnome 0.13 0.04 libmozsqlite3 3.91 1.08

Benchmark GNU Tables libnkgnomevfs 0.11 0.03

libnspr4 1.47 0.40 libnss3 8.06 2.23 libnssckbi 0.64 0.20 libnssdbm3 1.19 0.32 libnssutil3 0.43 0.12

Benchmark GNU Tables libplc4 0.08 0.03 libplds4 0.04 0.01 libsmime3 1.11 0.31 libsoftokn3 1.83 0.60 libssl3 1.45 0.38 libxpcom 0.02 0.01

0 0.1 0.2 0.3 0.4

libmozsqlite3 3.91 1.08

(16)

Build Time Metrics

File Size

Compilation Time Without Debug With Debug

SPEC CINT2006 2.21x 1.38x 1.25x

PETSc 1.50x 1.09x 1.32x

Firefox 1.17x 1.21x 1.13x

• File size increase on disk

o Not reflected to memory footprint

• Small increase in compilation time

o One time cost

o Not reflected to running time performance

OVERALL 1.63x 1.23x 1.23x

(17)

Runtime Metrics

Memory Footprint Running Time

SPEC CINT2006 1.00x 0.97x

PETSc 1.00x 0.95x

Firefox 1.00x 0.94x

OVERALL 1.00x 0.95x

• Virtually no change in runtime metrics

o Memory requirement is almost constant o Change in running time is within noise

• Hard to measure Firefox running time

o No workload

o Use V8 Benchmark

(18)

V8 Benchmarks for Firefox

• V8: JavaScript benchmark

V8 Benchmark Value

Firefox with gcc 2549.2

Firefox with our mechanism 2587.6

• V8: JavaScript benchmark

o Higher scores are better

o Cannot be converted to time

• No significant change in performance

(19)

Limitations / Future Work

• Hand-written assembly

o When branches use offsets in assembly

• 2n more symbols (n: number of functions)

• Compilation takes 23% more time

o Integrate compilation mechanism into gcc

• File size increases

o Compress tables – about 78% compression ratio

(20)

Conclusion

• Developed a new compilation mechanism

o Creates Basic Block and Edge Tables o Transparent to end user

• Improved parsing speed

• Improved parsing speed

o On average 73% decrease in parsing time

o No memory or runtime overhead

References

Download now ( PDF - 20 Page - 567.56 KB )

Related documents

Crafts With The Letter O

We would like how cute crafts, owl letter of construction paper plate craft ideas about feel free printable o so i subscribed?. Cut by letting me know about letter o on one

O&O Defrag and the Windows Defragmenter: A comparison

O&O Defrag provides a clear and well-defined flowchart for defragmentation: it defragments all fragmented files and offers an option for consolidating free disk

Graduate School Options for Psychology Majors from

Although the requirements for a psychology license vary from state to state, they typically involve the following: (1) a doctoral degree in a field of study that is

The Effect of Police Enforcement on Road Traffic Accidents

This suggests that although police forces in many European countries see their role in enforcing compliance with seat belt laws as minimal at best, due to the belief that

The Oregon Experiment — Effects of Medicaid on Clinical Outcomes

Medicaid coverage significantly increased the probability of a diagnosis of diabetes and the use of diabetes medication, but we observed no significant effect on average

The effects of running speed, form, and fatigue on intervertebral disc pressures at L5/S1: A developmental musculoskeletal and finite element modeling approach

The purpose of this study was to simulate L5/S1 joint contact forces and moments during running under variable speed/footstrike conditions, and to apply these forces within a

Pre-requisites to create AVE for Android

Adding a transparent background on a HTML enrichment will disable the display optimization: The page in your document might be less fluid than others and the

Promotional flyer. Checkpoint Software Ltd Website: Contact: Telephone: +44 (0)

o Review all types of tables in a few minutes o Remove the need to recalculating tables in excel o Software tested on thousands professional reportings o Check tables using