Binary Rewriting with Dyninst
Madhavi Krishnan and Dan McNulty

Talk Outline
• Binary Rewriter Review
• Implementation Challenges
• New Features
• Rewriting Statically Linked Binaries
• Conclusion

Binary Rewriting
[Diagram labels: Dyninst Binary Rewriter, a.out, a.out.rewritten, libc, libc.rewritten, libprofile]
• Rewrite executables
• Rewrite libraries
• Add new libraries to binaries

Binary Rewriter Capabilities
• Instrument once, run many
• Support more systems (BlueGene, FreeBSD, …)
• Operate on unmodified binaries
    • No debug information required
    • No linker relocations required
    • No symbols required
• Rewritten binary need not be compiled or linked
Dynamic instrumentation and binary rewriting use the same abstractions and interfaces

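Binary Rewriter Example

    #include "BPatch.h"
    #include "BPatch_binaryEdit.h"
    #include "BPatch_process.h"

    /* use_bin_edit, argv, funcs, callExpr and point are assumed to be
       declared by the surrounding code */

    /* Setup */
    BPatch bpatch;
    BPatch_addressSpace *addr_space;
    BPatch_binaryEdit *app_bin = NULL;   /* set when rewriting a file */
    BPatch_process *app_proc = NULL;     /* set when instrumenting a live process */
    if (use_bin_edit)
        addr_space = app_bin = bpatch.openBinary("a.out");
    else
        addr_space = app_proc = bpatch.processCreate("a.out", argv);

    /* Instrumentation: identical for both modes */
    addr_space->loadLibrary("libInstrumentation.so");
    addr_space->getImage()->findFunction("func", funcs);
    /* … */
    addr_space->insertSnippet(callExpr, point);

    /* Finalize */
    if (use_bin_edit) {
        app_bin->writeFile("a.rewritten.out");   /* write the rewritten binary */
    } else {
        app_proc->continueExecution();           /* resume the instrumented process */
    }
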
Challenges
• Complex Standards
    • Executable and Linkable Format (ELF)
    • System V Standard
    • Linux Standard Base (LSB)
• Accessing information in the original binary file
    • Redundant information
    • Inconsistent!
        • E.g., Section size stored in headers and dynamic section
• Writing a new binary file
    • Updating sections with new information
    • Not precisely defined by standards!
        • E.g., Adding new symbol to hash section

Challenges
• Implementation of the standards
    • Libraries and tools
    • OS
• Assigning meaning to undefined behavior
    • Symbols with no name and no type
• Stringent requirements by libelf
    • Section alignment
• Unexpected restrictions by the OS
    • Program header must be on first page
    • Loader assumes relocation sections are adjacent

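A post-rewrite sanity check for the restriction listed above that the program header must be on the first page, as an added example rather than Dyninst code. It assumes a little-endian ELF64 image and a 4096-byte page; check_phdr_placement, make_image and the sample images are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

enum class PhdrCheck { Ok, NotElf64LE, Truncated, OffFirstPage };

// Read an n-byte little-endian integer at offset off (caller checks bounds).
static uint64_t rd_le(const std::vector<uint8_t>& b, size_t off, int n) {
    uint64_t v = 0;
    for (int i = n - 1; i >= 0; --i) v = (v << 8) | b[off + i];
    return v;
}

// Verify that the whole program header table of an ELF64 image lies inside
// the first page (page size is an assumption, 4096 by default).
PhdrCheck check_phdr_placement(const std::vector<uint8_t>& img, uint64_t page = 4096) {
    if (img.size() < 64) return PhdrCheck::Truncated;             // sizeof(Elf64_Ehdr)
    const uint8_t magic[4] = {0x7f, 'E', 'L', 'F'};
    for (int i = 0; i < 4; ++i)
        if (img[i] != magic[i]) return PhdrCheck::NotElf64LE;
    if (img[4] != 2 || img[5] != 1) return PhdrCheck::NotElf64LE; // ELFCLASS64, ELFDATA2LSB
    uint64_t phoff = rd_le(img, 32, 8);   // e_phoff
    uint64_t entsz = rd_le(img, 54, 2);   // e_phentsize
    uint64_t phnum = rd_le(img, 56, 2);   // e_phnum
    uint64_t bytes = entsz * phnum;       // two 16-bit values, cannot overflow 64 bits
    if (phoff > img.size() || bytes > img.size() - phoff) return PhdrCheck::Truncated;
    // The end of the table, not only its start, must fall within the first page.
    if (phoff >= page || bytes > page - phoff) return PhdrCheck::OffFirstPage;
    return PhdrCheck::Ok;
}

// Constructed sample: a zero-filled image of `total` bytes (total >= 64) whose
// ELF64 header declares `phnum` 56-byte program headers at offset `phoff`.
std::vector<uint8_t> make_image(uint64_t phoff, uint16_t phnum, size_t total) {
    std::vector<uint8_t> b(total, 0);
    const uint8_t ident[6] = {0x7f, 'E', 'L', 'F', 2, 1};
    for (int i = 0; i < 6; ++i) b[i] = ident[i];
    for (int i = 0; i < 8; ++i) b[32 + i] = uint8_t(phoff >> (8 * i));
    b[54] = 56; b[55] = 0;                                  // e_phentsize
    b[56] = uint8_t(phnum); b[57] = uint8_t(phnum >> 8);    // e_phnum
    return b;
}
```

A table that a rewriter has grown and appended at the end of the file, or one that starts on the first page but runs past its end, is reported as OffFirstPage.
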
What is New in the Binary Rewriter?
• Linux/PowerPC32 port
• Handling run time events with the binary rewriter
• Support for rewriting static binaries

Linux/PowerPC32 Port
• Dealing with Position Independent Code (PIC)
    • What is PIC?
    • Why deal with PIC?
• PowerPC specific challenges
    • Identifying PIC idiom
    • Determining current PC
[Diagram labels: Shared library, Code, PC relative references, Data, Address space 0x1000, 0x2000, 0x3000]

Handling Run Time Events
Initialize and finalize instrumentation
[Diagram labels: Mutatee Process, Dyninst Mutator, Events (process load, …), OneTimeCode, Callback]

Handling Run Time Events
Initialize and finalize instrumentation
[Diagram labels: Mutatee Binary, ?, Events (process load, …), init/fini section, Snippet to handle the event]
A general framework to handle run time events

Rewriting Static Binaries
[Diagram labels: Dynamic Binary (Headers, Code, Data), Static Binary (Headers, Code, Data), Dynamic Linker, Shared Libraries (libm.so, libc.so, libnew.so), ?, Static Library (libnew.a)]

Adding New Libraries to Static Binaries
• Link code and data from the new libraries into the binary
• Can we use an existing linker?
• Dyninst must become a linker
[Diagram labels: Static Binary (Headers, Code, Data), libnew.a]

Rewriting a Static Binary
Let’s start with this simple picture of a binary
[Diagram labels: Headers, Code, Data]

Rewriting a Static Binary
First, load new libraries
[Diagram labels: binary (Headers, Code, Data); libdyninstRT.a, libprofile.a and libc.a, each with Code and Data]

Rewriting a Static Binary
Second, generate instrumentation to reference new libraries
[Diagram labels: binary (Headers, Code, Data, Instrumentation); References; libdyninstRT.a, libprofile.a and libc.a, each with Code and Data]

Rewriting a Static Binary
Third, link code and data from the new libraries into the binary
[Diagram labels: binary (Headers, Code, Data, Instrumentation, libdyninstRT.a Code, libprofile.a Code, libc.a Code, libdyninstRT.a Data, libprofile.a Data, libc.a Data); References; libdyninstRT.a, libprofile.a and libc.a, each with Code and Data]

Rewriting a Static Binary
Finally, update the headers
[Diagram labels: Old Headers, Code, Data, Instrumentation, libdyninstRT.a Code, libprofile.a Code, libc.a Code, libdyninstRT.a Data, libprofile.a Data, libc.a Data, New Headers]

Challenges in Rewriting Static Binaries
Dyninst must become a linker
[Diagram labels: relinker; Not Finalized (Object File, Object File, Static Library); Linker; Finalized (Static Binary); Dyninst Binary Rewriter; New Library]

Challenges in Rewriting Static Binaries
• Relinking is harder than linking
    • Thread Local Storage (TLS)
    • Constructor and destructor tables
• Supporting TLS
    • Need to link together multiple TLS sections
    • TLS sections must be adjacent
    • Move existing TLS section to the end and append new TLS sections
    • Update program header

Challenges in Rewriting Static Binaries
Unexpected interactions within the tool chain
[Diagram labels: Standard Format, gcc, ld, Unpublished conventions, New Library, Linked Binary, Dyninst Binary Rewriter]

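Binary Rewriter Example

    #include "BPatch.h"
    #include "BPatch_binaryEdit.h"
    #include "BPatch_process.h"

    /* use_bin_edit and argv are assumed to be declared by the surrounding code */

    /* Setup */
    BPatch bpatch;
    BPatch_addressSpace *addr_space;
    BPatch_binaryEdit *app_bin = NULL;   /* set when rewriting a file */
    BPatch_process *app_proc = NULL;     /* set when instrumenting a live process */
    if (use_bin_edit)
        addr_space = app_bin = bpatch.openBinary("a.out");
    else
        addr_space = app_proc = bpatch.processCreate("a.out", argv);

    /* Instrumentation: a static binary needs static archives */
    if (addr_space->isStaticExecutable()) {
        addr_space->loadLibrary("libprofile.a");
        addr_space->loadLibrary("libc.a");
    } else {
        addr_space->loadLibrary("libprofile.so");
    }
    /* … */

    /* Finalize */
    if (use_bin_edit) {
        app_bin->writeFile("a.rewritten.out");   /* write the rewritten binary */
    } else {
        app_proc->continueExecution();           /* resume the instrumented process */
    }
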
Binary Rewriter Status
• Rewriting dynamic binaries
    • Linux/x86
    • Linux/x86_64
    • Linux/PowerPC32
• Rewriting static binaries
    • Linux/x86
    • Linux/x86_64

Future Directions
• Rewriting dynamically linked binaries
    • PowerPC64
• Rewriting statically linked binaries
    • PowerPC Family
• Ports to new platforms and object formats
    • FreeBSD (ELF)
    • Windows (PE, PDB)
    • AIX (XCOFF)
• Update debug information (DWARF) in rewritten binaries

Demo on Tuesday: Scalasca, TAU, Paraver
Questions?