Upload
lowri
View
57
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Dynamic Emulation and Fault-Injection using Dyninst. Presented by: Rean Griffith Programming Systems Lab (PSL) [email protected]. Overview. Introduction Background Dynamic Emulation Example Solution Requirements Dyninst Modifications Necessary - PowerPoint PPT Presentation
Citation preview
1
Dynamic Emulation and Dynamic Emulation and Fault-Injection using Fault-Injection using
DyninstDyninst
Presented by:Presented by:
Rean GriffithRean Griffith
Programming Systems Lab (PSL)Programming Systems Lab (PSL)
[email protected]@cs.columbia.edu
2
OverviewOverview
IntroductionIntroduction BackgroundBackground Dynamic Emulation ExampleDynamic Emulation Example Solution RequirementsSolution Requirements Dyninst Modifications NecessaryDyninst Modifications Necessary On-going Fault-injection Tool On-going Fault-injection Tool
DevelopmentDevelopment ConclusionsConclusions
3
IntroductionIntroduction
We are working on the design and We are working on the design and evaluation of self-healing systems.evaluation of self-healing systems.
Based on two techniquesBased on two techniques Runtime-adaptations (technical)Runtime-adaptations (technical) Mathematical models of failures & Mathematical models of failures &
recovery (analytical)recovery (analytical)
4
Role of Runtime-Role of Runtime-AdaptationsAdaptations
Fault-DetectionFault-Detection Transparently adding/modifying Transparently adding/modifying
detection mechanismsdetection mechanisms Replacing/removing under-performing Replacing/removing under-performing
mechanismsmechanisms Failure-DiagnosisFailure-Diagnosis
In-situ diagnosis of systems (drill-down)In-situ diagnosis of systems (drill-down) In-vivo testing (ghost transactions)In-vivo testing (ghost transactions)
System-RepairsSystem-Repairs Dynamic fine-grained or coarse-Dynamic fine-grained or coarse-
grained repairsgrained repairs
5
Dynamic Emulation Dynamic Emulation ExampleExample
Proof-of-concept dynamic emulation Proof-of-concept dynamic emulation support for applications using Kheiron/C support for applications using Kheiron/C (mutator)(mutator) Allows select portions of an application to run Allows select portions of an application to run
on an x86 emulator rather than on the raw on an x86 emulator rather than on the raw CPUCPU
Security-oriented self-healing mechanismSecurity-oriented self-healing mechanism Allows users to:Allows users to:
Limit the impact of un-patched vulnerabilitiesLimit the impact of un-patched vulnerabilities Test/verify interim (auto-generated) patchesTest/verify interim (auto-generated) patches Manage the performance impact of whole-Manage the performance impact of whole-
program emulationprogram emulation
6
Background on the x86 Background on the x86 EmulatorEmulator
Selective Transaction Emulator Selective Transaction Emulator (STEM)(STEM) An x86 instruction-level emulator An x86 instruction-level emulator
developed by Michael Locasto, Stelios developed by Michael Locasto, Stelios Sidiroglou-Douskos, Stephen Boyd and Sidiroglou-Douskos, Stephen Boyd and Prof. Angelos KeromytisProf. Angelos Keromytis
Developed as a recovery mechanism for Developed as a recovery mechanism for illegal memory references, division by illegal memory references, division by zero exceptions and buffer overflow zero exceptions and buffer overflow attacksattacks
7
Big Picture Idea for Big Picture Idea for STEMSTEM
Building a Reactive Immune System for Software Systems, Stelios Sidiroglou Michael E. Locasto Stephen W. Boyd Angelos D. Keromytis
USENIX 2005
8
Limitations of the Original Limitations of the Original STEMSTEM
Inserted via source-codeInserted via source-code Manual identification of locations to emulateManual identification of locations to emulate Re-compilation and (static) re-linking needed Re-compilation and (static) re-linking needed
to emulate different sections of an to emulate different sections of an applicationapplication
Minimum observed runtime over-head of Minimum observed runtime over-head of 30%.30%.
9
Proposed SolutionProposed Solution
Dynamic,No
re-compilation
10
Solution RequirementsSolution Requirements
Dynamic Loading of the STEM x86 Dynamic Loading of the STEM x86 Emulator.Emulator.
Clean CPU-to-Emulator handoffClean CPU-to-Emulator handoff Correct Emulator initializationCorrect Emulator initialization Correct Emulator executionCorrect Emulator execution
Clean Emulator-to-CPU handoffClean Emulator-to-CPU handoff Correct Emulator unloadCorrect Emulator unload
11
Requirements Met Out-of-Requirements Met Out-of-the-Box by Dyninst 5.0.1the-Box by Dyninst 5.0.1
Dynamic Loading of the STEM x86 Dynamic Loading of the STEM x86 Emulator.Emulator.
Clean CPU-to-Emulator handoffClean CPU-to-Emulator handoff Correct Emulator initializationCorrect Emulator initialization Correct Emulator executionCorrect Emulator execution
Clean Emulator-to-CPU handoffClean Emulator-to-CPU handoff Correct Emulator unloadCorrect Emulator unload
But…with a few simple modifications to But…with a few simple modifications to Dyninst, Dyninst,
we are able to satisfy all these we are able to satisfy all these requirements.requirements.
12
Unmodified Dyninst Unmodified Dyninst OperationOperation
13
Dynamic STEM Dynamic STEM OperationOperation
14
Correct Emulator Correct Emulator InitializationInitialization
– Dyninst Modifications – Dyninst Modifications Emitter32::emitBTSaves modificationsEmitter32::emitBTSaves modifications
Save CPU state before instrumentation on Save CPU state before instrumentation on the real CPU stack AND at a location in the the real CPU stack AND at a location in the target program address space (Register target program address space (Register storage area address)storage area address)
Save the instructions mangled by inserting Save the instructions mangled by inserting the trampoline at a KNOWN location in the the trampoline at a KNOWN location in the target program address space (Code storage target program address space (Code storage area address)area address)
instPoint, BPatch_point modificationsinstPoint, BPatch_point modifications Added extra fields and methods to the type Added extra fields and methods to the type
definitions to set/get the extra informationdefinitions to set/get the extra information
15
Dynamic Emulation Dynamic Emulation Mutator SnippetMutator Snippet
16
Correct Emulator Correct Emulator ExecutionExecution
Register storage area address used Register storage area address used to initialize STEM’s registersto initialize STEM’s registers
Code storage area address used to Code storage area address used to prime STEM’s execution pipelineprime STEM’s execution pipeline
STEM tracks its current stack depthSTEM tracks its current stack depth Initially set to 0Initially set to 0 Call and Return instructions modify the Call and Return instructions modify the
stack depthstack depth A return instruction at depth 0 signals A return instruction at depth 0 signals
the end of emulationthe end of emulation
17
Correct Emulator UnloadCorrect Emulator Unload
CleanupCleanup Copy emulator registers to real CPU registersCopy emulator registers to real CPU registers Push the saved_eip onto the real CPU stackPush the saved_eip onto the real CPU stack Make it the return address for the current Make it the return address for the current
stack frame – pop it into 4(%ebp)stack frame – pop it into 4(%ebp) Push the saved_ebp onto the real cpu stackPush the saved_ebp onto the real cpu stack Restore that value into the real EBP registerRestore that value into the real EBP register
18
Current StatusCurrent Status
Doesn’t crash on our simple test programs.Doesn’t crash on our simple test programs. Correct computation results for these Correct computation results for these
programs.programs. Multiple emulator entries/exits e.g. in a Multiple emulator entries/exits e.g. in a
loop.loop. More refinements to x86 emulator needed More refinements to x86 emulator needed
to support more complicated programsto support more complicated programs Emulator-state rollbacks in the worksEmulator-state rollbacks in the works Clean up the CPU-to-Emulator and Emulator-Clean up the CPU-to-Emulator and Emulator-
to-CPU handoffsto-CPU handoffs
19
Role of Runtime-Role of Runtime-AdaptationsAdaptations
Fault-DetectionFault-Detection Transparently adding/modifying detection Transparently adding/modifying detection
mechanismsmechanisms Replacing/removing under-performing mechanismsReplacing/removing under-performing mechanisms
Failure-DiagnosisFailure-Diagnosis In-situ diagnosis of systems (drill-down)In-situ diagnosis of systems (drill-down) In-vivo testing (ghost transactions)In-vivo testing (ghost transactions)
System-RepairsSystem-Repairs Dynamic fine-grained or coarse-grained repairsDynamic fine-grained or coarse-grained repairs
Fault-InjectionFault-Injection Exercise the detection, diagnosis and repair Exercise the detection, diagnosis and repair
mechanisms so we can perform a quantitative mechanisms so we can perform a quantitative evaluationevaluation
20
Fault-Injection Tool Fault-Injection Tool DevelopmentDevelopment Kheiron/CLR and Kheiron/JVMKheiron/CLR and Kheiron/JVM
Fault-injection tools for .NET applications and Fault-injection tools for .NET applications and JVM applications/application-servers based JVM applications/application-servers based runtime adaptations (bytecode-rewriting)runtime adaptations (bytecode-rewriting)
Kheiron/C extensionsKheiron/C extensions Dynamic fault-injection tool for databases Dynamic fault-injection tool for databases
using Dyninst. Specifically targeting the query using Dyninst. Specifically targeting the query (re)-planning and processing sub-systems of (re)-planning and processing sub-systems of the databasethe database
Device driver fault-injection tools for Device driver fault-injection tools for Linux 2.4, Linux 2.6, Windows 2003 Linux 2.4, Linux 2.6, Windows 2003 Server and Solaris 10Server and Solaris 10 Evaluating device-driver recovery frameworks Evaluating device-driver recovery frameworks
e.g. Nooks and Solaris 10 Fault Isolation e.g. Nooks and Solaris 10 Fault Isolation ServicesServices
21
ConclusionsConclusions
We have described and implemented We have described and implemented an example of dynamically inserting an example of dynamically inserting and removing a recovery mechanism and removing a recovery mechanism based on selective emulation.based on selective emulation.
More work needs to be done to More work needs to be done to polish our prototype and polish our prototype and experimentally evaluate the efficacy experimentally evaluate the efficacy of this recovery mechanism.of this recovery mechanism.
22
AcknowledgementsAcknowledgements
This work was conducted under the This work was conducted under the supervision of Prof. Gail Kaiser and supervision of Prof. Gail Kaiser and with the help of Stelios with the help of Stelios Sidiroglou We would like to thank Matthew We would like to thank Matthew
Legendre, Drew Bernat and the Dyninst Legendre, Drew Bernat and the Dyninst Team for their assistance/guidance as Team for their assistance/guidance as we worked with Dyninst 4.2.1 and we worked with Dyninst 4.2.1 and Dyninst 5.0.1 to develop our dynamic Dyninst 5.0.1 to develop our dynamic emulation techniques.emulation techniques.
23
Thank YouThank You
Questions, Comments Queries?Questions, Comments Queries?
For more details please contact:For more details please contact:Rean GriffithRean Griffith
Programming Systems Lab Columbia Programming Systems Lab Columbia UniversityUniversity
[email protected]@cs.columbia.edu