Binary Rewriting with Dyninst

Madhavi Krishnan and Dan McNulty

Presentation Transcript


  1. Binary Rewriting with Dyninst
     Madhavi Krishnan and Dan McNulty

  2. Talk Outline
     • Binary Rewriter Review
     • Implementation Challenges
     • New Features
     • Rewriting Statically Linked Binaries
     • Conclusion

  3. Binary Rewriting
     [Diagram labels: Dyninst Binary Rewriter, a.out, a.out.rewritten, libc, libc.rewritten, libprofile]
     • Rewrite executables
     • Rewrite libraries
     • Add new libraries to binaries

  4. Binary Rewriter Capabilities
     • Instrument once, run many
     • Support more systems (BlueGene, FreeBSD, …)
     • Operate on unmodified binaries
       • No debug information required
       • No linker relocations required
       • No symbols required
     • Rewritten binary need not be compiled or linked
     Dynamic instrumentation and binary rewriting use the same abstractions and interfaces

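  5. Binary Rewriter Example

         /* Setup: open the file for rewriting, or launch it as a process */
         BPatch bpatch;
         BPatch_addressSpace *addr_space;
         BPatch_binaryEdit *app_bin = NULL;   /* set when rewriting the file on disk */
         BPatch_process *app_proc = NULL;     /* set when instrumenting a live process */
         if (use_bin_edit)
             addr_space = app_bin = bpatch.openBinary("a.out");
         else
             addr_space = app_proc = bpatch.processCreate("a.out", argv);

         /* Instrumentation: identical calls for both modes */
         addr_space->loadLibrary("libInstrumentation.so");
         addr_space->getImage()->findFunction("func", funcs);
         …
         addr_space->insertSnippet(callExpr, point);

         /* Finalize: write the rewritten file, or resume the process */
         if (use_bin_edit)
             app_bin->writeFile("a.rewritten.out");
         else
             app_proc->continueExecution();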

  6. Binary Rewriting with Dyninst

  7. Challenges
     • Complex Standards
       • Executable and Linkable Format (ELF)
       • System V Standard
       • Linux Standard Base (LSB)
     • Accessing information in the original binary file
       • Redundant information
       • Inconsistent!
       • E.g., Section size stored in headers and dynamic section
     • Writing a new binary file
       • Updating sections with new information
       • Not precisely defined by standards!
       • E.g., Adding new symbol to hash section

  8. Challenges
     • Implementation of the standards
       • Libraries and tools
       • OS
     • Assigning meaning to undefined behavior
       • Symbols with no name and no type
     • Stringent requirements by libelf
       • Section alignment
     • Unexpected restrictions by the OS
       • Program header must be on first page
       • Loader assumes relocation sections are adjacent

  9. What is New in the Binary Rewriter?
     • Linux/PowerPC32 port
     • Handling run time events with the binary rewriter
     • Support for rewriting static binaries

  10. Linux/PowerPC32 Port
      • Dealing with Position Independent Code (PIC)
        • What is PIC?
        • Why deal with PIC?
      • PowerPC specific challenges
        • Identifying PIC idiom
        • Determining current PC
      [Diagram labels: Shared library, Code, PC relative references, Data, Address space, 0x1000, 0x2000, 0x3000]

  11. Handling Run Time Events
      Initialize and finalize instrumentation
      [Diagram labels: Mutatee Process, Dyninst Mutator, Events (process load, …), OneTimeCode, Callback]

  12. Handling Run Time Events
      Initialize and finalize instrumentation
      [Diagram labels: Mutatee Binary, ?, Events (process load, …), init/fini section, Snippet to handle the event]
      A general framework to handle run time events

  13. Rewriting Static Binaries
      [Diagram labels: Dynamic Binary (Headers, Code, Data), Static Binary (Headers, Code, Data), Dynamic Linker, Shared Libraries, ?, libm.so, libc.so, libnew.so, libnew.a, Static Library]

  14. Adding New Libraries to Static Binaries
      • Link code and data from the new libraries into the binary
      • Can we use an existing linker?
      • Dyninst must become a linker
      [Diagram labels: Static Binary (Headers, Code, Data), libnew.a]

  15. Rewriting a Static Binary
      Let’s start with this simple picture of a binary
      [Diagram labels: Headers, Code, Data]

  16. Rewriting a Static Binary
      First, load new libraries
      [Diagram labels: binary with Headers, Code, Data; libdyninstRT.a, libprofile.a and libc.a, each with Code and Data]

  17. Rewriting a Static Binary
      Second, generate instrumentation to reference new libraries
      [Diagram labels: Headers, Code, Data, References, Instrumentation; libdyninstRT.a, libprofile.a and libc.a, each with Code and Data]

  18. Rewriting a Static Binary
      Third, link code and data from the new libraries into the binary
      [Diagram labels: Headers, Code, Data, References, Instrumentation; Code and Data of libdyninstRT.a, libprofile.a and libc.a]

  19. Rewriting a Static Binary
      Finally, update the headers
      [Diagram labels: Old Headers, Code, Data, Instrumentation, libdyninstRT.a Code, libprofile.a Code, libc.a Code, libdyninstRT.a Data, libprofile.a Data, libc.a Data, New Headers]

  20. Challenges in Rewriting Static Binaries
      Dyninst must become a linker
      [Diagram labels: relinker, Not Finalized, Finalized, Object File, Linker, Static Binary, Object File, Static Library, Dyninst Binary Rewriter, New Library]

  21. Challenges in Rewriting Static Binaries
      • Relinking is harder than linking
        • Thread Local Storage (TLS)
        • Constructor and destructor tables
      • Supporting TLS
        • Need to link together multiple TLS sections
        • TLS sections must be adjacent
        • Move existing TLS section to the end and append new TLS sections
        • Update program header

  22. Challenges in Rewriting Static Binaries
      Unexpected interactions within the tool chain
      [Diagram labels: Standard Format, gcc, ld, Unpublished conventions, New Library, Linked Binary, Dyninst Binary Rewriter]

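  23. Binary Rewriter Example

          /* Setup: open the file for rewriting, or launch it as a process */
          BPatch bpatch;
          BPatch_addressSpace *addr_space;
          BPatch_binaryEdit *app_bin = NULL;   /* set when rewriting the file on disk */
          BPatch_process *app_proc = NULL;     /* set when instrumenting a live process */
          if (use_bin_edit)
              addr_space = app_bin = bpatch.openBinary("a.out");
          else
              addr_space = app_proc = bpatch.processCreate("a.out", argv);

          /* Instrumentation: a static executable needs static archives */
          if (addr_space->isStaticExecutable()) {
              addr_space->loadLibrary("libprofile.a");
              addr_space->loadLibrary("libc.a");
          } else {
              addr_space->loadLibrary("libprofile.so");
          }
          …

          /* Finalize: write the rewritten file, or resume the process */
          if (use_bin_edit)
              app_bin->writeFile("a.rewritten.out");
          else
              app_proc->continueExecution();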

  24. Binary Rewriter Status
      • Rewriting dynamic binaries
        • Linux/x86
        • Linux/x86_64
        • Linux/PowerPC32
      • Rewriting static binaries
        • Linux/x86
        • Linux/x86_64

  25. Future Directions
      • Rewriting dynamically linked binaries
        • PowerPC64
      • Rewriting statically linked binaries
        • PowerPC Family
      • Ports to new platforms and object formats
        • FreeBSD (ELF)
        • Windows (PE, PDB)
        • AIX (XCOFF)
      • Update debug information (DWARF) in rewritten binaries

  26. Demo on Tuesday: Scalasca, TAU, Paraver
      Questions?
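
Slide 7 cites the section size, stored both in the section headers and in the dynamic section, as redundant ELF information that can be inconsistent. The following added example (not from the talk and not Dyninst code) checks one such pair, the dynamic string table's sh_size against DT_STRSZ, on a constructed in-memory image; dynstr_size_consistent, make_sample and Sample are hypothetical names, and a 64-bit ELF in host byte order is assumed.

```cpp
// Added example, not Dyninst code. Assumes a 64-bit ELF image in host byte order.
#include <elf.h>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <vector>
typedef std::vector<unsigned char> Image;
// Returns 1 if sh_size and DT_STRSZ agree, 0 if not, -1 if malformed or not found.
int dynstr_size_consistent(const Image &img) {
    if (img.size() < sizeof(Elf64_Ehdr)) return -1;
    Elf64_Ehdr eh; std::memcpy(&eh, img.data(), sizeof eh);
    if (std::memcmp(eh.e_ident, ELFMAG, SELFMAG) || eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        !eh.e_shnum || eh.e_shentsize != sizeof(Elf64_Shdr) || eh.e_shoff > img.size() ||
        (img.size() - eh.e_shoff) / sizeof(Elf64_Shdr) < eh.e_shnum) return -1;
    std::vector<Elf64_Shdr> sh(eh.e_shnum);
    std::memcpy(sh.data(), img.data() + eh.e_shoff, sh.size() * sizeof(Elf64_Shdr));
    Elf64_Addr strtab = 0; Elf64_Xword strsz = 0; bool found = false;
    for (const Elf64_Shdr &s : sh) {   // read DT_STRTAB and DT_STRSZ from .dynamic
        if (s.sh_type != SHT_DYNAMIC) continue;
        if (s.sh_offset > img.size() || s.sh_size > img.size() - s.sh_offset) return -1;
        for (Elf64_Xword o = 0; o + sizeof(Elf64_Dyn) <= s.sh_size; o += sizeof(Elf64_Dyn)) {
            Elf64_Dyn d; std::memcpy(&d, img.data() + s.sh_offset + o, sizeof d);
            if (d.d_tag == DT_NULL) break;
            if (d.d_tag == DT_STRTAB) { strtab = d.d_un.d_ptr; found = true; }
            if (d.d_tag == DT_STRSZ) strsz = d.d_un.d_val;
        }
    }
    for (const Elf64_Shdr &s : sh)     // section header that DT_STRTAB's address names
        if (found && s.sh_type == SHT_STRTAB && s.sh_addr == strtab) return s.sh_size == strsz;
    return -1;
}

// Constructed sample layout: ELF header, .dynstr, .dynamic, three section headers.
struct Sample { Elf64_Ehdr eh; char strs[16]; Elf64_Dyn dyn[3]; Elf64_Shdr sh[3]; };
Image make_sample(Elf64_Xword dt_strsz) {
    Sample s = {};                     // zeroed: sh[0] is the null section, dyn[2] is DT_NULL
    std::memcpy(s.eh.e_ident, ELFMAG, SELFMAG); s.eh.e_ident[EI_CLASS] = ELFCLASS64;
    s.eh.e_shoff = offsetof(Sample, sh); s.eh.e_shentsize = sizeof(Elf64_Shdr); s.eh.e_shnum = 3;
    std::memcpy(s.strs + 1, "libprofile.so", 13);
    s.dyn[0].d_tag = DT_STRTAB; s.dyn[0].d_un.d_ptr = 0x1000;
    s.dyn[1].d_tag = DT_STRSZ;  s.dyn[1].d_un.d_val = dt_strsz;
    s.sh[1].sh_type = SHT_STRTAB; s.sh[1].sh_addr = 0x1000; s.sh[1].sh_size = sizeof s.strs;
    s.sh[1].sh_offset = offsetof(Sample, strs); s.sh[2].sh_offset = offsetof(Sample, dyn);
    s.sh[2].sh_type = SHT_DYNAMIC; s.sh[2].sh_size = sizeof s.dyn;
    const unsigned char *p = reinterpret_cast<const unsigned char *>(&s);
    return Image(p, p + sizeof s);
}

int main() { std::printf("%d\n", dynstr_size_consistent(make_sample(32))); }
```

A rewriter that grows the string table has to update both fields together; a result of 0 on its output means one of them was missed.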
