Binary Rewriting with Dyninst
Madhavi Krishnan and Dan McNulty

Talk Outline
- Binary Rewriter Review
- Implementation Challenges
- New Features
- Rewriting Statically Linked Binaries
- Conclusion

Binary Rewriting
[Diagram labels: a.out, libc, Dyninst Binary Rewriter, a.out.rewritten, libc.rewritten, libprofile]
- Rewrite executables
- Rewrite libraries
- Add new libraries to binaries

Binary Rewriter Capabilities
- Instrument once, run many
- Support more systems (BlueGene, FreeBSD, ...)
- Operate on unmodified binaries
  - No debug information required
  - No linker relocations required
  - No symbols required
- Rewritten binary need not be compiled or linked

Binary Rewriter Example
Dynamic instrumentation and binary rewriting use the same abstractions and interfaces.

```cpp
/* Setup */
BPatch_addressSpace *addr_space;
if (use_bin_edit)
    addr_space = BPatch.openFile("a.out");        /* static rewriting */
else
    addr_space = BPatch.createProcess("a.out");   /* dynamic instrumentation */

/* Instrumentation: identical for both modes */
addr_space->loadLibrary("libInstrumentation.so");
addr_space->getImage()->findFunction("func", funcs);
addr_space->insertSnippet(callExpr, point);

/* Finalize */
if (use_bin_edit)
    app_bin->writeFile("a.rewritten.out");        /* emit the rewritten binary */
else
    app_proc->continueExecution();                /* resume the live process */
```

Challenges
- Complex standards
  - Executable and Linkable Format (ELF)
  - System V Standard
  - Linux Standard Base (LSB)
- Accessing information in the original binary file
  - Redundant information
  - Inconsistent! E.g., section size stored in headers and dynamic section
- Writing a new binary file
  - Updating sections with new information
  - Not precisely defined by standards! E.g., adding new symbol to hash section

Challenges
- Implementation of the standards
  - Libraries and tools
  - OS
- Assigning meaning to undefined behavior
  - Symbols with no name and no type
- Stringent requirements by libelf
  - Section alignment
- Unexpected restrictions by the OS
  - Program header must be on first page
  - Loader assumes relocation sections are adjacent

What is New in the Binary Rewriter?
- Linux/PowerPC32 port
- Handling run time events with the binary rewriter
- Support for rewriting static binaries

Linux/PowerPC32 Port
- Dealing with Position Independent Code (PIC)
  - What is PIC?
  - Why deal with PIC?
- PowerPC specific challenges
  - Identifying PIC idiom
  - Determining current PC
[Diagram labels: address space at 0x1000, 0x2000, 0x3000; Code, Data, Shared library; PC relative references]

Handling Run Time Events
- Initialize and finalize instrumentation
[Diagram labels: Dyninst Mutator, Mutatee Process, process load, Events, OneTimeCode Callback]
[Diagram labels: Mutatee Binary, process load, Events, ?, Snippet to handle the event, init/fini section]
- A general framework to handle run time events

Rewriting Static Binaries
[Diagram labels: Dynamic Binary (Headers, Dynamic Linker, Code, Shared Libraries, ?); Static Binary (Static Library, Code, Data, Headers, Code, Data)]

Adding New Libraries to Static Binaries
- Link code and data from the new libraries into the binary
- Can we use an existing linker?
- Dyninst must become a linker

Rewriting a Static Binary
[Diagram labels: Static Binary: Headers, Code, Data]
- Let's start with this simple picture of a binary.
  [Layout: Headers, Code, Data]
- First, load new libraries.
  [Layout: Headers, Code, Data]
- Second, generate instrumentation to reference new libraries.
  [Layout: Headers, Code, Data, Instrumentation; References]
- Third, link code and data from the new libraries into the binary.
  [Layout: Headers, Code, Data, Instrumentation, libdyninstRT.a Code, libprofile.a Code, libc.a Code, libdyninstRT.a Data, libprofile.a Data, libc.a Data; References]
- Finally, update the headers.
  [Layout: Old Headers, Code, Data, Instrumentation, libdyninstRT.a Code, libprofile.a Code, libc.a Code, libdyninstRT.a Data, libprofile.a Data, libc.a Data, New Headers]

Challenges in Rewriting Static Binaries
- Dyninst must become a linker
[Diagram labels: Object File, Object File, Static Library, Linker, Not Finalized, Static Binary, Finalized, relinker, Dyninst Binary Rewriter, New Library]

Challenges in Rewriting Static Binaries
- Relinking is harder than linking
  - Thread Local Storage (TLS)
  - Constructor and destructor tables
- Supporting TLS
  - Need to link together multiple TLS sections
  - TLS sections must be adjacent
  - Move existing TLS section to the end and append new TLS sections
  - Update program header

Challenges in Rewriting Static Binaries
- Unexpected interactions within the tool chain
[Diagram labels: gcc, ld, Standard Format, Unpublished conventions, Dyninst Binary Rewriter, New Library, Linked Binary]

Binary Rewriter Example

```cpp
/* Setup */
BPatch_addressSpace *addr_space;
if (use_bin_edit)
    addr_space = BPatch.openFile("a.out");
else
    addr_space = BPatch.createProcess("a.out");

/* Instrumentation: static executables need archives, not shared objects */
if (addr_space->isStaticExecutable()) {
    addr_space->loadLibrary("libprofile.a");
    addr_space->loadLibrary("libc.a");
} else {
    addr_space->loadLibrary("libprofile.so");
}

/* Finalize */
if (use_bin_edit)
    app_bin->writeFile("a.rewritten.out");
else
    app_proc->continueExecution();
```

Binary Rewriter Status
- Rewriting dynamic binaries
  - Linux/x86
  - Linux/x86_64
  - Linux/PowerPC32
- Rewriting static binaries
  - Linux/x86
  - Linux/x86_64

Future Directions
- Rewriting dynamically linked binaries
  - PowerPC64
- Rewriting statically linked binaries
  - PowerPC Family
- Ports to new platforms and object formats
  - FreeBSD (ELF)
  - Windows (PE, PDB)
  - AIX (XCOFF)
- Update debug information (DWARF) in rewritten binaries

Demo on Tuesday: Scalasca, TAU, Paraver
Questions?
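
The Challenges slides list "Program header must be on first page" as an unexpected OS restriction; a rewriter that adds segments grows the program header table and can break it. The C check below is an added example (not from the talk and not Dyninst code) that tests this on an ELF64 header. The function names, the 4096-byte page size and the little-endian ELF64 restriction are assumptions, and the sample headers are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF64 header field offsets (System V gABI). Names are ours, not Dyninst's. */
enum { EI_CLASS_OFF = 4, EI_DATA_OFF = 5, E_PHOFF_OFF = 32,
       E_PHENTSIZE_OFF = 54, E_PHNUM_OFF = 56,
       EHDR64_SIZE = 64, PHDR64_SIZE = 56 };

static uint64_t rd_le(const uint8_t *p, int n) {      /* read n-byte LE value */
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

static void wr_le(uint8_t *p, uint64_t v, int n) {    /* write n-byte LE value */
    for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Returns 1 if the whole program header table lies inside the first page,
 * 0 if it does not, -1 if img is not a usable little-endian ELF64 header. */
int phdr_table_on_first_page(const uint8_t *img, size_t len, uint64_t page) {
    if (len < EHDR64_SIZE || memcmp(img, "\177ELF", 4) != 0) return -1;
    if (img[EI_CLASS_OFF] != 2 || img[EI_DATA_OFF] != 1) return -1;
    uint64_t phoff = rd_le(img + E_PHOFF_OFF, 8);
    uint64_t entsz = rd_le(img + E_PHENTSIZE_OFF, 2);
    uint64_t phnum = rd_le(img + E_PHNUM_OFF, 2);
    if (phnum == 0 || entsz < PHDR64_SIZE) return -1;
    /* entsz and phnum are 16-bit, so the product cannot overflow; compare
     * by subtraction so a huge phoff cannot wrap the sum. */
    uint64_t bytes = entsz * phnum;
    return phoff >= EHDR64_SIZE && phoff <= page && bytes <= page - phoff;
}

/* Constructed sample: a bare ELF64 header with the given table geometry. */
void make_ehdr(uint8_t out[EHDR64_SIZE], uint64_t phoff, uint16_t phnum) {
    memset(out, 0, EHDR64_SIZE);
    memcpy(out, "\177ELF", 4);
    out[EI_CLASS_OFF] = 2;                             /* ELFCLASS64 */
    out[EI_DATA_OFF] = 1;                              /* ELFDATA2LSB */
    wr_le(out + E_PHOFF_OFF, phoff, 8);
    wr_le(out + E_PHENTSIZE_OFF, PHDR64_SIZE, 2);
    wr_le(out + E_PHNUM_OFF, phnum, 2);
}

int main(void) {
    uint8_t h[EHDR64_SIZE];
    make_ehdr(h, 64, 9);       /* typical original layout */
    printf("original:        %d\n", phdr_table_on_first_page(h, sizeof h, 4096));
    make_ehdr(h, 0x20000, 9);  /* table relocated to the end of the file */
    printf("table relocated: %d\n", phdr_table_on_first_page(h, sizeof h, 4096));
    return 0;
}
```

Running this check on a rewriter's output before shipping it catches a table that was moved or grown past the first page, which would otherwise only show up when the loader rejects the file.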