Part 2: Diablo Data Structures

Size: px

Start display at page:

Download "Part 2: Diablo Data Structures"

Arlene Jackson
5 years ago
Views:

1 Part 2: Diablo Structures PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 1 Goals Linker data structures Internal representation Construction of graphs Concrete Structures Manipulation Dynamic Members

2 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 2 Structures: Goal Easy to manipulate CFG SSA Reliable model control flow conservatively precise = not too conservative Retargetable abstract architecture specific details Extensible easy to augment basic data structures with extra data

3 Transition in small steps Input Structures Link Graph Coarse-grained graph,enables linking and unused section removal Direct Control Flow and Relocatable Address Graph Fine-grained graph, enables unreachable code and data removal Augmented Whole Program Control Flow Graph = DCFRAG + special edges Enables (flow)analysis of the program Interprocedural Control Flow Graph Makes analysis of the program more easy PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 3

4 Part 2: Diablo Structures PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 4 Goals Linker data structures Internal representation Construction of graphs Concrete Structures Manipulation Dynamic Members

5 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 5 Linker Structures: our input Most are simply an abstract representation of data used by a linker: archives (containers of relocatable objects) relocatable objects (container of sections) section (containers of data) Interesting structures for Diablo: relocs (relocation information) symbols

6 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 6 Relocatable objects Represent every entity that can need relocating have an address and a size can be used in symbols and relocs can be changed by relocs e.g. sections are relocatable objects

7 labeled address expression use the value of relocatable objects to calculate an address example: Symbols symbol offset_between_section_a_and_b_plus_10 code = R01 R00 A00 +$ section a offset in a section b offset in b 10 used during symbol resolution order > means it overwrites other symbols can create data (e.g. bss) PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 7

8 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 8 Relocations use the address of relocatable objects and symbols to compute an address put it in the desired encoding write it somewhere in a relocatable object checks if relocation was successful (no overflow)

9 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 9 Relocations Example for an instruction load immediate pc relative that loads the address of (an offset in) a relocatable object minus the address of a symbol plus some value (addend) and stores this address pc relative (instruction encoding) but automatically increases with the pc when executed R00 S00 A00 + \\ P- l*w \\ s0000 $ COMPUTE ENCODE CHECK (not used)

10 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 10 Relocations Example for an instruction load immediate pc relative that loads the address of (an offset in) a relocatable object minus the address of a symbol plus some value (addend) and stores this address pc relative (instruction encoding) but automatically increases with the pc when executed R00 S00 A00 + \\ P- l*w \\ s0000 $

11 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 11 Relocations Example for an instruction load immediate pc relative that loads the address of (an offset in) a relocatable object minus the address of a symbol plus some value (addend) and stores this address pc relative (instruction encoding) but automatically increases with the pc when executed R00 S00 A00 + \\ P- l*w \\ s0000 $

12 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 12 Relocations Example for an instruction load immediate pc relative that loads the address of (an offset in) a relocatable object minus the address of a symbol plus some value (addend) and stores this address pc relative (instruction encoding) but automatically increases with the pc when executed R00 S00 A00 + \\ P- l*w \\ s0000 $

13 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 13 Relocations Example for an instruction load immediate pc relative that loads the address of (an offset in) a relocatable object minus the address of a symbol plus some value (addend) and stores this address pc relative (instruction encoding) but automatically increases with the pc when executed R00 S00 A00 + \\ P- l*w \\ s0000 $

14 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 14 Relocations Example for an instruction load immediate pc relative that loads the address of (an offset in) a relocatable object minus the address of a symbol plus some value (addend) and stores this address pc relative (instruction encoding) but automatically increases with the pc when executed R00 S00 A00 + \\ P- l*w \\ s0000 $

15 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 15 Relocations Example for an instruction load immediate pc relative that loads the address of (an offset in) a relocatable object minus the address of a symbol plus some value (addend) and stores this address pc relative (instruction encoding) but automatically increases with the pc when executed R00 S00 A00 + \\ P- l*w \\ s0000 $ MARKERS

16 Relocations Example for an instruction load immediate pc relative that loads the address of (an offset in) a relocatable object minus the address of a symbol plus some value (addend) and stores this address pc relative (instruction encoding) but automatically increases with the pc when executed R00 S00 A00 + \\ P- l*w \\ s0000 $ section a offset in a symbol 42 section c offset in c section b offset in b TO FROM PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 16

17 Relocation subtleties pointer: code = S00 A #include <stdio.h> void v1() { printf("v1\n"); } void v2() { printf("v2\n"); } void (*pointer)() = v1; v1 code = R00.text 0 bad_pointer: code = S00A int *bad_pointer = ((int *) v2) + 1; int main(int argc, char ** argv) { pointer(); ((void (*)()) (bad_pointer -1))(); return 0; } PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 17 v2 code = R00.text 20 1

18 Relocation subtleties pointer: code = S00 A #include <stdio.h> void v1() { printf("v1\n"); } void v2() { printf("v2\n"); } void (*pointer)() = v1;.text code = R00.text 0 bad_pointer: code = S00A int *bad_pointer = ((int *) v2) + 1; int main(int argc, char ** argv) { pointer(); ((void (*)()) (bad_pointer -1))(); return 0; } PLDI 06 Tutorial - Binary Rewriting with Diablo - part

19 Relocation subtleties pointer: code = S00 A #include <stdio.h> void v1() { printf("v1\n"); } void v2() { printf("v2\n"); } void (*pointer)() = v1;.text code = R00.text 0x0 bad_pointer: code = S00A int *bad_pointer = ((int *) v2) + 1; int main(int argc, char ** argv) { pointer(); ((void (*)()) (bad_pointer -1))(); return 0; } RELOCATIONS & SYMBOLS SHOULD NOT BE RELAXED PLDI 06 Tutorial - Binary Rewriting with Diablo - part

20 Part 2: Diablo Structures PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 20 Goals Linker data structures Internal representation Construction of graphs Concrete Structures Manipulation Dynamic Members

21 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 21 Object file b Object files Code Symbol _start: Symbol a: order 0 to undefined to sym aptr S00\l*w\s000$ Symbol b: from data to sym a S00\l*w\s000$ Symbol aptr:

22 Graph representation Object file b to sym aptr S00\l*w\s000$ Symbol _start: Symbol aptr: from data to sym a S00\l*w\s000$ Code Symbol a: order 0 to undefined Symbol b: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 22

23 Part 2: Diablo Structures PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 23 Goals Linker data structures Internal representation Construction of graphs Concrete Structures Manipulation Dynamic Members

24 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 24 Reading information Entry EXE MAP

25 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 25 Reading information Entry.text 0x x5e4d40 EXE.text 0x x24 /usr/lib/crt1.o 0x _start.text 0x x22 /usr/lib/crti.o *fill* 0x text 0x xc4 /usr/lib/crtbegint.o *fill* 0x text 0x x56f app_procs.o 0x app_run 0x80482a0 app_abort 0x80482e0 app_exit 0x app_libs_init *fill* 0x80487af.text 0x80487b0 0xf33 main.o 0x80487b0 main MAP

26 Reading information Entry Object file b to sym aptr S00\l*w\s000$ EXE Symbol _start: Symbol aptr: from data to sym a S00\l*w\s000$ Code Symbol a: order 0 to undefined Object file a Code to sym array S00\l*w\s000$ MAP Symbol b: Symbol a: Symbol array: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 26

27 Reading information Entry Object file b to sym aptr S00\l*w\s000$ EXE Symbol _start: Symbol aptr: from data to sym a S00\l*w\s000$ Code Symbol a: order 0 to undefined Object file a Code to sym array S00\l*w\s000$ MAP Symbol b: Symbol a: Symbol array: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 27

28 Reading information Entry to sym aptr S00\l*w\s000$ Symbol _start: Symbol aptr: from data to sym a S00\l*w\s000$ Code Symbol a: order 0 to undefined Code to sym array S00\l*w\s000$ Symbol b: Symbol a: Symbol array: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 28

29 Symbol Resolution Entry to sym aptr S00\l*w\s000$ Symbol _start: Symbol aptr: from data to sym a S00\l*w\s000$ Code Symbol a: order 0 to undefined Code to sym array S00\l*w\s000$ Symbol b: Symbol a: Symbol array: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 29

30 Symbol Resolution Entry to sym aptr S00\l*w\s000$ Symbol _start: Symbol aptr: from data to sym a S00\l*w\s000$ Code Code to sym array S00\l*w\s000$ Symbol b: Symbol a: Symbol array: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 30

31 Linkgraph Entry Symbol _start: Symbol aptr: from data Code Code Symbol b: Symbol a: Symbol array: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 31

32 Linkgraph Entry Symbol _start: from data Code Code Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 32

33 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 33 Uses of the linkgraph Linking (placing sections, relocating) Apply linker optimizations (remove unused sections) fine-grained transformations Need for a more fine-grained graph: DCFRAG Direct Control Flow and Relocatable Addresses

34 Linkgraph Entry Symbol _start: from data Code Code Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 34

35 Disassembler Entry Symbol _start: from data Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 35

36 Disassembler Disassemble Instruction Architecture independent - instruction type (jump, cmp,...) - conditional? - register lists (used, defined) Architecture dependent - backend decides - opcode - regs Architecture independent analyses and optimizations work on architecture independent part or use callbacks PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 36

37 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 37 Detect basic blocks Disassemble Split sections into basic blocks Basic Block Linked list of instructions Type (for special block)

38 Detect basic blocks Entry Symbol _start: from data Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 38

39 Detect basic blocks Entry Symbol _start: from data Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 39

40 Detect basic blocks Entry Symbol _start: from data Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 40

41 Detect basic blocks Entry Symbol _start: from data Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 41

42 Detect basic blocks Entry Symbol _start: from data Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 42

43 Detect basic blocks Entry Symbol _start: from data Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 43

44 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 44 Add edges Disassemble Split sections into basic blocks Targets direct jumps + successors conditional jumps To's of relocs analyze switches (computed) to find switch targets Add direct control flow edges and switch edges Edge Connector for two basic blocks Type (jump, ft, call, return,...)

45 Add edges Entry Symbol _start: from data Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 45

46 Add edges: direct jumps Entry Symbol _start: from data Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 46

47 Add edges: fall-through paths Entry Symbol _start: from data Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 47

48 Add edges: system calls Entry Symbol _start: from data Sys Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 48

49 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 49 Partition the code into functions Function - Name - list of basic blocks - register lists (used, defined,...)

50 Partition the code into functions Entry Symbol _start: from data Sys Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 50

51 Partition the code into functions Function program_entry Entry Function _start Symbol _start: Function a from data Function b Return Return Function syscall hell Sys Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 51

52 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 52 Function Calls Function caller Function callee Return Return

53 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 53 Interprocedural Goto's Function caller Function callee Return Return

54 DCFRAG Function program_entry Entry Function _start Symbol _start: Function a from data Function b Return Return Function syscall hell Sys Symbol b: Symbol a: PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 54

55 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 55 DCFRAG Function program_entry Entry Function _start Function a from data Function b Return Return Function syscall hell Sys

56 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 56 Uses of the DCFRAG Fine grained removal of unused code and data flow We need a graph for data flow analyses (ICFG)

57 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 57 DCFRAG Function program_entry Entry Function _start Function a from data Function b Return Return Function syscall hell Sys

58 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 58 Augmented Whole-Program CFG Function program_entry Entry Function _start Function hell Hell Return Function a from data Function b Return Return Function syscall hell Sys

59 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 59 ICFG Function program_entry Entry Function _start Function hell Hell Return Function a Function b Return Return Function syscall hell Sys

60 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 60 Uses of the ICFG Good for analysis and transformations Bad for writing out the program Use the combined ICFG + DCFRAG = AWPCFG

61 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 61 AWPCFG Function program_entry Entry Function _start Function hell Hell Return Function a from data Function b Return Return Function syscall hell Sys

62 Part 2: Diablo Structures PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 62 Goals Linker data structures Internal representation Construction of graphs Concrete Structures Manipulation Dynamic Members

63 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 63 Concrete Structures t_reloc_table t_reloc t_reloc_ref t_i386_ins t_ppc_ins t_arm_ins t_relocatable t_object t_symbol_table t_symbol t_symbol_ref t_ins t_bbl t_function t_cfg_edge t_section t_cfg

64 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 64 Accessing fields With getters and setters t_bbl * head = CFG_EDGE_HEAD(cfg_edge) ARM_INS_SET_REGA(arm_ins, reg) Reason: Dynamic Members

65 Iterating the ICFG t_cfg * cfg; t_function * fun; t_bbl * bbl; t_ins * ins; t_cfg_edge * edge; CFG_FOREACH_FUNCTION(cfg, fun) FUNCTION_FOREACH_BBL(fun, bbl) CFG_FOREACH_BBL(cfg, bbl) BBL_FOREACH_INS(bbl, ins) BBL_FOREACH_SUCC_EDGE(bbl, edge) BBL_FOREACH_PRED_EDGE(bbl, edge) PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 65

66 Part 2: Diablo Structures PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 66 Goals Linker data structures Internal representation Construction of graphs Concrete Structures Manipulation Dynamic Members

67 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 67 Primitive Transformations Relocations Add: RelocTableAddRelocToRelocatable Remove: RelocTableRemoveReloc Modify: RelocSetFrom, RelocSetToRelocatable Sections Create: SectionCreateForObject Functions Create: FunctionMake Remove: FunctionKill

68 Primitive Transformations Basic blocks Create: New Remove: Kill Duplicate: Dup Split: SplitBlock ICFG edges Create: CfgEdgeCreate Remove: CfgEdgeKill Instructions Create: InsNewFor Remove: InsKill PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 68

69 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 69 On the DCFRAG SECTION_REFED_BY(sec) SECTION_REFERS_TO(sec) BBL_REFED_BY(bbl) BBL_REFED_BY_SYM(bbl) INS_REFERS_TO(ins)

70 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 70 Consistency of the AWPCFG Manipulate one view, what happens on other? Diablo tries to keep things consistent Kill reloc, and its ICFG-edge is also killed Kill ins, and to-relocs are also killed Remove a section, and all to-relocs are also killed Makes sure that you do the proper thing Try to kill an object with refers_to relocs, and it fatals

71 Part 2: Diablo Structures PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 71 Goals Linker data structures Internal representation Construction of graphs Concrete Structures Manipulation Dynamic Members

72 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 72 Dynamic Members Diablo needs to be extensible Many analyses compute different kinds of information on very large data sets We cannot include all of them in the main libraries, or even store all information together Dynamic members augment basic data structures with members that can be allocated on the fly

73 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 73 Dynamic Members Example: member for reachability t_bool BBL_REACHABLE(t_bbl) BBL_SET_REACHABLE(t_bbl, t_bool) InitReachable(t_cfg *) Allocates space for this field and calls init callback for each bbl FiniReachable(t_cfg *) Calls fini callback and deallocates space

74 PLDI 06 Tutorial - Binary Rewriting with Diablo - part 2 74 To instantiate the member: Dynamic Members DYNAMIC_MEMBER( bbl, /* data structure to extend */ t_cfg *, /* manager type */ bbl_reachable_array, /* array to hold members */ t_bool, /* the type of the member */ reachable, /* lowercase name */ REACHABLE, /* UPPERCASE name */ Reachable, /* CamelCase name*/ CFG_FOREACH_BBL, /* iterator */ ReachableInitCb, /* init callback*/ ReachableFiniCb, /* fini callback */ ReachableDupCb, /* dup callback */ );

DIABLO: a reliable, retargetable and extensible link-time rewriting framework

DIABLO: a reliable, retargetable and extensible link-time rewriting framework (Invited Paper) Ludo Van Put, Dominique Chanet, Bruno De Bus, Bjorn De Sutter and Koen De Bosschere Ghent University Sint-Pietersnieuwstraat