From: Philippe W. <phi...@sk...> - 2016-01-09 13:40:34
On Fri, 2016-01-08 at 15:35 -0700, Jon Stephens wrote:
> Hello all,
> I am a student at the University of Arizona doing research with Dr.
> Debray relating to computer security. We have been discussing a way to
> automatically generate taint propagation policies for a given x86
> instruction. This process would be similar to the translation process
> from x86 to VEX and so we were wondering if anyone could provide us
> with more information about how that was done. From what I understand
> from reading various papers on valgrind, each instruction in x86 is
> encoded using VEX micro-operations that represent the computation
> performed by that instruction.

Each x86 instruction is translated to IR instructions, see guest_x86_toIR.c.
There is a guest_...._toIR.c for each arch (e.g. amd64, arm, arm64, ...).

> If this is the case, was there some way of automating (or
> semi-automating) the process of creating the equivalent VEX
> operations, or were they all hand-written?

guest_...._toIR.c files are hand-written.

> Additionally, in the VEX source code, is there a file that includes
> the VEX micro-operations that correlate with a given x86 instruction?

There is no 'table'. To know the mapping for an instruction, you must
read guest_x86_toIR.c.

You can also use the debug trace of valgrind to see how instructions
are translated from arch-specific instructions to IR, then transformed
by the tool, then re-translated to the arch-specific instructions.
See valgrind --help-debug describing the --trace-flags and related
options.

> Any information would be greatly appreciated,
> Jon Stephens

After reading the articles (see website), the best is to read the code.

Philippe
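The approach the reply points at (read the IR that the debug trace prints, and let the taint policy fall out of the IR operations rather than out of the x86 mnemonic) as an added worked example. This is not code from the thread, from Valgrind or from VEX: it is a small Python model that parses the textual form of a few IR statements (GET/PUT of guest-state offsets, temporaries, constants and operator applications, in the style that --trace-flags prints) and derives, for one translated instruction, which guest-state offsets each written offset depends on. The IR text for `add eax, ebx` and `xor eax, eax` is constructed by hand and only approximates real toIR output; the guest-state offsets and the CC_OP constant are assumptions, not values taken from libvex_guest_x86.h. Loads and stores are deliberately left out. The one place a generator must add knowledge that is not in the data flow is the `xor reg, reg` zeroing idiom, handled here by an option.

```python
import re

# Assumed guest-state offsets, for readable output only; the real layout is
# defined in libvex_guest_x86.h and may differ.
X86_OFFSETS = {8: "EAX", 12: "ECX", 16: "EDX", 20: "EBX",
               40: "CC_OP", 44: "CC_DEP1", 48: "CC_DEP2"}

# Constructed sample resembling trace output for `add eax, ebx`:
# read both registers, add, write EAX, record the flag thunk.
ADD_EAX_EBX = """
------ IMark(0x8048000, 2, 0) ------
t0 = GET:I32(8)
t1 = GET:I32(20)
t2 = Add32(t0,t1)
PUT(8) = t2
PUT(40) = 0x3:I32
PUT(44) = t0
PUT(48) = t1
"""

# Constructed sample resembling trace output for `xor eax, eax`.
XOR_EAX_EAX = """
------ IMark(0x8048002, 2, 0) ------
t0 = GET:I32(8)
t1 = Xor32(t0,t0)
PUT(8) = t1
PUT(44) = t1
"""

TMP = re.compile(r"t\d+")
CONST = re.compile(r"0x[0-9a-fA-F]+:I\d+")
GET = re.compile(r"GET:I\d+\((\d+)\)")
APPLY = re.compile(r"([\w:]+)\((.*)\)")


def atom_sources(atom, tmps):
    """Guest-state offsets an IR atom (temporary or constant) depends on."""
    atom = atom.strip()
    if CONST.fullmatch(atom):
        return frozenset()          # constants carry no taint
    if TMP.fullmatch(atom):
        return tmps[atom]           # temporaries are assigned exactly once
    raise ValueError("unsupported atom: %r" % atom)


def derive_policy(ir_text, xor_idiom=True):
    """Map each PUT offset to the set of GET offsets its value depends on.

    Walks the statements in order, tracking the dependence set of every
    temporary, so the per-instruction propagation policy is computed from
    the IR rather than written by hand for the x86 mnemonic.
    """
    tmps = {}
    policy = {}
    for line in ir_text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("------"):
            continue                # skip IMark and blank lines
        lhs, rhs = (s.strip() for s in line.split("=", 1))
        m = GET.fullmatch(rhs)
        if m:
            srcs = frozenset({int(m.group(1))})
        elif APPLY.fullmatch(rhs):
            op, args = APPLY.fullmatch(rhs).groups()
            args = [a.strip() for a in args.split(",")]
            if xor_idiom and op.startswith("Xor") and len(args) == 2 and args[0] == args[1]:
                srcs = frozenset()  # x ^ x is 0 regardless of x's taint
            else:
                srcs = frozenset().union(*(atom_sources(a, tmps) for a in args))
        else:
            srcs = atom_sources(rhs, tmps)
        if lhs.startswith("PUT("):
            policy[int(lhs[4:-1])] = srcs
        else:
            tmps[lhs] = srcs
    return policy


def describe(policy):
    """Render a policy with register names instead of raw offsets."""
    name = lambda o: X86_OFFSETS.get(o, "off%d" % o)
    return {name(d): sorted(name(s) for s in srcs) for d, srcs in policy.items()}


if __name__ == "__main__":
    print(describe(derive_policy(ADD_EAX_EBX)))
    print(describe(derive_policy(XOR_EAX_EAX)))
    print(describe(derive_policy(XOR_EAX_EAX, xor_idiom=False)))
```

Running it shows the two things a policy generator needs from the IR: for the add, EAX and CC_DEP1/CC_DEP2 inherit taint from EAX and EBX while CC_OP, written from a constant, is cleared; for the xor, the data flow alone would keep EAX tainted (it reads EAX), and only the idiom rule turns it into a taint-clearing instruction. Extending the model to real trace output means adding cases for LDle/STle, conditional exits and the guest-state offsets taken from the header rather than assumed here.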