From: Nicholas N. <nj...@cs...> - 2005-05-09 14:45:05

Hi,

I don't think I've mentioned this before:

www.burningcutlery.com/derek/phd.html

has Derek Bruening's PhD dissertation about DynamoRIO, which is a Valgrind-like system for dynamic binary instrumentation. What's notable is that it is really fast, i.e. typical slowdowns are in the 0--50% range. I believe it's less suitable for doing heavyweight instrumentation than Valgrind; e.g. I don't think you could write Memcheck easily in it. It's also x86-specific, but it impressively supports both Windows and Linux. The dissertation has lots of good stuff about getting good performance.

Also, there's a recent paper about another tool called Pin

http://rogue.colorado.edu/Pin/docs/papers/pin-pldi05.pdf

Pin works on multiple platforms, is again pretty fast, but again doesn't seem suitable for heavyweight instrumentation. They give some performance comparisons against Valgrind and DynamoRIO which are interesting. Valgrind doesn't fare very well, but it's really an apples-to-oranges comparison since the two comparisons involve no instrumentation and minimal instrumentation.

Both are good reading; I believe these two systems are the strongest competitors Valgrind has of the various dynamic binary instrumentation systems out there.

N

I have worked on DynamoRIO for a while. I think it is really fast, and more suitable for realtime applications. Different from Valgrind and Pin, it provides an IR which is very close to the x86 instruction set, complex but fast. I am developing a realtime information flow tracing tool using DynamoRIO, which is similar to MemCheck but cares more about speed. One weak point is that DynamoRIO source code is not publicly available.

Quoting Nicholas Nethercote <nj...@cs...>:

> Hi,
>
> I don't think I've mentioned this before:
>
> www.burningcutlery.com/derek/phd.html
>
> has Derek Bruening's PhD dissertation about DynamoRIO, which is a
> Valgrind-like system for dynamic binary instrumentation. What's notable
> is that it is really fast, i.e. typical slowdowns are in the 0--50% range.
> I believe it's less suitable for doing heavyweight instrumentation than
> Valgrind; e.g. I don't think you could write Memcheck easily in it. It's
> also x86-specific, but it impressively supports both Windows and Linux.
> The dissertation has lots of good stuff about getting good performance.
>
> Also, there's a recent paper about another tool called Pin
>
> http://rogue.colorado.edu/Pin/docs/papers/pin-pldi05.pdf
>
> Pin works on multiple platforms, is again pretty fast, but again doesn't
> seem suitable for heavyweight instrumentation. They give some performance
> comparisons against Valgrind and DynamoRIO which are interesting.
> Valgrind doesn't fare very well, but it's really an apples-to-oranges
> comparison since the two comparisons involve no instrumentation and
> minimal instrumentation.
>
> Both are good reading; I believe these two systems are the strongest
> competitors Valgrind has of the various dynamic binary instrumentation systems
> out there.
>
> N
>
> _______________________________________________
> Valgrind-developers mailing list
> Val...@li...
> https://lists.sourceforge.net/lists/listinfo/valgrind-developers


From: Bryan O'S. <bo...@se...> - 2005-05-09 15:51:59

On Mon, 2005-05-09 at 11:38 -0400, Qin Zhao wrote:

> One weak point is that DynamoRIO source code is not publicly available,

This would be the reason: http://www.determina.com/


From: Nicholas N. <nj...@cs...> - 2005-05-09 16:32:52

On Mon, 9 May 2005, Qin Zhao wrote:

> I am developing a realtime information flow tracing tool using
> DynamoRIO, which is similar to MemCheck, but more care about the speed.

Can you give any more detail about how it will work, what it will do? Will every value (in registers and memory) be shadowed by some kind of metavalue?

I'd be really interested to hear if you can get a Memcheck-like tool working well in DynamoRIO.

N

Quoting Nicholas Nethercote <nj...@cs...>:

> On Mon, 9 May 2005, Qin Zhao wrote:
>
>> I am developing a realtime information flow tracing tool using
>> DynamoRIO, which is similar to MemCheck, but more care about the speed.
>
> Can you give any more detail about how it will work, what it will do?
> Will every value (in registers and memory) be shadowed by some kind of
> metavalue?
>
> I'd be really interested to hear if you can get a Memcheck-like tool
> working well in DynamoRIO.
>
> N

It is similar to MemCheck: each byte of memory and register has one byte of shadow memory, initially set as clean. The user can specify some part of the data, or data read from a file or the network, as tainted, and the corresponding shadow memory is marked as tainted. Then during the execution, when the data is propagated around, the instrumented code propagates the data's taint status in shadow memory. We can perform some check at some point to see if the used data are tainted. For example, we can check the data used for an indirect branch's target address; if it is tainted, it is very possible that a buffer overflow attack is happening.

From my understanding, the basic tech is similar to MemCheck: tracing and checking.

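As an added illustration (not code from this thread, and not DynamoRIO's or TaintCheck's API), the following C program models the byte-granular shadow-memory scheme described above: every byte of a small simulated memory and register file has one shadow byte, input "from the network" marks its shadow bytes tainted, a handful of hypothetical mini-instructions propagate taint the way the instrumented code would, and a check before an indirect branch reports whether any byte of the target came from tainted input. The memory layout, register count, instruction set and scenario names are all constructed for the example.

```c
/* Byte-granular shadow-memory taint tracking, modelled in plain C.
 * Everything here is a constructed simulation: "mem" stands in for the
 * application's memory, "regs" for its registers, and the load/store/add
 * helpers for the instrumentation a DBI tool would insert. Shadow byte
 * value 0 = clean, 1 = tainted. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 64
#define NREGS 4

static uint8_t  mem[MEM_SIZE];
static uint8_t  shadow_mem[MEM_SIZE];        /* one shadow byte per memory byte   */
static uint32_t regs[NREGS];
static uint8_t  shadow_regs[NREGS][4];       /* one shadow byte per register byte */

/* Start every scenario from an all-clean state. */
static void reset(void) {
    memset(mem, 0, sizeof mem);
    memset(shadow_mem, 0, sizeof shadow_mem);
    memset(regs, 0, sizeof regs);
    memset(shadow_regs, 0, sizeof shadow_regs);
}

/* Taint source: data arriving from an untrusted input (file, network). */
void taint_input(size_t addr, const uint8_t *data, size_t len) {
    memcpy(&mem[addr], data, len);
    memset(&shadow_mem[addr], 1, len);       /* mark every input byte tainted */
}

/* mov reg, imm: constants are clean by definition. */
void mov_imm(int r, uint32_t v) {
    regs[r] = v;
    memset(shadow_regs[r], 0, 4);
}

/* mov reg, [addr] (32-bit load): value and shadow travel together. */
void load32(int r, size_t addr) {
    memcpy(&regs[r], &mem[addr], 4);
    memcpy(shadow_regs[r], &shadow_mem[addr], 4);
}

/* mov [addr], reg (32-bit store): value and shadow travel together. */
void store32(size_t addr, int r) {
    memcpy(&mem[addr], &regs[r], 4);
    memcpy(&shadow_mem[addr], shadow_regs[r], 4);
}

/* add dst, src: the result is tainted if any input byte was (conservative
 * rule; carries can spread influence across byte boundaries). */
void add32(int dst, int src) {
    int any = 0;
    for (int i = 0; i < 4; i++) any |= shadow_regs[dst][i] | shadow_regs[src][i];
    regs[dst] += regs[src];
    memset(shadow_regs[dst], any ? 1 : 0, 4);
}

/* Check inserted before "jmp reg" / "call reg": 1 if the target is tainted. */
int indirect_branch_tainted(int r) {
    for (int i = 0; i < 4; i++)
        if (shadow_regs[r][i]) return 1;
    return 0;
}

/* Scenario: 24 bytes of input copied into a 16-byte buffer at mem[0]
 * overwrites a function pointer kept at mem[16..19]; the branch check fires. */
int scenario_overwritten_fptr(void) {
    uint8_t input[24];
    reset();
    mov_imm(0, 0x08040000u);                 /* constructed "code address", clean */
    store32(16, 0);
    memset(input, 'A', sizeof input);
    taint_input(0, input, sizeof input);     /* spills into 16..19 */
    load32(1, 16);
    return indirect_branch_tainted(1);       /* 1: tainted target detected */
}

/* Scenario: input that fits the buffer leaves the pointer clean. */
int scenario_clean_fptr(void) {
    uint8_t input[8];
    reset();
    mov_imm(0, 0x08040000u);
    store32(16, 0);
    memset(input, 'B', sizeof input);
    taint_input(0, input, sizeof input);
    load32(1, 16);
    return indirect_branch_tainted(1);       /* 0: clean */
}

/* Scenario: taint survives arithmetic (tainted operand + clean constant). */
int scenario_arithmetic_propagates(void) {
    uint8_t input[4] = {1, 2, 3, 4};
    reset();
    taint_input(32, input, sizeof input);
    load32(2, 32);
    mov_imm(3, 100);
    add32(3, 2);
    return indirect_branch_tainted(3);       /* 1: derived from tainted data */
}

int main(void) {
    printf("overwritten fptr: %d\n", scenario_overwritten_fptr());
    printf("clean fptr:       %d\n", scenario_clean_fptr());
    printf("arithmetic:       %d\n", scenario_arithmetic_propagates());
    return 0;
}
```

The propagation rules are the whole design space for such a tool: copying value and shadow together on loads and stores is cheap, but every arithmetic and logical instruction needs its own rule (the all-or-nothing rule in add32 is the simplest conservative choice), and the check itself is only as good as the list of sinks it is attached to, which here is just the indirect-branch target.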

From: Nicholas N. <nj...@cs...> - 2005-05-09 18:32:30

On Mon, 9 May 2005, Qin Zhao wrote:

>>> I am developing a realtime information flow tracing tool using
>>> DynamoRIO, which is similar to MemCheck, but more care about the speed.
>
> It is similar to MemCheck: each byte of memory and register has one byte of shadow
> memory, initially set as clean. The user can specify some part of the data, or data
> read from a file or the network, as tainted, and the corresponding shadow memory is
> marked as tainted. Then during the execution, when the data is propagated
> around, the instrumented code propagates the data's taint status in shadow memory.
> We can perform some check at some point to see if the used data are tainted.
> For example, we can check the data used for an indirect branch's target address;
> if it is tainted, it is very possible that a buffer overflow attack is happening.

Sounds similar to CMU's TaintCheck (www.ece.cmu.edu/~jnewsome/docs/taintcheck.pdf) -- are there any major differences?

> From my understanding, the basic tech is similar to MemCheck: tracing and
> checking.

Yes.

N

> Sounds similar to CMU's TaintCheck
> (www.ece.cmu.edu/~jnewsome/docs/taintcheck.pdf) -- are there any major
> differences?

Yes, actually it is inspired by that. I just want to speed it up and make it usable for applications in realtime, and that's why I use DynamoRIO instead of Valgrind.


From: Nicholas N. <nj...@cs...> - 2005-05-09 19:23:53

On Mon, 9 May 2005, Qin Zhao wrote:

>> Sounds similar to CMU's TaintCheck
>> (www.ece.cmu.edu/~jnewsome/docs/taintcheck.pdf) -- are there any major
>> differences?
>
> Yes, actually it is inspired by that. I just want to speed it up and make it
> usable for applications in realtime, and that's why I use DynamoRIO instead of
> Valgrind.

Right. I'd love to know how it goes, if you can do it.

N