From: Jon S. <ste...@em...> - 2016-01-08 23:04:12

Hello all,

I am a student at the University of Arizona doing research with Dr. Debray relating to computer security. We have been discussing a way to automatically generate taint propagation policies for a given x86 instruction. This process would be similar to the translation process from x86 to VEX, and so we were wondering if anyone could provide us with more information about how that was done. From what I understand from reading various papers on valgrind, each instruction in x86 is encoded using VEX micro-operations that represent the computation performed by that instruction. If this is the case, was there some way of automating (or semi-automating) the process of creating the equivalent VEX operations, or were they all hand-written? Additionally, in the VEX source code, is there a file that includes the VEX micro-operations that correlate with a given x86 instruction?

Any information would be greatly appreciated,
Jon Stephens
From: Philippe W. <phi...@sk...> - 2016-01-09 13:40:34

On Fri, 2016-01-08 at 15:35 -0700, Jon Stephens wrote:
> Hello all,
> I am a student at the University of Arizona doing research with Dr.
> Debray relating to computer security. We have been discussing a way to
> automatically generate taint propagation policies for a given x86
> instruction. This process would be similar to the translation process
> from x86 to VEX and so we were wondering if anyone could provide us
> with more information about how that was done. From what I understand
> from reading various papers on valgrind, each instruction in x86 is
> encoded using VEX micro-operations that represent the computation
> performed by that instruction.

Each x86 instruction is translated to IR instructions, see guest_x86_toIR.c.
There is a guest_...._toIR.c for each arch (e.g. amd64, arm, arm64, ...).

> If this is the case, was there some way of automating (or
> semi-automating) the process of creating the equivalent VEX
> operations, or were they all hand-written?

guest_...._toIR.c files are hand-written.

> Additionally, in the VEX source code, is there a file that includes
> the VEX micro-operations that correlate with a given x86 instruction?

There is no 'table'. To know the mapping for an instruction, you must read guest_x86_toIR.c.

You can also use the debug trace of valgrind to see how instructions are translated from arch specific instructions to IR, then transformed by the tool, then re-translated to the arch specific instructions. See valgrind --help-debug describing the --trace-flags and related options.

> Any information would be greatly appreciated,
> Jon Stephens

After reading the articles (see website), the best is to read the code.

Philippe
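Added example, not from either message and not Valgrind or VEX code: a small Python pass that takes the flat IR statements VEX emits for an instruction (GET/PUT on guest-state offsets, LDle/STle on memory, one IMark per guest instruction, the form printed by valgrind --trace-flags=10000000 --trace-notbelow=0) and derives a taint propagation policy for that instruction, i.e. which outputs depend on which inputs. The trace text below is constructed by hand for add eax,ebx / mov eax,[ebx] / mov [ebx],eax; the guest-state offsets (8 for EAX, 20 for EBX, 40..48 for the eflags thunk) and the thunk layout are assumptions for illustration, not values taken from libvex_guest_x86.h. Statement forms the toy parser does not know (dirty helper calls, CCall, Exit) are treated as contributing no taint, which a real tool would have to handle explicitly.

```python
"""Derive a taint-propagation policy for an x86 instruction from VEX-style IR.

Added example; the IR text is CONSTRUCTED to imitate what
`valgrind --trace-flags=10000000 --trace-notbelow=0` prints.  Guest-state
offsets and the eflags thunk layout are assumptions, not the real ones.
"""
import re

# Assumed guest-state offsets (hypothetical; real ones are in libvex_guest_x86.h).
GUEST = {8: "EAX", 20: "EBX", 40: "CC_OP", 44: "CC_DEP1", 48: "CC_DEP2"}

# Constructed trace: add eax,ebx / mov eax,[ebx] / mov [ebx],eax.
TRACE = """\
------ IMark(0x8048000, 2, 0) ------
t0 = GET:I32(8)
t1 = GET:I32(20)
t2 = Add32(t0,t1)
PUT(8) = t2
PUT(40) = 0x3:I32
PUT(44) = t0
PUT(48) = t1
------ IMark(0x8048002, 2, 0) ------
t3 = GET:I32(20)
t4 = LDle:I32(t3)
PUT(8) = t4
------ IMark(0x8048004, 2, 0) ------
t5 = GET:I32(20)
t6 = GET:I32(8)
STle(t5) = t6
"""

IMARK = re.compile(r"-+ IMark\((0x[0-9a-fA-F]+), (\d+), \d+\) -+")


def regname(offset):
    return GUEST.get(offset, f"guest+{offset}")


def mem_name(addr_sources):
    """Symbolic name of the memory cell addressed by a value built from addr_sources."""
    return "MEM[" + "+".join(sorted(addr_sources)) + "]"


def expr_sources(rhs, temps, taint_through_addr):
    """Input names a right-hand side depends on.  Constants contribute nothing."""
    if rhs.startswith("t"):                                   # plain temp
        return set(temps[rhs])
    if m := re.fullmatch(r"GET:I\d+\((\d+)\)", rhs):          # guest register read
        return {regname(int(m.group(1)))}
    if m := re.fullmatch(r"LD(?:le|be):I\d+\((t\d+)\)", rhs):  # memory load
        addr = temps[m.group(1)]
        return {mem_name(addr)} | (set(addr) if taint_through_addr else set())
    if m := re.fullmatch(r"\w+\((.*)\)", rhs):                # Add32(t0,t1), 32Uto64(t1), ...
        srcs = set()
        for arg in m.group(1).split(","):
            arg = arg.strip()
            if arg.startswith("t"):
                srcs |= temps[arg]
        return srcs
    return set()                                              # constant such as 0x3:I32


def policy_from_ir(stmts, taint_through_addr=False, temps=None):
    """Map each output (register or memory cell) written by one instruction to the
    inputs its new value depends on.  An empty set means the output is overwritten
    with an untainted value, so the policy must clear taint there."""
    temps = {} if temps is None else temps
    policy = {}
    for line in stmts:
        lhs, rhs = (s.strip() for s in line.split("=", 1))
        if lhs.startswith("PUT("):                            # guest register write
            policy[regname(int(lhs[4:-1]))] = expr_sources(rhs, temps, taint_through_addr)
        elif lhs.startswith("ST"):                            # STle(t5) = t6: memory store
            addr = temps[lhs[lhs.index("(") + 1:-1]]
            policy[mem_name(addr)] = expr_sources(rhs, temps, taint_through_addr)
        else:                                                 # temp assignment
            temps[lhs] = expr_sources(rhs, temps, taint_through_addr)
    return policy


def policies_from_trace(text, taint_through_addr=False):
    """Split a trace at IMark lines and derive one policy per guest instruction.
    Temps are shared across the whole trace because VEX numbers them per superblock."""
    out, temps = [], {}
    addr, stmts = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := IMARK.fullmatch(line):
            if addr is not None:
                out.append((addr, policy_from_ir(stmts, taint_through_addr, temps)))
            addr, stmts = m.group(1), []
        elif addr is not None:
            stmts.append(line)
    if addr is not None:
        out.append((addr, policy_from_ir(stmts, taint_through_addr, temps)))
    return out


if __name__ == "__main__":
    for addr, pol in policies_from_trace(TRACE):
        for dst, srcs in pol.items():
            print(f"{addr}: {dst} <- {', '.join(sorted(srcs)) or '(untainted)'}")
```

The derived policy for the constructed add is EAX <- {EAX, EBX}, CC_DEP1 <- {EAX}, CC_DEP2 <- {EBX} and CC_OP cleared, which is exactly the information a hand-written per-instruction taint rule would have to encode, including the flag dependencies that are easy to forget. The taint_through_addr switch shows the one policy decision the IR does not make for you: whether a tainted pointer taints the value loaded through it.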