\section{\staticdeps: static extraction of memory-carried dependencies} \begin{frame}[fragile]{Dependencies, through registers} \begin{minipage}[c]{0.35\textwidth} \begin{lstlisting}[language={[x86masm]Assembler}, numbers=none] 0: mov (%rax), %rcx ... 3: add %rcx, %rdx \end{lstlisting} \end{minipage}\hfill \begin{minipage}[c]{0.5\textwidth} \begin{itemize} \item Track register writes \item Generate dependency upon read \end{itemize} \end{minipage} \begin{center} 3 $\rightarrow$ 0 through \reg{rcx} \end{center} \end{frame} \begin{frame}[fragile]{Dependencies, loop-carried} \begin{minipage}[c]{0.40\textwidth} \begin{lstlisting}[language={[x86masm]Assembler}, numbers=none] loop: 0: add %rcx, %rdx ... 3: mov (%rax), %rcx 6: jmp loop \end{lstlisting} \end{minipage}\hfill \begin{minipage}[c]{0.1\textwidth} $\longrightarrow$ \end{minipage}\hfill \begin{minipage}[c]{0.40\textwidth} \begin{lstlisting}[language={[x86masm]Assembler}, numbers=none] 0,0: add %rcx, %rdx ... 0,3: mov (%rax), %rcx 1,0: add %rcx, %rdx ... 1,3: mov (%rax), %rcx \end{lstlisting} \end{minipage} \begin{center} 1,0 $\rightarrow$ 0,3 through \reg{rcx}\\ \ie{} \alert{loop-carried 1 $\rightarrow$ 3} \end{center} \end{frame} \begin{frame}[fragile]{Dependencies, through memory} \begin{minipage}[c]{0.30\textwidth} \begin{lstlisting}[language={[x86masm]Assembler}, numbers=none] mov %r10, 4(%rax) add $4, %rax add %rbx, (%rax) \end{lstlisting} \end{minipage}\hfill \begin{minipage}[c]{0.68\textwidth} \begin{itemize} \item Through memory: indirections, arithmetics, … \item Requires comparison of arbitrary symbolic expressions \medskip{} \item Use randomness as a kind of hash table instead \item Loop-carried: luckily, ROB is finite and small \end{itemize} \end{minipage} \end{frame} \begin{frame}{The \staticdeps{} algorithm} \begin{itemize} \item \alert{Unroll} kernel until $\card{\kerK} \geq \card{\text{ROB}} + \card{\kerK_0}$ \item \alert{Simulate} execution \item Unknown value (reg./mem.)? \alert{Sample} uniformly in $0\ldots2^{64}-1$ (\alert{``fresh''}) \item \alert{Compute arithmetics} normally (overflow is fine) \item Float or unknown operands $\leadsto \alert{\bot}$ \item Upon write, remember from which instruction \item Upon read, if writer known, \alert{generate dependency} \end{itemize} \end{frame} \begin{frame}[fragile]{An example: memoized Fibonacci sequence} \begin{minipage}[c]{0.46\textwidth} \begin{lstlisting}[language=C] int fibo(int* F, int n) { for(int i=2; i <= n; ++i) { F[i] = F[i-1] + F[i-2]; } return F[n]; } \end{lstlisting} \end{minipage}\hfill\begin{minipage}[c]{0.06\textwidth} \contour{black}{$\longrightarrow$} \end{minipage}\hfill\begin{minipage}[c]{0.40\textwidth} \begin{lstlisting}[language={[x86masm]Assembler}, numbers=none] 0: mov (%rax),%edx 1: add 0x4(%rax),%edx 2: mov %edx,0x8(%rax) 3: add $0x4,%rax 4: cmp %rcx,%rax 5: jne 0 \end{lstlisting} \end{minipage} \end{frame} \begin{frame}[fragile] \vspace{1cm} \newcommand{\unk}{{\color{gray}?}} \newcommand{\h}{\cellcolor[HTML]{D0ECFF}} \newcommand{\w}{\cellcolor[HTML]{d6bf86}} \newcommand{\dep}[1]{{\color{red}$\veryshortarrow$\,#1}} \begin{columns} \column{\dimexpr\paperwidth-8pt} \centering \hfill\begin{minipage}{0.29\textwidth} {\footnotesize \begin{tabular}{c c c} Mem. read\h & & Mem. write\w \\ \end{tabular} } \vspace{1em} \vfill \begin{lstlisting}[language={[x86masm]Assembler}, numbers=none] 0: mov (%rax),%edx 1: add 0x4(%rax),%edx 2: mov %edx,0x8(%rax) 3: add $0x4,%rax 4: cmp %rcx,%rax 5: jne 0 \end{lstlisting} \end{minipage}\hfill \begin{minipage}{0.69\textwidth} \centering \footnotesize \begin{tabular}{c c c c c c c c c l} \toprule \textbf{Before} & \multicolumn{2}{c}{\textbf{Registers}} && \multicolumn{5}{c}{\textbf{Memory}} & \textbf{Dep}\\ \textbf{instr} & \reg{rax} & \reg{edx} && \texttt{100} & \texttt{104} & \texttt{108} & \texttt{112} & \texttt{116} & \\ \midrule 0,0 & \unk& \unk&& \unk & \unk & \unk & \unk & \unk & \\ \pause{} 0,1 & 100 & 200 && 200\h& \unk & \unk & \unk & \unk & \\ \pause{} 0,2 & 100 & 376 && 200 & 176\h& \unk & \unk & \unk & \\ \pause{} 0,3 & 100 & 376 && 200 & 176 & 376\w& \unk & \unk & \\ \pause{} 0,4 & \alert{104} & 376 && 200 & 176 & 376 & \unk & \unk & \\ 0,5 & 100 & 376 && 200 & 176 & 376 & \unk & \unk & \\ \midrule \pause{} 1,1 & 104 & \alert{176} && 200 & 176\h& 376 & \unk & \unk & \\ \pause{} 1,2 & 104 & \alert{552} && 200 & 176 & 376\h& \unk & \unk & \dep{-1,3}\\ \pause{} 1,3 & 104 & 552 && 200 & 176 & 376 & 552\w& \unk & \\ \midrule \pause{} 2,1 & 108 & \alert{376} && 200 & 176 & 376\h& 552 & \unk & \dep{-2,3}\\ \pause{} 2,2 & 108 & \alert{928} && 200 & 176 & 376 & 552\h& \unk & \dep{-1,3}\\ \pause{} 2,3 & 108 & 928 && 200 & 176 & 376 & 552 & 928\w &\\ \bottomrule{} \end{tabular} \end{minipage}\hfill \end{columns} \let\unk\unefined \let\h\unefined \let\w\unefined \let\dep\unefined \end{frame} \begin{frame}{Practical implementation} \begin{itemize} \item Python code \item Reads asm / elf / symbol in elf \item Disassembly: \texttt{capstone} \item Semantics: \texttt{VEX} (aka Valgrind) \end{itemize} \begin{center} $\leadsto$ fast; supports many architectures \end{center} \end{frame} \begin{frame}{Limitations} \begin{itemize} \item Randomness may generate false positives \begin{itemize} \item Very unlikely: $2^{64}$ vs. $\sim~10^{4}$ \item If needed, amplify (run twice) \end{itemize} \item No false negatives caused by randomness, however \bigskip \item Unaware of context: \emph{assumes no pointers alias} \begin{itemize} \item Intrinsic limitation of block-based code analyzers \item Future works: abstract interpretation? \end{itemize} \end{itemize} \end{frame} \begin{frame}{Evaluation: coverage} \begin{itemize} \item Baseline: instrumentation (extract deps at runtime) \item On all \cesasme{} benchmarks \end{itemize} \begin{minipage}{0.4\textwidth} \[ \cov_u = \frac{\card{\text{found}}}{\card{\text{found}}+\card{\text{missed}}} \] \end{minipage}\hfill \begin{minipage}{0.4\textwidth} \[ \cov_w = \frac{\sum_{d\in\text{found}}\rho_d} {\sum_{d\in\text{found}~\cup~\text{missed}}\rho_d} \] \end{minipage} \vfill \begin{center} \begin{tabular}{r r} \toprule $\cov_u$ (\%) & $\cov_w$ (\%) \\ \midrule \alert{94.4} & \alert{98.3} \\ \bottomrule \end{tabular} \end{center} \end{frame} \begin{frame}{Evaluation: use in \uica} \begin{columns} \column{\dimexpr\paperwidth-8pt} \centering \begin{minipage}[c]{0.57\textwidth} \centering \footnotesize \begin{tabular}{l l r r r r} \toprule \textbf{Dataset} & \textbf{Bencher} & \textbf{MAPE} & \textbf{Median} & \textbf{$K_\tau$}\\ && (\%) & (\%) & \\ \midrule \multirow{2}{*}{Full} & \uica{} & 29.59 & 18.26 & 0.58\\ & + \staticdeps{} & 19.15 & 14.44 & 0.81\\ \midrule \multirow{2}{*}{Pruned} & \uica{} & 18.42 & 11.96 & 0.80\\ & + \staticdeps{} & 18.77 & 12.18 & 0.80\\ \bottomrule \end{tabular} \end{minipage} \hfill \begin{minipage}[c]{0.4\textwidth} \centering \includegraphics[width=0.98\textwidth]{uica_sd_boxplot.svg} \end{minipage} \end{columns} \end{frame}