265 lines
7.9 KiB
TeX
265 lines
7.9 KiB
TeX
\section{\staticdeps: static extraction of memory-carried dependencies}
|
|
|
|
\begin{frame}[fragile]{Dependencies, through registers}
|
|
\begin{minipage}[c]{0.35\textwidth}
|
|
|
|
\begin{lstlisting}[language={[x86masm]Assembler}, numbers=none]
|
|
0: mov (%rax), (§\alert{\reg{rcx}}§)
|
|
...
|
|
3: add (§\alert{\reg{rcx}}§), %rdx
|
|
\end{lstlisting}
|
|
\end{minipage}\hfill
|
|
\begin{minipage}[c]{0.5\textwidth}
|
|
\begin{itemize}
|
|
\item Track register writes
|
|
\item Generate dependency upon read
|
|
\end{itemize}
|
|
\end{minipage}
|
|
|
|
\begin{center}
|
|
0 $\to$ 3 through \reg{rcx}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}[fragile]{Dependencies, loop-carried}
|
|
\begin{minipage}[c]{0.40\textwidth}
|
|
\begin{lstlisting}[language={[x86masm]Assembler}, numbers=none]
|
|
loop:
|
|
0: add %rcx, %rdx
|
|
...
|
|
3: mov (%rax), %rcx
|
|
6: jmp loop
|
|
\end{lstlisting}
|
|
\end{minipage}\hfill
|
|
\begin{minipage}[c]{0.1\textwidth}
|
|
$\longrightarrow$
|
|
\end{minipage}\hfill
|
|
\begin{minipage}[c]{0.40\textwidth}
|
|
\begin{lstlisting}[language={[x86masm]Assembler}, numbers=none]
|
|
0: add %rcx, %rdx
|
|
...
|
|
3: mov (%rax), (§\alert{\reg{rcx}}§)
|
|
0: add (§\alert{\reg{rcx}}§), %rdx
|
|
...
|
|
3: mov (%rax), %rcx
|
|
\end{lstlisting}
|
|
\end{minipage}
|
|
|
|
\begin{center}
|
|
3 $\to$ 0 through \reg{rcx}, \alert{loop-carried}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}[fragile]{Dependencies, through memory}
|
|
\begin{minipage}[c]{0.30\textwidth}
|
|
\begin{lstlisting}[language={[x86masm]Assembler}, numbers=none]
|
|
mov %r10, (§\alert{4(\reg{rax})}§)
|
|
add $4, %rax
|
|
add (§\alert{(\reg{rax})}§), %rbx
|
|
\end{lstlisting}
|
|
\end{minipage}\hfill
|
|
\begin{minipage}[c]{0.68\textwidth}
|
|
\begin{itemize}
|
|
\item Through memory: indirections, arithmetics, …
|
|
\item Requires comparison of arbitrary symbolic expressions
|
|
\medskip{}
|
|
\item Use randomness as a kind of hash table instead
|
|
\item Loop-carried: luckily, ROB is finite and small
|
|
\end{itemize}
|
|
\end{minipage}
|
|
|
|
\pause{}
|
|
\bigskip
|
|
\begin{center}
|
|
\textbf{Hypothesis:} pointers from context \alert{do not
|
|
alias}.\\
|
|
Compilers prefer passing a single pointer.
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{The \staticdeps{} algorithm}
|
|
\begin{itemize}
|
|
\item \alert{Unroll} kernel until $\card{\kerK} \geq \card{\text{ROB}} +
|
|
\card{\kerK_0}$
|
|
\item \alert{Simulate} execution
|
|
\item Unknown value (reg./mem.)? \alert{Sample} uniformly in $0\ldots2^{64}-1$
|
|
(\alert{``fresh''})
|
|
\item \alert{Compute arithmetics} normally (overflow is fine)
|
|
\item Float or unknown operands $\leadsto \alert{\bot}$
|
|
\item Upon write, remember from which instruction
|
|
\item Upon read, if writer known, \alert{generate dependency}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}[fragile]{An example: memoized Fibonacci sequence}
|
|
\begin{minipage}[c]{0.46\textwidth}
|
|
\begin{lstlisting}[language=C]
|
|
int fibo(int* F, int n) {
|
|
for(int i=2; i <= n; ++i) {
|
|
F[i] = F[i-1] + F[i-2];
|
|
}
|
|
return F[n];
|
|
}
|
|
\end{lstlisting}
|
|
\end{minipage}\hfill\begin{minipage}[c]{0.06\textwidth}
|
|
\contour{black}{$\longrightarrow$}
|
|
\end{minipage}\hfill\begin{minipage}[c]{0.40\textwidth}
|
|
\begin{lstlisting}[language={[x86masm]Assembler}, numbers=none]
|
|
0: mov (%rax),%edx
|
|
1: add 0x4(%rax),%edx
|
|
2: mov %edx,0x8(%rax)
|
|
3: add $0x4,%rax
|
|
4: cmp %rcx,%rax
|
|
5: jne 0
|
|
\end{lstlisting}
|
|
\end{minipage}
|
|
\end{frame}
|
|
|
|
\begin{frame}[fragile]
|
|
\vspace{1cm}
|
|
\newcommand{\unk}{{\color{gray}?}}
|
|
\newcommand{\h}{\cellcolor[HTML]{D0ECFF}}
|
|
\newcommand{\w}{\cellcolor[HTML]{d6bf86}}
|
|
\newcommand{\dep}[1]{{\color{red}#1\,$\to$}}
|
|
\begin{columns}
|
|
\column{\dimexpr\paperwidth-8pt}
|
|
\centering
|
|
\hfill\begin{minipage}{0.29\textwidth}
|
|
{\footnotesize
|
|
\begin{tabular}{c c c}
|
|
Mem. read\h & & Mem. write\w \\
|
|
\end{tabular}
|
|
}
|
|
\vspace{1em}
|
|
\vfill
|
|
\begin{lstlisting}[language={[x86masm]Assembler}, numbers=none]
|
|
0: mov (%rax),%edx
|
|
1: add 0x4(%rax),%edx
|
|
2: mov %edx,0x8(%rax)
|
|
3: add $0x4,%rax
|
|
4: cmp %rcx,%rax
|
|
5: jne 0
|
|
\end{lstlisting}
|
|
\end{minipage}\hfill
|
|
\begin{minipage}{0.69\textwidth}
|
|
\centering
|
|
\footnotesize
|
|
\begin{tabular}{c c c c c c c c c l}
|
|
\toprule
|
|
\textbf{After} & \multicolumn{2}{c}{\textbf{Registers}} &&
|
|
\multicolumn{5}{c}{\textbf{Memory}} & \textbf{Dep}\\
|
|
\textbf{instr} & \reg{rax} & \reg{edx}
|
|
&& \texttt{100} & \texttt{104} & \texttt{108} & \texttt{112} & \texttt{116} & \\
|
|
\midrule
|
|
Start & \unk& \unk&& \unk & \unk & \unk & \unk & \unk & \\
|
|
\midrule
|
|
\pause{}
|
|
0 & 100 & 200 && 200\h& \unk & \unk & \unk & \unk & \\
|
|
\pause{}
|
|
1 & 100 & 376 && 200 & 176\h& \unk & \unk & \unk & \\
|
|
\pause{}
|
|
2 & 100 & 376 && 200 & 176 & 376\w& \unk & \unk & \\
|
|
\pause{}
|
|
3 & \alert{104} & 376 && 200 & 176 & 376 & \unk & \unk{} & \\{} % Oskour.
|
|
4 & 104 & 376 && 200 & 176 & 376 & \unk & \unk & \\
|
|
\midrule
|
|
\pause{}
|
|
0 & 104 & \alert{176} && 200 & 176\h& 376 & \unk & \unk & \\
|
|
\pause{}
|
|
1 & 104 & \alert{552} && 200 & 176 & 376\h& \unk & \unk & \dep{-1,2}\\
|
|
\pause{}
|
|
2 & 104 & 552 && 200 & 176 & 376 & 552\w& \unk & \\
|
|
\midrule
|
|
\pause{}
|
|
0 & 108 & \alert{376} && 200 & 176 & 376\h& 552 & \unk & \dep{-2,2}\\
|
|
\pause{}
|
|
1 & 108 & \alert{928} && 200 & 176 & 376 & 552\h& \unk & \dep{-1,2}\\
|
|
\pause{}
|
|
2 & 108 & 928 && 200 & 176 & 376 & 552 & 928\w &\\
|
|
\bottomrule{}
|
|
\end{tabular}
|
|
\end{minipage}\hfill
|
|
\end{columns}
|
|
\let\unk\unefined
|
|
\let\h\unefined
|
|
\let\w\unefined
|
|
\let\dep\unefined
|
|
|
|
\end{frame}
|
|
|
|
\begin{frame}{Practical implementation}
|
|
\begin{itemize}
|
|
\item Python code
|
|
\item Reads asm / elf / symbol in elf
|
|
\item Disassembly: \texttt{capstone}
|
|
\item Semantics: \texttt{VEX} (aka Valgrind)
|
|
\end{itemize}
|
|
|
|
\begin{center}
|
|
$\leadsto$ fast; supports many architectures
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Limitations}
|
|
\begin{itemize}
|
|
\item Randomness may generate false positives
|
|
\begin{itemize}
|
|
\item Very unlikely: $2^{64}$ vs. $\sim~10^{4}$
|
|
\item If needed, amplify (run twice)
|
|
\end{itemize}
|
|
\item No false negatives caused by randomness, however
|
|
|
|
\bigskip
|
|
\item Unaware of context: \emph{assumes no pointers alias}
|
|
\begin{itemize}
|
|
\item Intrinsic limitation of block-based code analyzers
|
|
\item Future works: abstract interpretation?
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Evaluation: coverage}
|
|
\begin{itemize}
|
|
\item Baseline: instrumentation (extract deps at runtime)
|
|
\item On all \cesasme{} benchmarks
|
|
\end{itemize}
|
|
\begin{minipage}{0.4\textwidth}
|
|
\[
|
|
\cov_u =
|
|
\frac{\card{\text{found}}}{\card{\text{found}}+\card{\text{missed}}}
|
|
\]
|
|
\end{minipage}\hfill
|
|
\begin{minipage}{0.4\textwidth}
|
|
\[
|
|
\cov_w =
|
|
\frac{\sum_{d\in\text{found}}\rho_d}
|
|
{\sum_{d\in\text{found}~\cup~\text{missed}}\rho_d}
|
|
\]
|
|
\end{minipage}
|
|
|
|
\vfill
|
|
|
|
\begin{center}
|
|
\begin{tabular}{r r}
|
|
\toprule
|
|
$\cov_u$ (\%) & $\cov_w$ (\%) \\
|
|
\midrule
|
|
\alert{94.4} & \alert{98.3} \\
|
|
\bottomrule
|
|
\end{tabular}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Evaluation: use in \uica}
|
|
\begin{columns}
|
|
\column{\dimexpr\paperwidth-8pt}
|
|
\centering
|
|
\begin{minipage}[c]{0.5\textwidth}
|
|
\centering
|
|
\includegraphics[width=0.98\textwidth]{uica_sd_boxplot.svg}
|
|
\end{minipage}
|
|
\end{columns}
|
|
\end{frame}
|