| Date post: | 08-Jan-2018 |
| Category: |
Documents |
| Upload: | melinda-walsh |
| View: | 216 times |
| Download: | 1 times |
Rémi Douence, Thomas FritzNicolas Loriant, Jean-Marc MenaudMarc Ségura-Devillechaise, Mario
Südholt
OBASCO groupEMN/INRIA
An expressive aspect language for system
applications with Arachne
2
Outline
Why another aspect system?How to program with Arachne? How does Arachne work?How fast are Arachne aspects?
3
Aspects for adapting legacy applications
● Adaptation and evolution usually mismatch with the original program architecturelegacy C applications
● Difficult to anticipate adaptation and evolution
● How to adapt, evolve an application?Highly available server, waste of money/resources
● Can AOP help?
4
Three concerns from the squid web cache
Switching network protocols uses UDP instead of TCP when safe to improve
performance
Buffer overflows programming error where data written in an array (ie
buffer) exceeds the array size often exploited by hackers (Slammer, Code Red,...) crosscutting: all squid source files use buffers
Prefetching predict the page that the user will access and download
before the user asks for it
5
Motivations for a new aspect system
in the imperative world of C-written applications: sequence of events in the execution of the base program
Weaving:needs to be dynamiccan not be anticipatedshould not suspend the base program execution
Efficiencyadaptation often occurs for performance reasons
6
Outline
Why another aspect system?How to program with Arachne?How does Arachne work?How fast are Arachne aspects?
7
Sequence instances
Buggy base program:char* two = malloc(2); gets(two);/*fills one with input typed by the user*/free(two);char* one = malloc(1);gets(one);/*fills two with input typed by the user*/free(one);
Sample naive gets implementation (standard C library):
char* gets(char* buffer) {int i=0; do { buffer[i]=getchar(); i++;} while(buffer[i]!='\n'); buffer[i-1]='\0'; return buffer;
}
8
The problem: relating events
Execution trace when user types “A”create two, a one character long buffer [two=malloc(2)]call gets, buffer now alias two [gets(two)]
set i to 0 [int i=0;]read A [getchar()]put A in two at index 0 [buffer[i]=...] Ok set i to 1 [i++]compare with \n [buffer[i]!='\n']put O in two at index 1 [buffer[i]=...] Ok
9
Sequence instances
Execution trace when user types “A” then “OP”create two a 2 characters buffer [two=malloc(2)address 0x800]call gets, buffer now alias two [gets(two)] ...
put A in two at index 0 [buffer[i]=...], ...put \n in two at index 1 [buffer[i]=...], ...replace \n by \0 in two at index 1 [buffer[i-1]='\0'],...
destroy two a 2 characters buffer [free(two)]create one a 1 characters buffer [one=malloc(1)address 0x800]call gets, buffer now alias one [gets(one)] ...
put O in one at index 0 [buffer[i]=...], ...put P in one at index 1 [buffer[i]=...],...
10
A solution: aspect detecting overflowseq(call(void* malloc(size_t))&& args(size)
&& return(buffer);
/*possibly other events in between*/
write(buffer)&& size(newSize) && if(newSize>size))
then reportOverflow(buffer);*
/*possibly other events in between*/
call(void free(void*))&& args(array) && if(buffer==array));
);
11
Advice definition (around semantic)
seq(call(void* malloc(size_t))&& args(size) && return(buffer);
write(buffer)&& size(newSize) && if(newSize>size)) then reportOverflow(buffer);*
call(void free(void*))&& args(array) && if(buffer==array));
);
12
Defining the steps of the sequence
A step has the form pointcut [then advice]opt ; [*]opt
with * the pointcut can match 0 or n times
A step has a pointcut defined with:● call: direct function calls ● cflowstar, cflow: sequence of nested function calls● readGlobal, writeGlobal: global variable accesses● read, write: memory accesses
Each step can retain some information about its joinpoint: args, return, size ...if can be used to test against this information
Possible to write sequence less aspect
13
Relating events through time: start
seq(call(void* malloc(size_t))&& args(size)
&& return(buffer);
write(buffer)&& size(newSize) && if(newSize>size)) then
reportOverflow(buffer);*
call(void free(void*))&& args(array) && if(buffer==array));
);
14
Relating events through time: step 2
seq(call(void* malloc(size_t))&& args(size)
&& return(buffer);
write(buffer)&& size(newSize) && if(newSize>size)) then
reportOverflow(buffer);*
call(void free(void*))&& args(array) && if(buffer==array));
);
15
Relating events through time: end
seq(call(void* malloc(size_t))&& args(size)
&& return(buffer);
write(buffer)&& size(newSize) && if(newSize>size)) then
reportOverflow(buffer);*
call(void free(void*))&& args(array) && if(buffer==array));
);
16
Relating events through data
seq(call(void* malloc(size_t))&& args(size)
&& return(buffer);
write(buffer)&& size(newSize) && if(newSize>size)) then
reportOverflow(buffer);*
call(void free(void*))&& args(array) && if(buffer==array));
);
17
Outline
Why another aspect system?How to program with Arachne?How does Arachne work?How fast are Arachne aspects?
18
The Arachne aspect system: core features
Weaver for x86/Linux/C applicationInternally rewrites binary code
Weaving and deweaving are fully dynamicWeaving and deweaving are directed by the end userNo need to “prepare” the base programCompatible with threaded applications
19
Weaving process
Arachnerewriting
thread
codeanalysis
binarycode
rewritingaspectactivation
Weaving request
compiled aspect loading
Arachneinjection
Base programprocess
20
Outline
Why another aspect system?How to program with Arachne?How does Arachne work?How fast are Arachne aspects?
21
Evaluation on real application: method
Goal compare the overhead of using Arachne to
editing/recompiling the source code to adapt an application
MethodAdd prefetching to squid by
editing/recompiling its source codeweaving Arachne aspect
Use a well known benchmark (polygraph)Report the performance variations between versions
22
-2
-1
0
1
2
3
4
5
Variations (%)
Experiment 1 0 1.2 0.2 -0.6 -0.6 1.9Experiment 2 -0.17 -1 1.8 3.8 0.7 0
Through-put
Response time
Miss response
time
Hit response
timeHit ratio Errors
Benchmark 1Benchmark 2
Results
23
ConclusionPractice suggested
need for aspect constructs relating eventsneed for dynamic weaving
The Arachne aspect system:language to adapt applications
call, variable accesses, cflow, sequences towards a formal semantic
weaver for adapting applicationsdynamic enforcement of continuous servicesupport of legacy C programs
without preparation of the base program
www.emn.fr/x-info/arachne
Questions?
25
Why another aspect language?
Single buffer overflow● Useful to correct a known
published bug
● Pointcut based on the name of the vulnerable buffer
● Action checks the access
● Solution = µDyner● state of the art aspect
language ● a dynamic weaver
Any buffer overflow● Useful when you do not trust
the base program program under hacker attacks…
● Pointcuts based on a sequence of events
● Buffer creation● Then access to the buffer
● Action checks the access
Solution = ?
26
The problem: buffer overflow
Buggy base program:char* in = malloc(1); gets(in);/*fills in with input typed by the user*/free(in);
Sample naive gets implementation (standard C library):
char* gets(char* buffer) {int i=0; do {
buffer[i]=getchar(); i++;} while(buffer[i]!='\n'); buffer[i-1]='\0'; return buffer;
}
27
The problem: relating events
Execution trace when user types “AOP”create in, a one character long buffer [in=malloc(1)]call gets, buffer now alias in [gets(in)]
set i to 0 [int i=0;]read A [getchar()]put A in in at index 0 [buffer[i]=...] Ok set i to 1 [i++]compare with \n [buffer[i]!='\n']put O in in at index 1 [buffer[i]=...] Bug
28
Number of matching instances1 2 53 4
5
10
200.
6 C
ycle
s
293.
2 C
ycle
s
380.
8 C
ycle
s
466.
3 C
ycle
sseq
577
Cyc
les
Ratio
readGlobal
Size of variable (bits)8 128643216
1000
2000
3000
2466
Cyc
les
2487
Cyc
les
2762
Cyc
les
3363
Cyc
les
4990
Cyc
les
Rat
iocflow28 C
ycle
s
228
Cyc
les 32
7 C
ycle
s
424
Cyc
les 52
2 C
ycle
s
1 2 53 4
10
20
30
Number of imbricated calls
Ratio Ratio
Arachne language constructs versus the speed of their C equivalent
29
Goalcompare the speed of Arachne with C
Method
ratio=
Base programvoid f() { return; }int main(int argc,
char**argv){startTimer();f(); /*joinpoint*/endTimer();
}
Aspectcall(void f())then f();
Arachne language constructs versus the speed of their C equivalents
runtime with the aspect
runtime without aspect
30
1
10
100
1000
10000
call seq cflow readGlobal read
ResultsRatio Ratio
Pointcut
31
Mapping protocols
listen
accept
read
write
close
write
read
close
connect
socket
Server Client
TCP Protocol
socket
bind
close close
socket
Server Client
UDP Protocol
recvfrom
sendto recvfrom
socket
bind
NetworkNetwork
sendto
Time
32
Another aspect example
seq( call(int socket(…)) && args(…) && return(fd) then socket(…);
call(int connect(int,…)) && args(fd1,…) && if(fd1 == fd)
then returnZero();
( call(size_t read(int,…)) && args(fd2…) && if(fd2 == fd) then recvfrom(fd,…);
|| call(size_t write(int,…)) && args(fd3…) && if(fd3 == fd) then sendTo(fd,…); ) (*)
call(int close(int)) && args(fd4) && if(fd4 == fd) )
33
Arachne architecture
ARACHNE‘s Compiler
ARACHNE‘s Kernel
Manager
(provides weave/
unweave)
ARACHNE‘s Kernel DLL
Running Thread
Base Program Code &
Data
Process executing Base Program 1
ARACHNE‘s Runtime Environment
Loaded Rewriting DLL
Loaded Rewriting DLL
Loaded MetaData DLL
Loaded MetaData DLL
Aspects Aspect DLLs
wea
ve
Run
time
Aspe
ctC
ompi
le T
ime
Loaded Aspect DLL
Loaded Aspect DLL
Loaded Aspect DLL
34
Implementation model
shadow: rewritingsite replaced by a
x86 instruction
x86 instruction
x86 instruction
x86 instruction
execution flow
jump
Binary code of thecompiled base
program
and/or advicesResidue (dynamic tests)
Entry hooksave registers
Return hookRestore registers
instruction(s)Relocated tailored
updating registers
Base program process
Hooks generated at
weaving time
Legacy base binary code Aspect DLLgenerated at
aspect compile time
35
The future
Continue the exploration of efficient language constructs to relate events together
Extend Arachneto C++
in progress, already using an application to medical imaging
to the linux kernel
