Efficient, Transparent, and Comprehensive Runtime Code Manipulation

Derek Bruening
PhD Defense
August 26th, 2004

01: Efficient, Transparent, and Comprehensive Runtime Code Manipulation
02: Motivation: Computer Worms
03: Stages of a Worm Attack
04: Attacks Violate Execution Model
05: Constrained Execution Model
06: Protecting a Web Server
07: Possible Control Points
08: Runtime Code Manipulator
09: Design Goals
10: Design Goals + Customizable
11: Runtime Information Gathering
12: Runtime Code Manipulation
13: DynamoRIO
14: Contributions
15: Outline
16: Outline: Efficient
17: Basic Interpreter
18: Interpreter + Basic Block Cache
19: Linking Direct Branches
20: Linking Indirect Branches
21: Picking Traces
22: Base Performance
23: Where Is Time Spent?
24: Time Breakdown for SPECINT: DynamoRIO
25: Time Breakdown for SPECINT: Code Cache
26: Time Breakdown for SPECINT: Indirect Branches
27: Memory Usage
28: Added Memory + Application Code
29: Total Added Memory
30: Reducing Memory Usage
31: Software Code Cache Sizing
32: Single-Entry Eviction
33: Adaptive Sizing Algorithm
34: Adaptive Sizing Results
35: Outline: Transparent
36: Painful, But Necessary
37: Rule 1: Avoid Resource Conflicts
38: Rule 2: If It's Not Broken, Don't Change It
39: Example Transparency Violation
40: Rule 3: If You Change It, Emulate Original Behavior's Visible Effects
41: Cache Consistency
42: Detecting Code Changes
43: Invariant: Code Is Read-Only
44: Execute: Mark Read-Only
45: Write: Invalidate, Mark Writable
46: Non-Precise Flushing
47: Execute Again
48: Self-Modifying Code
49: Outline: Comprehensive
50: Above The Operating System
51: Kernel-Mediated Control Transfers
52: Challenge #1: Interception
53: Intercepting Linux Signals
54: Windows Messages
55: Intercepting Windows Messages
56: Challenge #2: Continuation
57: Callback Suspension Points
58: Challenge #3: Self-Interruption
59: Challenge #4: Kernel Emulation
60: Outline: Customizable
61: Clients
62: Example Client
63: Secure Execution Environment
64: Security Invariants of the Code Cache
65: Technique 1: Restricted Code Origins
66: Security Policies: Code Origins
67: Technique 2: Restricted Control Transfers
68: Technique 3: Un-circumventable Sandboxing
69: Unique Entry Points
70: Secure Execution Results
71: Related Work
72: Summary
73: Future Work: Limitations
74: Server Memory Usage
75: Future Work: Limitations
76: Future Work: Extensions
77: Real-World Impact
78: Acknowledgements