Abstract
Control-flow reconstruction is a critical part of many security, profiling and analysis mechanisms.
A challenging limitation of previous works is that they do not support tracing in JIT environments.
Existing mechanisms for obtaining the control flow of a process include the use of
instrumentation, either dynamic or static. However, these approaches suffer from certain
drawbacks.
Obtaining the control flow through dynamic instrumentation during the execution of a process
imposes severe slowdowns, while static instrumentation can lead to inaccurate results. We
leverage Intel Processor Trace (Intel PT), a new hardware feature of modern Intel CPUs, to acquire
the control flow of a process correctly while at the same time minimizing the impact on
performance.
Previous works have shown the effectiveness of using Intel PT to reconstruct the
control flow of a process. However, to the best of our knowledge, none of them has attempted
to perform control-flow reconstruction on a process executing inside a JIT environment. To
showcase our mechanism in JIT environments, we trace the execution of a process running under the
Intel Pin dynamic instrumentation framework. To achieve this, we implemented a custom Intel PT driver
and a new decoder that enables us to reconstruct the control flow at runtime rather than after the
process has completed. This approach imposes significantly less overhead than
dynamic binary instrumentation, while being more accurate than static instrumentation.
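As an added illustration (my own code, not the thesis's decoder or driver) of the core step behind the runtime reconstruction described above: Intel PT records only branch outcomes, so a decoder has to replay those bits over the code's control-flow graph, which must therefore be available at decode time (the property a JIT breaks, since its code is generated while the process runs). The CFG, addresses and packet bytes are constructed, and the short-TNT packet layout is my reading of the Intel SDM, not something the abstract states.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

def decode_short_tnt(byte: int) -> List[bool]:
    """Decode one short TNT packet into branch outcomes, oldest branch first.
    Layout as I read it in the Intel SDM (an assumption, not from the thesis):
    bit 0 is 0, the highest set bit is a stop bit, and the bits below it hold
    the taken (1) / not-taken (0) outcomes of up to six conditional branches."""
    if byte & 1:
        raise ValueError("not a short TNT packet")
    bits = byte >> 1
    if bits == 0:
        raise ValueError("TNT packet without stop bit")
    n = bits.bit_length() - 1              # outcome bits below the stop bit
    payload = bits & ((1 << n) - 1)
    return [bool((payload >> (n - 1 - i)) & 1) for i in range(n)]

@dataclass
class Block:
    fallthrough: Optional[int]   # None: ends in an unconditional jump or ret
    taken: Optional[int]         # None: ends in ret

# Constructed CFG of a tiny loop (hypothetical addresses):
#   0x1000: loop test; conditional branch to 0x1020 (exit), else fall into 0x1010
#   0x1010: loop body; unconditional jmp back to 0x1000 (PT emits no packet for it)
#   0x1020: ret
CFG: Dict[int, Block] = {
    0x1000: Block(fallthrough=0x1010, taken=0x1020),
    0x1010: Block(fallthrough=None, taken=0x1000),
    0x1020: Block(fallthrough=None, taken=None),
}

def reconstruct(cfg: Dict[int, Block], start: int, packet: int) -> List[int]:
    """Replay the packet's TNT outcomes over the CFG; return the block sequence."""
    outcomes = decode_short_tnt(packet)
    path, ip, used = [start], start, 0
    while True:
        blk = cfg[ip]
        if blk.taken is None:                # ret: end of the traced region
            return path
        if blk.fallthrough is None:          # unconditional jump: no TNT bit used
            ip = blk.taken
        else:                                # conditional branch: consume one bit
            if used == len(outcomes):        # trace ends with a branch unresolved
                return path
            ip = blk.taken if outcomes[used] else blk.fallthrough
            used += 1
        path.append(ip)
```

With packet 0x12 (outcomes not-taken, not-taken, taken) the loop body is replayed twice before the exit branch is followed; the same bits are meaningless without the CFG, which is why a JIT's freshly generated code has to be known to the decoder.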
Finally, we evaluate the correctness of our mechanism and measure its performance by running
the SPEC2006 benchmark suite. Our results indicate that the overhead imposed by our mechanism is
marginally lower than that of previously developed mechanisms, while the control flow is accurately
reconstructed.