ˇ ˘ ˇ ˆ ˇ ˇ˙evans/talks/utsa/utsa.pdf · 1 ˘ ˇ ˆ ˇ ˇ˙ ˘ ˇ ˆ. 2 ˛ˇ ˛˚ ˛˜˙ ˚...

1

��

��

�� !��!��"��!��#��

��$��"��

%�&�#��

��

��#�� #"��' ��(�%�&�#��")��#*�#��+ ��*��&��&��**��&��**�#��"��&��

' ,��*�"��*��+ �**�#��#*��#��&��&-��.��&��

' %�&�#��#��/%��0�12/3��4 0512/%� ��4��612/,��4

��612/7�4 ��612/,��8��4��612/9#��4 ��12/,��8��2��8��2�#$�� 1

!��

:��#��;��&�<��/,��42%%��61/7�42%%��61

' %��=��8��8�� "��&&��(��#��

' ��#��&�**�&�8��"��#��

+ :��"�� :�� #�*�� &��

"��

��&�<��

>��

�#��&��":�;

;��&�<��

��#��

��"��*%��

��"��*��#��*�

;��&�<��#��*�

$��

��&�<��

>��

:�;��#��8�

;��&�<��

��#��

��"��*��#��*�

;��&�<��#��*�

)�*��#�:�=��%��

,��8��)�*��#�%��

%��

:�;��"��

�� -$�*"��.?�� &�<��

@�� &�%�&��*� �&� ��&�� &�

��"��&*��"��-��*��A�;�� .

6��-��&�8�#��***��.

7��<�

A�;A�;��

6�B��

;��&�<��3#��

;:��/,�� 61%�*#&��/7��61

2

&��

?� ��#��:�;C

�*� �� 8��#�D&��#��E

��"��#&��F

G��(��3��,C��:��#��;��&�<��

:��H:A��#��&��#&2�#"#��!��H��*2��H��*>�#*!

'��

)�&��;��&�<��8

' ,�#��8��&�&��&�<��-��&��!�*!/%%��1.��B��8��

' %��&�*��8 ��8�"��:�;C

+ @��"��8��&#��8��"&��

+ H��**��*"#��

()��

:�;��8

��8%*��

:�;B��

:��I#��

%��E

��8%*�� %��I#�� :�;B��

��*�,��

((��

��;�J#��&��

' $#*��*��#��*� ��

' ��*��&�8��"#��

+ H��&�<��

+ @�8�*��8��J#��-��.

' ��*��

' %��*<��*�

+ @��8��&��B�*��

+ �� A�;

(��

��8:��

' ;� -��%6.��#��&��#��

+ KB��#��#��D"#��

+ ;��#��2*��8��

' ��* ��8��&��"��*��"

' 9)>B�-��,3�.�=#&��B�

+ �B��#��#��KD"#��

+ >��#��*��

' :��"#��#�#�** ��

3

(!��

9#&��8

$#*��*�,#��

�� ;��#��

��,-9)>.

��3�-B�.

��8�� )��8�

%��"#��#��*��

�KD��*�"#��B��#��

("��

:��&��*9#&��8

I#��"��L��D��&��

$#*��*�,#��

�� ;��#��

��,-9)>.

��3�-B�.��8�� )��8�

I#��"��&��8�

�� ;��#��

��,-9)>.��3�-B�.

��8�� )��8�

��%�-:H .

I#��

)��8�

($��

I#��#��&��

>��"��3�*��>��:��I#��

3�*��H�"��#��%��I#��

��M:��N,��

��M%��N,��

(%��

3�*��>��

' :�=��#��*��

+ 9)>B�

+ 9HOB�

' :�=��M��&*��N2*��#��#��#��*��

' :�=��"#��#��2�#��&��#��&��8��

(&��

3�*��>��+ I��H� �' %��"#��&��8#��"��#��

' ��=��"�M��&*��N��B��#��

+ %��"��*��

+ :��#�#�** ��

' ��#*��

+ H��**��*��*��&�#**��

�� ;��#��

��0�-H��>.��,-9)>.

��8�� )��8�

��3�-B�.

I#��

)��8�

(*��

3�*��>��+ ,��H� �

' 3�*��&+%��*=#&��#��

+��)(((��B)(((KKK

'+��&�*�&��

�KKKxyz� ��8��⇔ �KKKxyzP ��E' 6�"#��* ��*��

' ��#�Q��*"#��&��&��8

4

('��

��8

M%��O��N

�� ;��#��

��%�-:H .��0-H��9#&�.

32-b

itof

fset

(to ju

mp

to

orig

inal

re

turn

addr

ess)

��%�-:H .

��%�-:H .��%�-:H .

��%�-:H .��%�-:H .��D-��.��,-9)>.

' H��=#&��#��*��

+ ��#��#��&�**

+ H��*��

' ��%��%��#��#��"#��

�)��

��&��

RK�S��=#&��"��#��

4RQ��&��&��8

�6S ��&��

M%��O��N

�� ;��#��

��%�-:H .��0-H��9#&�.

32-b

itof

fset

(to ju

mp

to

orig

inal

re

turn

addr

ess)

��%�-:H .

��%�-:H .��%�-:H .

��%�-:H .��%�-:H .��D-��.��,-9)>.

�(��

��&��

' :&�*�&��8�"��#��#*��*�� ;:��/,�� !�*2��61+ )�&��&�<�� 8�E' #��3��(��&�<��

+ H��&��;:��' ��#��8��#��&��&�<��8�-��:�;�&�*�&�� #*��(��.

' ��8��0�T��&�+ ��&��&��(��#��#��*��=��H�@@�

��

��&��;�J#��

�660

��&��"��

��

K�K2D�K��&��

��"��

��0D��

�!��

��* �&�

�B��8�-%�*#&��

�&�*�&��.��L6S&��#��

��0DB��8�

��Q&��#��

��8��M:��"��#"�CN ��M:��#"�CN

�"��

?� &��8��C

' :�=��&�*�� :�;B��

+�� &U65D��

' %�� &�� 8��:�;B��

+��3��,��8��6�25�6��

+H��RQ��7��&��

5

�$��

)��*��FC

' $)G�� 62�6�2Q�K��

' 9��$)� K6�26�Q��

' )��8(�� )�5��2��*��

',��,- ())�.��

�%��

/��)��$)%�� push dword ebp mov ebp, WORM_ADDRESS + WORM_REG_OFFSET

pop dword [ebp + WORM_DATA_OFFSET] xor eax, eax ; WormIP = 0 (load from ebp + eax)

read_more_worm: ; read NUM_BYTES at a time until worm is donecld xor ecx, ecx mov byte cl, NUM_BYTESmov dword esi, WORM_ADDRESS ; get saved WormIPadd dword esi, eax mov edi, begin_worm_execrep movsb ; copies next Worm block into execution bufferadd eax, NUM_BYTES ; change WormIPpushad ; save register valsmov edi, dword [ebp] ; restore worm registersmov esi, dword [ebp + ESI_OFFSET] mov ebx, dword [ebp + EBX_OFFSET]mov edx, dword [ebp + EDX_OFFSET] mov ecx, dword [ebp + ECX_OFFSET]mov eax, dword [ebp + EAX_OFFSET]

begin_worm_exec: ; this is the worm execution buffernop nop nop nop nop nop nop nop nop nop nop nopnop nop nop nop nop nop nop nop nop nop nop nopmov [ebp], edi ; save worm registersmov [ebp + ESI_OFFSET], esi mov [ebp + EBX_OFFSET], ebxmov [ebp + EDX_OFFSET], edx mov [ebp + ECX_OFFSET], ecxmov [ebp + EAX_OFFSET], eaxpopad ; restore microVM register valsjmp read_more_worm

�&��

�� &��

"#��-��"��.&��8�

��8�&��8�

��&��

��"��

=&��*��8

*��)��$)��"��

�� &��"��

��B�� &

��#��#��

*�� &��"��

��)��$)��"��

#��G��&:>

�� &��#��

G��&:> ← �&��8��&��

�� &��.�

@��7�,��

5D��4��#��4 � ��H�@@UK��#"�

V00T��&�

)��$)

G��&��&#��*��8��

��#��#��-�� #��

��*��8��#��.

�*��

)�8��"9#&��

' G��*��8B ��*��=#&��

' ,�� &�*��8�

+ 3��&��*��82��"��"��*��8

+ ��G��&:> ��8

+%��*=#&�201�� &��

0�14�W��2�8��,2�/��4G�;):>X�33�� 1��

�'��

��*��"�G��&

' @��K��8��=��)��$)

+ )��&��6KK��2Q��&��

+ 3��#"�� &��*

' :�=��B�� &��

+ A�;�� 8�� 8��*��

+ :��H��>� ��H�@@�

' :�=��8��

+ H��"�� &

!)��

>��"��8�,��8��8;�J#��&��

' $#*��*��*�&��#*��*��

+ ;� ��**�#��*��"#�"�

' ��*��&�8��"#��

+ ;��&�<� ��

' ��*��

+ )��*��8��C

' %��*<��*�

+ ��"��*�8��A�;

6

!(��

,��*#��

' ��E

+7��"��&��

+ ��8��*��

' >��#�� #��*��"��#&��#��*��"#&��

!��

>�*"��">��H $��

��&��*��#��

9��(�>�*"��

?��(�>�*"��?��(�>�*"��

��8 ��,��%��29��8��2�� 3�*��2

9�� ?��2G�� ?#29��7��"��2

��H"#�� #��"2

9�� ;� ��**

!!��

�B$��&

:��#�->��*)�*��#�.

��$��)

��$��(

)��#��#�

>�*"��

!"��

HB$��>��"��&&��" ��

' )#*��*��&��"��&&��&�*�&��&��

' $��&��#*��*��&��&&��

' H�"#��&�&�&�8��&�&��8�

' ��&��#��&��**��#��

' )��&��#*��8

' I#��*��#*��#��*��

/��<�� Y%��2K0551

!$��

HB$��&3��&� ��8

' >�*"��+ ;��*��#��**��

' $��+ H ��&�*�&��&��

+ $��#��8��&�&��*��2��#��2��*��&��2��&��**�#&��2��#*��2��**��"��2F

$��

)

$��

(

)��>�*B"��

' )��

+ ��

+ ��*��*��#��*�**��"��

+ :��"�

!%��

$��;�J#��&��

' �� >��

��8��&��&��$��#��$��K��M��N-�� *��&��.

' H��&�*�J#��*��>��

��&�*��#��2��J#��*��

��(S0) ≡ �

�(S1)

��#�*��2�#��J#��*��

7

!&��

)�&��>��"

' $��

+ $��**�� )

+ $��K��**�� (

' H��&�*�J#��*��

+ )��&��

' ��>��

+ ��*#�� *��*��

!*��

9�

9H�

9,

9H,

9O

9HO

9)>

%�@@

F$�� $��,

9H�

9H,

9HO

%�@@

9�

9,

9O

9)>

:��#��>��"

!'��

:��#�� ""��"

' $��**��

+ $��"��)

+ $��K��"��(

+ ��#�B��&��8��&��

' @� B�� &��*��#��"��

/��2��*!2%I��61

' H��&�*�J#��*��;�&��"��

' ��>��

+ ��-��""��.��*��

+ :�=��-��*��.��#��

")��

� K�

%�&��"$��

)#��&�*�J#��*��

P1 P2 P3

)�&��

:��#�� "�

K K�

��&�&��8

��=��

"(��

:��%��:�=��8

' :�=��#��

' ��"��*��&��#��-A�;��"�� *#��>K ��>� .

' ;�*��=#&��#��=��2��&��

' G�� "CH��&�*�J#��*��*��8�� &��#*��*��#��

"��

:&�*�&��"HB$��&�

' %�&��""��*��

+ :��*��&��2��*"��2��

+ ��<��&#��&��&�*�J#��*��-��&��&.

+ >��&��*��- ��**��.��#"��#�-��*��.

' ��&�*�&��

+ ��8��-��<��*��.

+ 7��*&��-��*��.

8

"!��

:&�*�&��8��/��3�*��1

' >��-��.

' ��8��*��-��&��.

' G��#��*�**��J#��#��"��*��

' ��=#�� %>��J#��#&��&�*��

""��

6B$��&

��((

��

��

��!!��

:��#��&%*��

>�*"��

)��

�#��#��%*��

"$��

:&�*�&��7��*)��/,��%��1

' )��*��

' %�� 8��#��*�#��

' :��&��**��

+ �Q0��**��@��#�

+ %��8��&��&��**��

+ )�8��**��

' @� ��2*��8��*��

"%��

G��"��&%�**�' :��&��**�-�� *��.-�!"!2��2��2 ��.

+ )�8��**��2��&��#*��**��

' >��&��**�-�!"2��82��2 ��.

+ )�8��**��2��=#��"*

' ��*�

+ &&��&��"&�� 2��*�**� )�>X�H�HZ)��-��"&��&��*�.��)�>X>;:$� �- ��"��8��*�.

"&��

��&%�**G��&�*�ssize_t sys_read(int fd, const void *buf, size_t count) {

if (hasSibling (current)) { record that this variant process entered callif (!inSystemCall (current->sibling)) { // this variant is first

save parameterssleep // sibling will wake us upget result and copy *buf data back into address spacereturn result;

} else if (currentSystemCall (current->sibling) == SYS_READ) {// this variant is second, sibling is waitingif (parameters match) { // match depends on variation

perform system callsave result and data in kernel bufferwake up siblingreturn result;

} else {DIVERGENCE ERROR! }

} else { // sibling is in a different system call!DIVERGENCE ERROR! } }

...}

"*��

%#��#�

' %��#�� #��"��+ � ��8��"��*#��#��"��=��

' ��*�&�+ H��B��&��&2��

+ ��*��"��&�*�J#��*��

' %��+ ��&�*�&��2��2��&��@��!6

+ 7��*&��-��#**��2��#&��.

9

"'��

9� �

��

��#�

��

�*��&&��H:A��#�� *82G��,��*�"%��-��%��(�. ��#��#��#��

$)��

�#&&��

' >��#��"��*��+ ��#��&��

' 7��"��+ ;�&��8��8:�;B��LD&��#��

' HB��&��&� ��8��*�-�#��.��+ �� "��&��8

$(��

[#��C[#��C

@��8��@��8�� !��!��"��!��#�� !��!��"��!��#��

%��#��,��%��29��8%��#��,��%��29��8��2��2�� 3�*��3�*��22

9��9�� ?��2G��?��2G�� ?#?#29��29�� 7��"��2��7��"��2�� H��H�� *2��*2��H"#��H"#�� #��"2 #��"2H��H�� >�#*29��>�#*29�� ;� ��**;� ��**

3#��"�H�33#��"�H�3%�� #��%�� #��2��;>��;�2��;>��;�

ˇ ˘ ˇ ˆ ˇ ˇ˙evans/talks/utsa/utsa.pdf · 1 ˘ ˇ ˆ ˇ ˇ˙ ˘ ˇ ˆ. 2 ˛ˇ ˛˚ ˛˜˙ ˚...

Documents