ssrg-vt / dynacut

DynaCut: Dynamic and Adaptive Code Customization with Process Rewriting.

License: MIT License

Python 7.78% Makefile 2.03% C 83.36% Assembly 0.62% Perl 0.08% Shell 2.81% Java 3.15% CMake 0.18%
code-customization criu process-rewriting

dynacut's People

Contributors

mahurabhi, xjtuwxg

dynacut's Issues

Injecting the int3 and signal handler to lighttpd.

It is a one-click process to disable the PUT and DELETE methods in the CRIU image. Here is the todo list:

  • Write the script to find the location and inject int3 instruction to the PUT/DELETE method of the lighttpd.
  • Write the script to load the signal handler.

TODO list (not that emergent)

  • The tool does not work well on Ubuntu 18.04
  • We need to find a name for this project (PopSnapshot will be used by another student soon)
  • Apply googletest (https://github.com/google/googletest) to this project.
  • madvise system call -> pages may be swapped to disk; how to handle?
  • Generate trap list using a tool. No manual intervention

ELF issue on Ubuntu 18

Screenshot from 2021-02-05 11-47-31

The tool, when used with the snapshot image of a non-statically linked binary, throws up an issue.

The process rewriting example is not clear

In this README, it's not clear what the signal restorer address is and how to find it. Is it possible to script everything?

Is it possible to only specify the libhandler.so with its path as one parameter? Something like: -sighandler /home/abhijit/criu-dump/elf_loader/libhandler.so

sudo ~/SSRG/PopSnapshot/criu_modified/crit/crit ash -d . -dl /home/abhijit/criu-dump/elf_loader -name libhandler.so -ha 0x7f0000001139 -ra 0x7f5ace2c3210 -vsa 0x7f0000000000

Removing the lighttpd PUT method by modifying the CRIU image

Task: Remove the lighttpd PUT or POST feature by rewriting the CRIU image.

  • Find the function used by the lighttpd PUT method.
  • Given a lighttpd binary, find the address of that function.
  • Given a lighttpd CRIU image, wipe out the function memory with nop or int3.

Expect to see:

  • You can use HTTP GET method to retrieve webpages from the lighttpd server.
  • But when you use the HTTP PUT method to send data to the webserver, it fails (e.g., server crash).

[1] https://www.w3schools.com/tags/ref_httpmethods.asp

Performance evaluation

  • Micro benchmark: Evaluate the overhead of the process rewriting operation on Nginx, Redis, Lighttpd, SQLite, SPEC. They have different code memory sizes.
  • Measure the throughput slowdown when applying the process rewriting to the running application under the workload.
  • Measure the BB size (number) that is removed by DynaCut.
  • List the features removed?
  • CVE check?

TODO list (for recycling the paper)

  • Fig 1: add color for init code (R2)
  • Add a comparison table for DynaCut vs. related works (R1)
  • Add a graph of code coverage (y-axis) changes over time (x-axis), which can be compared against existing works. (R1)
  • Improve the init BB identification
  • Correctness of the code removal.
  • Different config file vs. debloating

BUG: crit addvma does not work

Commit: 9355387

BUG 1: Directory needs '/'

❯ ./criu_modified/crit/crit addvma -d simple.checkpoint.deedbeef -sa 0x1000 -ea 2000 -rs 1
Traceback (most recent call last):
  File "./criu_modified/crit/crit", line 6, in <module>
    cli.main()
  File "/home/xiaoguang/git_repo/github/PopSnapshot/criu_modified/crit/pycriu/cli.py", line 418, in main
    opts["func"](opts)
  File "/home/xiaoguang/git_repo/github/PopSnapshot/criu_modified/crit/pycriu/cli.py", line 55, in addvma
    pycriu.add_vmas.add_vma_regions(start_address, end_address, nr_pages, directory)
  File "/home/xiaoguang/git_repo/github/PopSnapshot/criu_modified/crit/pycriu/add_vmas.py", line 83, in add_vma_regions
    with open(str(filepath + pgmap_file[0]), mode='rb') as f:
IOError: [Errno 2] No such file or directory: 'simple.checkpoint.deedbeefpagemap-19652.img'

BUG 2: Not handling empty parameter case. I have no idea how to use the option addvma until I looked into the code.

❯ ./criu_modified/crit/crit addvma
Traceback (most recent call last):
  File "./criu_modified/crit/crit", line 6, in <module>
    cli.main()
  File "/home/xiaoguang/git_repo/github/PopSnapshot/criu_modified/crit/pycriu/cli.py", line 418, in main
    opts["func"](opts)
  File "/home/xiaoguang/git_repo/github/PopSnapshot/criu_modified/crit/pycriu/cli.py", line 55, in addvma
    pycriu.add_vmas.add_vma_regions(start_address, end_address, nr_pages, directory)
  File "/home/xiaoguang/git_repo/github/PopSnapshot/criu_modified/crit/pycriu/add_vmas.py", line 83, in add_vma_regions
    with open(str(filepath + pgmap_file[0]), mode='rb') as f:
IndexError: list index out of range
❯ ./criu_modified/crit/crit
usage: crit [-h] {decode,encode,info,x,show,addvma} ...
crit: error: too few arguments
❯ ./criu_modified/crit/crit info
usage: crit info [-h] in
crit info: error: too few arguments
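
Both tracebacks above come from the same two gaps: the checkpoint path is built by string concatenation, and `addvma` runs without its options. The sketch below is an added example, not the project's pycriu code; `find_pagemap`, `hex_addr` and `parse_addvma` are hypothetical names, and only the option letters (`-d`, `-sa`, `-ea`, `-rs`) are taken from the command in the report.

```python
import argparse
import glob
import os


def find_pagemap(directory):
    """Return the first pagemap-<pid>.img in a checkpoint directory."""
    if not os.path.isdir(directory):
        raise FileNotFoundError(f"not a directory: {directory!r}")
    # os.path.join inserts the separator, so a trailing '/' is optional
    matches = sorted(glob.glob(os.path.join(directory, "pagemap-*.img")))
    if not matches:
        raise FileNotFoundError(f"no pagemap-*.img under {directory!r}")
    return matches[0]


def hex_addr(text):
    # accepts both "0x1000" and "2000", as in the command from the report
    return int(text, 16)


def parse_addvma(argv):
    parser = argparse.ArgumentParser(prog="crit")
    sub = parser.add_subparsers(dest="cmd", required=True)
    add = sub.add_parser("addvma", help="add a VMA to a checkpoint image")
    add.add_argument("-d", dest="directory", required=True,
                     help="checkpoint directory")
    add.add_argument("-sa", dest="start", type=hex_addr, required=True,
                     help="start address (hex)")
    add.add_argument("-ea", dest="end", type=hex_addr, required=True,
                     help="end address (hex)")
    # the page does not say what -rs means; kept as an opaque integer
    add.add_argument("-rs", dest="rs", type=int, required=True)
    opts = parser.parse_args(argv)   # missing options exit with usage text
    if opts.end <= opts.start:
        add.error("-ea must be greater than -sa")
    return opts
```

With this shape, `crit addvma` with no options exits with a usage message instead of an `IndexError`, and the directory works with or without a trailing slash.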

Build the basic capability of process editing

We need a (python) tool similar to crit to edit the CRIU saved files. With that tool we can have the following capabilities:

  • Find out the mapped pages and unmapped pages. Please show each VMA first, the following line shows the mapped VMA (pages).
  • Find out all mapped code pages, and unmapped code pages.
  • Find out all stack pages, mapped and unmapped.
  • Find out all heap pages, mapped and unmapped.
  • Modify a global variable's value. Given that variable's offset in the ELF binary, locate the offset in pages.img and update the value in pages.img.
  • Create a new VMA (page), when restoring the image, that VMA should be newly created (added to the process).
  • Disassemble the code in pages.img and reassemble the code into the raw data. Using capstone or dynamorio.
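
The step shared by this issue ("locate the offset in pages.img") and the earlier PUT-removal task ("wipe out the function memory with nop or int3") is translating a virtual address into a byte offset in the pages image. The following is an added example, not code from the DynaCut repository. It assumes a full (non-incremental) dump with 4 KiB pages, so every pagemap entry's pages are stored back to back in one image, and it uses the `vaddr` / `nr_pages` / `pages_id` fields as printed by `crit decode`; the sample entries and addresses are constructed.

```python
PAGE_SIZE = 4096
INT3 = 0xCC  # x86 one-byte breakpoint opcode


def _addr(value):
    # crit prints addresses as hex strings; accept plain ints too
    return int(value, 16) if isinstance(value, str) else value


def vaddr_to_offset(entries, vaddr):
    """Byte offset of vaddr inside the pages image, or None if not dumped."""
    offset = 0
    for entry in entries:
        if "vaddr" not in entry:      # header entry holding pages_id
            continue
        start = _addr(entry["vaddr"])
        size = entry["nr_pages"] * PAGE_SIZE
        if start <= vaddr < start + size:
            return offset + (vaddr - start)
        offset += size                # pages are stored back to back
    return None


def patch_int3(pages, entries, start, end):
    """Fill [start, end) with int3 in the bytearray `pages`; return bytes written."""
    spans, addr = [], start
    while addr < end:
        off = vaddr_to_offset(entries, addr)
        if off is None:
            raise ValueError(f"{addr:#x} is not backed by a dumped page")
        # never cross a page boundary: the next page may sit elsewhere
        chunk = min(end - addr, PAGE_SIZE - addr % PAGE_SIZE)
        spans.append((off, chunk))
        addr += chunk
    for off, chunk in spans:          # write only after every page resolved
        pages[off:off + chunk] = bytes([INT3]) * chunk
    return sum(chunk for _, chunk in spans)


# Constructed sample: two code pages and one page at a high address.
SAMPLE_ENTRIES = [
    {"pages_id": 1},
    {"vaddr": "0x400000", "nr_pages": 2},
    {"vaddr": "0x7f0000000000", "nr_pages": 1},
]

if __name__ == "__main__":
    image = bytearray(b"\x90" * (3 * PAGE_SIZE))
    n = patch_int3(image, SAMPLE_ENTRIES, 0x400FF8, 0x401008)
    print(n, hex(vaddr_to_offset(SAMPLE_ENTRIES, 0x7F0000000010)))
```

Resolving every page before writing means a range that runs into an undumped page leaves the image untouched rather than half patched.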

Refactor the crit commands.

Currently, the naming of crit feature cutting is unclear. Rename it as ./crit edit insert {sighandler,int3} ...

Injecting a new sighandler wrong

Injecting a new signal handler with a new put libc call got an error.

#include <stdio.h>
#include <unistd.h>
#include <signal.h>
#include <stdlib.h>

void trap_handler(int sig)
{
    printf("--- Printing ---\n");
    printf("The signal is: %d\n", sig);
    exit(1);
}

When updating the rewriting process (-ha), the kernel captured the int3, not the signal handler.

❯ ./criu_modified/crit/crit ash -d ./my_dump -dl /home/xiaoguang/works/proc-edit/PopSnapshot/tests/handler_example \
-name sighandler.so -ha 0x7f0000001159 -ra 0x7f5ace2c3210 -vsa 0x7f0000000000

The json file is also updated:

❯ cat my_test1/plt-file.json
{
    "entries":[
        {
            "name": "puts",
            "libc_offset": "0x875a0",
            "plt_address": "0x4018"
        },
        {
            "name": "printf",
            "libc_offset":"0x64e10",
            "plt_address":"0x4020"
        },
        {
            "name": "exit",
            "libc_offset":"0x49bc0",
            "plt_address":"0x4028"
        }
    ]
}
