Proceedings of ISP RAS


Application of software emulators to binary code analysis.

Dovgalyuk P.M., Makarov V.A., Padaryan V.A., Romaneev M.S., Fursova N.I.

Abstract

The paper describes the experience of using software emulators as a means of dynamic analysis of binary code. The emulator is considered as a machine-instruction-level tracer and as an interactive debugging tool. The paper describes a deterministic replay mechanism implemented in the QEMU emulator.

Deterministic replay is the process of reproducing a program execution from pre-recorded input. To replay the execution of a program in a virtual machine, recording of all nondeterministic events to a journal was implemented. Such events are real-time clock readings and messages from the keyboard, mouse, sound and network cards. Currently the deterministic replay mechanism works in a modified version of QEMU 1.5 and supports the x86 and ARM platforms.

Tracing is used to solve binary code analysis problems, but it slows the system down, so it is easier to perform during deterministic replay. A trace is a sequence of executed instructions and processor states (including register values). Each pair "executed instruction - register values" is called a trace step. Currently tracing is implemented for the x86 and ARM platforms. The trace does not contain information about memory reads and writes, so logging of hard disk drive accesses was implemented.
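As an added illustration (not code from the paper or from QEMU), the following toy Python model shows the record/replay idea described above: a hypothetical VM journals each nondeterministic input (clock, keyboard) together with the trace step at which it was consumed, replays the run from that journal with no real devices attached, and yields a trace of (instruction, register values) steps that can be compared with the recorded one; a mismatch between journal and replay raises an error.

```python
import itertools
from dataclasses import dataclass, field

@dataclass
class Journal:
    """Journal of nondeterministic events: (trace step, kind, value)."""
    events: list = field(default_factory=list)

class ToyVM:
    """Hypothetical VM: 'rdtsc' and 'in_kbd' are the nondeterministic instructions."""
    def __init__(self, mode, journal, clock=None, keyboard=None):
        self.mode, self.journal = mode, journal          # "record" or "replay"
        self.clock, self.keyboard = clock, keyboard      # real sources (record mode only)
        self.step = 0
        self.regs = {"acc": 0, "inp": 0}
        self.trace = []                                  # trace steps: (instruction, registers)

    def _input(self, kind, source):
        if self.mode == "record":
            value = source()                             # read the real device
            self.journal.events.append((self.step, kind, value))
            return value
        # Replay: the journal must deliver the same kind of event at the same step.
        step, jkind, value = self.journal.events.pop(0)
        if (step, jkind) != (self.step, kind):
            raise RuntimeError(f"replay diverged at step {self.step}: journal has {jkind}@{step}")
        return value

    def run(self, program):
        for instr in program:
            if instr == "rdtsc":
                self.regs["inp"] = self._input("clock", self.clock)
            elif instr == "in_kbd":
                self.regs["inp"] = self._input("keyboard", self.keyboard)
            elif instr == "add":
                self.regs["acc"] = (self.regs["acc"] + self.regs["inp"]) & 0xFFFFFFFF
            self.trace.append((instr, dict(self.regs)))  # one trace step per instruction
            self.step += 1
        return self.trace

PROGRAM = ["rdtsc", "add", "in_kbd", "add", "rdtsc", "add"]  # constructed sample program

def record_and_replay():
    clock = itertools.count(1000, 37).__next__           # constructed "real" clock
    keys = iter([0x41])                                  # constructed keyboard input
    journal = Journal()
    recorded = ToyVM("record", journal, clock, lambda: next(keys)).run(PROGRAM)
    replayed = ToyVM("replay", Journal(list(journal.events))).run(PROGRAM)
    return recorded, replayed, journal
```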

Deterministic debugging is a way to find errors in nondeterministic applications in which nondeterminism is eliminated by recording a scenario of system operation. By means of deterministic replay, nondeterministic debugging becomes deterministic, strongly reducing the time spent on localizing defects in the program and describing them.

Reverse debugging is the ability to examine past states of the program. In our case the entire virtual machine is considered the program being debugged.

The QEMU emulator includes a mechanism that lets the GNU debugger connect to the virtual machine and control the execution process. The GNU debugger supports reverse debugging commands such as reverse-step and reverse-continue.

Keywords

emulator, dynamic analysis, deterministic replay, reverse debugging

Edition

Proceedings of the Institute for System Programming, vol. 26, issue 1, 2014, pp. 277-296.

ISSN 2220-6426 (Online), ISSN 2079-8156 (Print).

DOI: 10.15514/ISPRAS-2014-26(1)-9
