57 results about "Dynamic instrumentation" patented technology

Program code loaded for execution by a computer can be dynamically instrumented to collect event data by inserting an instruction at a trace point within the program code as loaded in a memory space of a computer, where the trace point corresponds to the beginning of a predefined function of the program selected for event tracing. The instruction provides for the direction of the execution of said computer to a function proxy routine, which includes a call to an instance of the predefined function. Event data is collected in connection with the calling of the instance of the predefined function.

Method and apparatus for dynamic instrumentation of an executable application program. The application program includes a plurality of functions, each function having an entry point and an endpoint. When the application is executed, a shared memory segment is created for an instrumentation program and the application program. Upon initial invocation of the original functions in the application program, corresponding substitute functions are created in the shared memory segment, the substitute versions including instrumentation code. Thereafter, the substitute functions are executed in lieu of the original functions in the application program.

Techniques for analyzing software in which un-instrumented components can be discovered and conditionally instrumented during a runtime of the software. Initially, software such as an application can be configured with a baseline set of instrumented components such as methods. As the application runs, performance data gathered from the instrumentation may indicate that the performance of some methods is below expectations. To analyze this, any methods which are callable from a method at issue are discovered, such as by inspecting the byte code of loaded classes in a JAVA Virtual Machine (JVM). To limit and focus the diagnosis, the instrumentation which is added to the discovered components can be conditional, so that the instrumentation is executed only in a specified context. The context can involve, e.g., a specified sequence of components in which a discovered component is called, and/or transaction data in which a discovered component is called.

Described is an application program interface (API) that enables dynamic modification to applications executing in a heterogeneous distributed computing environment. The application program interface includes a navigation function, a query function, a thread management function, and a modifier function. The navigation function returns program information for a local or remote computer (i.e., specified computing device). The query function returns information about a program on the specified computing device. The thread management function controls execution of other programs on the specified computing device. The modifier function modifies a system memory on the specified computing device that stores the heterogeneous program. The API works in conjunction with a hierarchical intermediate representation of the heterogeneous program such that pre-defined program tools can modify the intermediate representation and write these modifications to the specified computing device while the heterogeneous program remains operational.

An apparatus and method are provided for the dynamic instrumentation of code to minimize system perturbation during tracing of the execution of the code. With the apparatus and method, “hot spots” in the execution of the code are dynamically determined during tracing of the execution of the code. These “hot spots” are dynamically instrumented, i.e. an event hook is inserted, to cause control to be passed to a handler that determines a caller of the “hot spot” method. The method that called the “hot spot” method, or “caller” method, is identified from a call stack and is dynamically instrumented for an appropriate metric so that the next time the calling method is executed, the dynamically inserted hooks are executed. The execution of the hooks in the caller method is continued for a predetermined period, e.g., number of invocations, to get an understanding of the caller method's characteristics. A list of callers of instrumented methods is maintained and used to determine one or more calling methods of the instrumented caller method. One or more of these calling methods may be instrumented and the hooks inserted in the instrumented caller method (called by the one or more calling methods), are removed. In this way, the call graph of the hot spots of a program execution is “walked up” and characterized over time.

The present invention provides a method, apparatus, and computer instructions for dynamic intermediate code transformation in a mixed mode compiler. In an exemplary embodiment, an object code compiler of a virtual-machine, such as the just-in-time (JIT) compiler (415) of a Java virtual machine (JVM), takes loaded classes and compiles these into object code (416). A JIT-enabled dynamic instrumentation (JEDI) interface (420) provides information to an application (e.g., a tool with a GUI), and passes requests for transformation to the JIT (415) and class-loader (410). If loaded, JEDI controls the JIT compiler (415) to compile and transform the class into object code. Thus, dynamically transformed object code is produced without transformation or re-loading of the loaded classes.

A technique for analyzing software in which un-instrumented components can be discovered and dynamically instrumented during a runtime of the software. Initially, an application configured with a baseline set of instrumented components such as methods. As the application runs, performance data is gathered from the instrumentation, and it may be learned that the performance of some methods is an issue. To analyze the problem, any methods which are callable from a method at issue are discovered by inspecting the byte code of loaded classes in a JAVA Virtual Machine (JVM). Byte code of the class is parsed to identify opcodes which invoke byte code to call other methods. An index to an entry in a constants pool table is identified based on an opcode. A decision can then be made to instrument and/or report the discovered methods.

A failsafe mechanism for installing and removing temporary instrumentation during a runtime of an application. Initially, an application is configured with a baseline set of instrumented components such as methods. Additional instrumentation is then deployed in the application, such as to diagnose a performance problem. The failsafe mechanism ensures that the additional instrumentation is automatically removed, even when there is an interruption in a communication link to the application, a computing device failure, a software failure, or some other type of failure, which renders it impossible to manually roll back the instrumentation from a remote user interface. The failsafe mechanism can be provided using callbacks between the computing devices which detect when a connection is unexpectedly lost or closed. Termination of one callback can cascade to one or more other callbacks. The instrumentation rollback can involve reloading un-instrumented byte code of the application.

The invention relates to a software analysis method belonging to the technical field of computers, and particularly relates to a software fault analysis method based on multi-sample difference comparison. The method comprises the steps as follows: (1) executing disassemble and dynamic instrumentation of an analyzed program; (2) tracking and recording an execution instruction flow of a program to be analyzed and constructing control flow graphs of the program, which take a basic block as the minimum unit; and (3) selecting a data processing access point as a comparison basic point, constructing a multi-sample difference tree model, executing comparison of control flow graphs of multiple samples which are divided into several groups, wherein each group consists of two samples, finding out a key instruction flow branch point, and acquiring a key path from a false data input point to each difference point. The software fault analysis method, provided by the invention, effectively solves the problem that a dual-sample difference comparison method cannot achieve positioning of complex faults, thereby remarkably improving analysis efficiency of software faults.

A technique for the dynamic instrumentation of a running software system. One or more callable instrumentation functions are accessible in a first memory space associated with the software system. The one or more callable instrumentation functions are adapted to probe an operation of the software system and return data regarding the probed operation. Probed operation environment information needed by the one or more instrumentation functions is provided to a second memory space associated with the software system. First memory space addresses associated with the probed operation environment information are determined from a resource that is accessible in the second memory space. A probe handler is generated that includes calls to the one or more instrumentation functions with references to the first memory space addresses. The probe handler is callable as part of the probed operation.

A system and method for instrumenting program instructions. A processing system includes a compiler and a profiler. The compiler is configured to notify the profiler of a compilation event corresponding to first program instructions. In response to detecting the event, the profiler is configured to intercept compilation of the first program instructions, determine whether an instrumented version of the first program instructions is currently available, instruct the compiler to compile the instrumented version of the first program instructions if available, and retrieve and instrument the first program instructions if not available. The profiler may maintain an instrumentation cache for storing instrumented versions of program instructions. The instrumentation cache may further include metadata which identifies portions of program code which have been instrumented and their location. The profiler may generally instrument program instructions once during the resident life of a corresponding application.

The invention discloses a multi-thread software dynamic upgrading method based on asynchronous check points. The method includes the steps that based on a dynamic instrumentation mode, key codes are arranged in a source program in operation in an instrumentation mode at a binary level, not a source code level, so that upgrading does not need to depend on a specific compiler; based on an asynchronous check point algorithm, it can be guaranteed that all threads are in a blocked state before dynamic upgrading, so that all the threads are updated in a one-off mode, and expenditure caused by new and old version maintenance is avoided; a mode of binary system rewriting is adopted for function indirect skipping, and functions to be updated are upgraded, wherein the functions are not executed; a stack reconstruction mode can be used for upgrading functions to be updated in execution, so that in the dynamic upgrading process, unexpected waiting time which is caused by loop body and main function updating and others are eliminated. The loss, which is caused by downtime due to version maintenance, of applications and services (such as an electronic payment system) high in reliability requirement is reduced to the minimum, and cost caused by additional arrangement of redundancy hardware is reduced.

A dynamic instrumentation method and apparatus which may trace, debug, and profile the execution of a running program without affecting the operation of the program, are provided. According to the method, a break instruction is inserted and executed at start of execution of a first instruction and immediately after execution of the last instruction of a function constituting the program. Environment values of the function before and after execution may be identified. The program may be dynamically instrumented without being affected by any tracing or debugging operations.

A technique for building a callgraph for a software program that includes multiple function entry points using dynamic instrumentation. In one example embodiment, this is achieved by inserting function count probe code at each function entry point of each multiple entry function having multiple function entry points in the software program. Inter-entry point arc probe code is then inserted substantially before each arc source address of an arc. A performance analysis tool is then used to collect data resulting from execution of the software program including the function count probe code and the inter-entry point arc probe code and to obtain an actual function count value for each multiple entry function. A callgraph is then built using the obtained actual function count values.

The invention discloses a malicious code detecting system and method based on dynamic instrumentation. The method comprises the steps that a software to be detected is uploaded on a system simulator of a mobile terminal; a framework of the software to be detected of the system simulator is ordered again by an instrumentation manger of a server, an instrumentation strategy file is implanted into the system simulator, and one or more probe functions monitor an API function of the framework according to the instrumentation strategy file; a sound monitor of the server communicates with the mobile terminal and receives the operation behaviors and content of the software to be detected which are conducted to the API function and obtained by the probe functions; the detected content is compared with a malicious API sequence feature library, if the detected content exists in the malicious API sequence feature library, the software is marked to have malicious behavior operation, and if the detected extent does not exist in the malicious API sequence feature library, the software is marked to be safe, so that the safety of the software to be detected is determined. By means of the system and method, it is achieved that the software to be detected is installed and operated in the system simulator of the mobile terminal, and malicious codes are detected through instrumentation, so that it is avoided that safety hazards or hidden dangers are caused to the mobile terminal.

The invention provides a static analysis and dynamic operation based detection method of atomic violation. The method comprises the following steps: a function and a method related to asynchronous call in JS are acquired through static analysis of a JS code, and code coverage is guaranteed; a dynamic instrumentation record mechanism of a cross-language platform is adopted, a probe point is arranged in an asynchronous call function, not only can elements in JS program be obtained, but also elements in an HTML (hypertext markup language) mode can be recorded, and the accuracy of detection of potential atomic violation is improved; decision rules of atomic violation are designed according to the elements related in the whole process from a request to response of the a Web application, so that effective detection of atomic violation can be performed.

The invention provides a dynamic key command sequence birthmark-based software plagiarism detecting method, which comprises the steps of (1) monitoring a program to be analyzed based on a dynamic instrumentation and identifying and recording a key command by combining with dynamic stain analysis in real time; (2), preprocessing the recorded key command sequence, stripping an operation number and extracting a mnemonic sequence; (3) on the basis, respectively generating a dynamic key command sequence birthmark for two software to be detected; (4) calculating the similarity of the birthmarks; (5) making the design of plagiarism or not by the average value of the similarity of the birthmarks and a given threshold value. The dynamic key command sequence birthmark-based software plagiarism detecting method directly aims at the binary codes without the need of existence of source codes and has more practical significance; the detection means does not depend on a specific platform or programming language, has wider application range and has better resistance to the code obfuscation technology with reversed semantics, so the detection capability of deep plagiarism is improved.

The invention discloses a rule-based JavaScript security testing method. A program analysis method in which static analysis and dynamic analysis are combined is utilized for testing the security problem of a JavaScript code in a website and performing feedback, thereby finding out the security problems which comprise JavaScript coding standardization un-qualification and over-site script attack malicious codes. The method comprises the steps of dynamically finding out a JavaScript coding standardization un-qualification problem by means of a DLint tool, then testing the branched parts of a source code by means of an open-source static code standardization testing tool ESLint; then filtering a page which may contain over-site script attack malicious codes in the source code according to JavaScript page characteristics and a preset threshold according to a static analysis method; and then performing dynamic Instrumentation on the filtered page for performing strain analysis by means of a Jalangi frame, thereby determining whether the filtered page contains an over-site script attack. The rule-based JavaScript security testing method effectively improves testing efficiency for code standardization and malicious codes based on miss rate reduction.

The invention relates to an Android malicious behavior dynamic detection method based on binary dynamic instrumentation, and belongs to the technical field of computer and information science. The method comprises the following steps: firstly, triggering all potential malicious behaviors of tested software through an Android dynamic detection framework; then, through a dynamic binary instrumentation technology, constructing a calling sequence of a program to a system API, using an N-Gram model to extract call timing relationship characteristics of a function; finally, inputting the generated time sequence relation characteristics into a trained GBDT (Gradient Boosting Decision Tree, Gradient Boosting Decision Tree) multi-classification algorithm detection model, identifying malicious software, and carrying out fine-grained classification on malicious behaviors of the software. According to the invention, a dynamic binary instrumentation technology is used.A system function calling timesequence feature of the software is extracted without knowing a program source code. Compared with the prior art, the Android malicious behavior detection method has high accuracy for Android malicious behavior detection, malicious behaviors of the software can be divided into six classes. More detailed detection conclusion granularity is achieved, and the detection efficiency of the Android malicious software is effectively improved.

This invention provides a new mechanism for “Hot-Tracing” using a novel placeholder mechanism and binary rewriting techniques, which leverages existing compiler flags in order to enable light-weight and highly flexible dynamic instrumentation. Broadly, I-Probe can be divided in 2 distinct workflows—1. Pre-processing (ColdPatch), and 2. Hot Tracing. The first phase is a pre-processing mechanism to prepare the binary for phase 2. The second phase is the actual hot-tracing mechanism, which allows users to dynamically instrument functions (more specifically symbols) of their choice.

The invention relates to a webpage malicious JavaScript code recognition and anti-obfuscation method based on hybrid analysis. The webpage malicious JavaScript code recognition and anti-obfuscation method comprises the following steps: firstly, collecting related webpage source codes, and extracting malicious JS files in the source codes and malicious JS codes embedded in HTML documents; then, constructing an abstract syntax tree in the syntax analysis stage, and expressing nodes as conventional JS objects for program analysis and feature extraction; then, carrying out instrumentation on the JS code, carrying out overwriting on basic operation, needing to be monitored, during running, of the JS code, dynamically monitoring the state and information during JS execution, and extracting an execution track and dynamic characteristic information during running; then, rewriting the dynamic and static features into feature vectors, and training a malicious JS code recognition model based on arandom forest algorithm model; and then, based on a dynamic instrumentation method, monitoring and recording memory overwriting related operations, and carrying out effective anti-obfuscation on obfuscated malicious JS codes.

The invention discloses a method and system for automatically generating dynamic breakpoints, wherein the system comprises a dynamic dependence graph creation module, a debugging range refinement module, a state-flow graph creation module, a dynamic breakpoint generation module and a debugging feedback collection module, wherein the dynamic dependency graph creation module is used for not only collecting execution examples of program statements, but also collecting execution sequences and dependency relationship between the examples by utilizing a dynamic instrumentation technique during the program execution process, so as to create a dynamic program dependence graph on the bases; the debugging range refinement module is used for extracting parts of the dynamic program dependence graph relevant with program failure descriptions by utilizing a program dynamic-slicing technique; the state-flow graph creation module is used for interchanging connection points and sides in the dynamic dependence graph output by the debugging range refinement module and transforming a debugging range into a state-flow graph; the dynamic breakpoint generation module is used for generating dynamic breakpoints and aggregations of expressions required being inspected at the breakpoints; and the debugging feedback collection module is used for collecting the results of judgments made by a user about the provided breakpoints and the aggregations of the expressions required being inspected at the breakpoints.

The invention discloses a Heapspray detection method based on intermediate command dynamic instrumentation, belonging to the technical field of computer security. The method comprises the following steps of: (1) setting a virtual machine used for explaining and implementing webpage dynamic script into a single-step operating state; (2) judging whether an intermediate command to be implemented currently is an assignment type intermediate command or not; (3) if so, then judging whether a rvalue parameter type in command parameters is a alphabetic string type or not; if the rvalue parameter is the alphabetic string type and a value thereof is less than a set threshold value P, then checking whether shellcode exists or not; if the rvalue parameter is larger than the set threshold value P, then calculating an information entropy value thereof; and (4) taking a next intermediate command and repeating the step (2) and the step (3); if a rvalue parameter of an assignment type intermediate command has the shellcode and an entropy value of a rvalue parameter of the other assignment type intermediate command is less than the set threshold value, then judging the script to have a Heapspray action. The invention can reduce system overhead and improve the accuracy rate of detection.