[panda-users] Adding a callback for clflush/clflushopt/clwb

Vincent Lee vincent_lee at utexas.edu
Mon Mar 26 15:47:23 EDT 2018


Hi all,

Thanks for the pointer! The instruction callbacks are very useful.
Now, I'm trying to get the target address the instruction is trying to
flush.

But I seem to be getting bogus results, i.e.
for some instruction `clflush (%rax)`, I get flushes at extremely high
addresses such as 0xffffc90040001180,
even though the workload under examination is performing its writes to the
1G-2G range.

I'm trying to read the register from the instruction encoding then grab it
from the CPU state,
does this look like I'm accessing the QEMU emulated registers correctly?
https://github.com/williewillus/panda_scratchpad/blob/master/personal_plugins/panda/plugins/writetracker/writetracker.cpp#L24-L61

Thanks in advance,
Vincent



On Sun, Mar 18, 2018 at 2:08 PM, Brendan Dolan-Gavitt <brendandg at nyu.edu>
wrote:

> Even though it doesn't result in native code generation, you should
> still be able to use an instruction hook. Use an insn_translate
> callback to check if QEMU is about to translate a
> clflush/clflushopt/clwb instruction and then return true from that
> callback. Then your insn_exec callback will fire whenever one of those
> instructions is executed. Roughly:
>
> bool insn_translate(CPUState *env, target_ulong pc) {
>     uint8_t bytes[2];
>     // panda_virtual_memory_read returns 0 on success; skip the hook if the
>     // guest page is not readable (e.g. not yet mapped in).
>     if (panda_virtual_memory_read(env, pc, bytes, 2) != 0) return false;
>     if (bytes[0] == 0x0F && bytes[1] == 0xAE) return true; // clflush
>     else return false;
> }
>
> int insn_exec(CPUState *env, target_ulong pc) {
>     printf("Saw a clflush at " TARGET_FMT_lx "\n", pc);
>     return 0;
> }
>
> -Brendan
>
> On Sun, Mar 18, 2018 at 2:59 PM, Vincent Lee <vincent_lee at utexas.edu>
> wrote:
> > Hi all,
> >
> > I'd like to communicate to a plugin whenever a (x86_64) guest calls the
> > clflush, clflushopt, or clwb instructions.
> > Does anyone have any pointers or documentation where I should look to begin
> > implementing this?
> >
> > From what I can tell so far:
> > * TCG translation of clwb/clflush/clflushopt simply calls "gen_nop_modrm",
> > which does nothing
> > * TCG->native codegen is where panda's memory hooks are inserted
> >
> > Would this be a valid (if ad-hoc) plan?
> > * Modify QEMU TCG to have some concept of "clflush/clwb/clflushopt" and emit
> > this from code->TCG translation
> > * add a new panda callback type for "clflush/clwb/clflushopt"
> > * change TCG->native codegen to inject a call to panda callbacks
> >
> > Thanks,
> > Vincent
> >
> > _______________________________________________
> > panda-users mailing list
> > panda-users at mit.edu
> > http://mailman.mit.edu/mailman/listinfo/panda-users
> >
>
>
>
> --
> Brendan Dolan-Gavitt
> Assistant Professor, Department of Computer Science and Engineering
> NYU Tandon School of Engineering
>
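Decoding the flush target from the instruction bytes, as Vincent describes, as an added example; this is not code from the thread, from his plugin or from PANDA. It assumes the bytes at pc have already been read (e.g. with panda_virtual_memory_read) and a 64-bit register file in QEMU order, which is what env->regs[] holds in an x86_64 plugin; demo_regs is a constructed sample. Note that a bare 0F AE check also matches fxsave/xsave/sfence and misses the 66h-prefixed clflushopt/clwb, and that the hook fires for kernel-mode flushes too, so a plugin that only cares about one workload should also filter on the current process or privilege level.

```c
#include <stdint.h>
#include <stddef.h>
enum flush_kind { NOT_A_FLUSH = 0, FLUSH_CLFLUSH, FLUSH_CLFLUSHOPT, FLUSH_CLWB };
/* Constructed sample register file, QEMU order: 0=rax 1=rcx 2=rdx 3=rbx 4=rsp 5=rbp
 * 6=rsi 7=rdi 8..15=r8..r15 (in a PANDA x86_64 plugin this is env->regs[]). */
static const uint64_t demo_regs[16] = { 0x40001000, 0x10, 0, 0x7f000000, 0, 0, 0, 0,
                                        0x1000, 0, 0, 0, 0, 0, 0, 0 };
/* Decode a 64-bit-mode clflush/clflushopt/clwb at insn[0..len) and compute the effective
 * address of its memory operand from regs[] and pc (the instruction's own address, needed
 * for RIP-relative operands). Only 66h and REX prefixes are handled; FS/GS bases ignored. */
enum flush_kind decode_flush(const uint8_t *insn, size_t len, const uint64_t regs[16],
                             uint64_t pc, uint64_t *addr)
{
    size_t i = 0;
    int opsize = 0, rex = 0;
    if (i < len && insn[i] == 0x66) { opsize = 1; i++; }
    if (i < len && (insn[i] & 0xF0) == 0x40) rex = insn[i++];
    if (i + 3 > len || insn[i] != 0x0F || insn[i + 1] != 0xAE) return NOT_A_FLUSH;
    uint8_t modrm = insn[i + 2];
    int mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
    i += 3;
    enum flush_kind kind = NOT_A_FLUSH;
    if (reg == 7) kind = opsize ? FLUSH_CLFLUSHOPT : FLUSH_CLFLUSH;   /* 0F AE /7 */
    else if (reg == 6 && opsize) kind = FLUSH_CLWB;                   /* 66 0F AE /6 */
    /* mod==3 is sfence/lfence/mfence; other /digit values are fxsave, xsave, xrstor... */
    if (mod == 3 || kind == NOT_A_FLUSH) return NOT_A_FLUSH;

    int rex_b = rex & 1, rex_x = (rex >> 1) & 1, rip_rel = 0, disp32 = 0;
    uint64_t base = 0, index = 0, scale = 1;
    int64_t disp = 0;
    if (rm == 4) {                                  /* SIB byte follows */
        if (i >= len) return NOT_A_FLUSH;
        uint8_t sib = insn[i++];
        int idx = ((sib >> 3) & 7) | (rex_x << 3);
        scale = 1u << (sib >> 6);
        if (idx != 4) index = regs[idx];            /* index 100b without REX.X: no index */
        if ((sib & 7) == 5 && mod == 0) disp32 = 1; /* base 101b with mod 00: disp32 only */
        else base = regs[(sib & 7) | (rex_b << 3)];
    } else if (rm == 5 && mod == 0) { rip_rel = disp32 = 1; } /* RIP-relative */
    else base = regs[rm | (rex_b << 3)];
    if (mod == 1) { if (i >= len) return NOT_A_FLUSH; disp = (int8_t)insn[i++]; }
    else if (mod == 2 || disp32) {
        if (i + 4 > len) return NOT_A_FLUSH;
        uint32_t u = insn[i] | (insn[i+1] << 8) | (insn[i+2] << 16) | ((uint32_t)insn[i+3] << 24);
        disp = (int32_t)u; i += 4;
    }
    if (rip_rel) base = pc + i;                     /* i is now the instruction length */
    *addr = base + index * scale + (uint64_t)disp;
    return kind;
}
```

For `clwb (%r8,%rcx,8)` encoded as 66 41 0F AE 34 C8 the decoder returns FLUSH_CLWB with address r8 + rcx*8; comparing that address against the workload's own mappings is the check that separates its flushes from the kernel's.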