[panda-users] Adding a callback for clflush/clflushopt/clwb

Vincent Lee vincent_lee at utexas.edu
Thu Mar 29 13:09:09 EDT 2018


Re: above: actually, I figured it out. RAX holds *virtual* addresses, and I
was comparing them to *physical* write addresses. Dumb mistake.

So my actual question is: how do I perform a page table lookup from within
a panda plugin? I imagine there is a QEMU call somewhere I can do to get
the physical frame mapped to a given address.

Thanks!
Vincent


On Mon, Mar 26, 2018 at 2:47 PM, Vincent Lee <vincent_lee at utexas.edu> wrote:

> Hi all,
>
> Thanks for the pointer! The instruction callbacks are very useful.
> Now, I'm trying to get the target address the instruction is trying to
> flush.
>
> But I seem to be getting bogus results, i.e.
> for some instruction `clflush (%rax)`, I get flushes at extremely high
> addresses such as 0xffffc90040001180,
> even though the workload under examination is performing its writes to the
> 1G-2G range.
>
> I'm trying to read the register from the instruction encoding then grab it
> from the CPU state,
> does this look like I'm accessing the QEMU emulated registers correctly?
> https://github.com/williewillus/panda_scratchpad/blob/master/personal_plugins/panda/plugins/writetracker/writetracker.cpp#L24-L61
>
> Thanks in advance,
> Vincent
>
>
>
> On Sun, Mar 18, 2018 at 2:08 PM, Brendan Dolan-Gavitt <brendandg at nyu.edu> wrote:
>
>> Even though it doesn't result in native code generation, you should
>> still be able to use an instruction hook. Use an insn_translate
>> callback to check if QEMU is about to translate a
>> clflush/clflushopt/clwb instruction and then return true from that
>> callback. Then your insn_exec callback will fire whenever one of those
>> instructions is executed. Roughly:
>>
>> bool insn_translate(CPUState *env, target_ulong pc) {
>>     // 0F AE is a whole opcode group (fxsave, fences, clflush, ...); the ModRM
>>     // reg field selects the member: /7 is clflush, or clflushopt with a 66
>>     // prefix, and 66 ... /6 is clwb. Legacy 66 and REX prefixes come first.
>>     uint8_t b[5] = {0};
>>     if (panda_virtual_memory_read(env, pc, b, sizeof b) != 0) return false;
>>     int i = 0;
>>     bool has66 = (b[i] == 0x66);
>>     if (has66) i++;
>>     if ((b[i] & 0xF0) == 0x40) i++;                 // REX prefix
>>     if (b[i] != 0x0F || b[i + 1] != 0xAE) return false;
>>     uint8_t modrm = b[i + 2], mod = modrm >> 6, reg = (modrm >> 3) & 7;
>>     if (mod == 3) return false;                     // register form: a fence
>>     return reg == 7 || (reg == 6 && has66);         // clflush/clflushopt, clwb
>> }
>>
>> int insn_exec(CPUState *env, target_ulong pc) {
>>     printf("Saw a clflush-family instruction at " TARGET_FMT_lx "\n", pc);
>>     return 0;
>> }
>>
>> -Brendan
>>
>> On Sun, Mar 18, 2018 at 2:59 PM, Vincent Lee <vincent_lee at utexas.edu> wrote:
>> > Hi all,
>> >
>> > I'd like to communicate to a plugin whenever a (x86_64) guest calls the
>> > clflush, clflushopt, or clwb instructions.
>> > Does anyone have any pointers or documentation where I should look to begin
>> > implementing this?
>> >
>> > From what I can tell so far:
>> > * TCG translation of clwb/clflush/clflushopt simply calls "gen_nop_modrm",
>> > which does nothing
>> > * TCG->native codegen is where panda's memory hooks are inserted
>> >
>> > Would this be a valid (if ad-hoc) plan?
>> > * Modify QEMU TCG to have some concept of "clflush/clwb/clflushopt" and emit
>> > this from code->TCG translation
>> > * add a new panda callback type for "clflush/clwb/clflushopt"
>> > * change TCG->native codegen to inject a call to panda callbacks
>> >
>> > Thanks,
>> > Vincent
>> >
>> > _______________________________________________
>> > panda-users mailing list
>> > panda-users at mit.edu
>> > http://mailman.mit.edu/mailman/listinfo/panda-users
>> >
>>
>>
>>
>> --
>> Brendan Dolan-Gavitt
>> Assistant Professor, Department of Computer Science and Engineering
>> NYU Tandon School of Engineering
>>
>
>
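The two practical problems in this thread are (a) getting the register out of the `clflush (%rax)`-style encoding correctly, and (b) remembering that what comes out of the register file is a guest virtual address, so it has to be translated before it can be compared with physical write addresses. The decoder below is an added example, not code from the thread and not part of PANDA or QEMU. It takes the raw instruction bytes (as you would get from panda_virtual_memory_read() at pc), a 16-entry register file in QEMU's CPUX86State::regs[] order (RAX, RCX, RDX, RBX, RSP, RBP, RSI, RDI, R8..R15), and the instruction's own address, and returns which flush it is plus the virtual address of the operand. It assumes the guest is in 64-bit mode with flat CS/DS/ES/SS; FS/GS overrides, 0x67 address-size prefixes and LOCK/REP are reported as "not a flush" rather than mis-decoded. The register values and encodings in main() are constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* GPR slot numbers, in the order QEMU keeps them in CPUX86State::regs[]. */
enum { R_RAX, R_RCX, R_RDX, R_RBX, R_RSP, R_RBP, R_RSI, R_RDI,
       R_R8, R_R9, R_R10, R_R11, R_R12, R_R13, R_R14, R_R15 };

typedef enum { FLUSH_NONE = 0, FLUSH_CLFLUSH, FLUSH_CLFLUSHOPT, FLUSH_CLWB } flush_kind;

typedef struct {
    flush_kind kind;   /* FLUSH_NONE if the bytes are not a cache-line flush */
    uint64_t   vaddr;  /* guest VIRTUAL address of the flushed line (not physical) */
    size_t     len;    /* instruction length in bytes; 0 when kind == FLUSH_NONE */
} flush_insn;

static int32_t rd_disp32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Decode up to n bytes at `code` (e.g. 15 bytes read from the guest at pc) as a 64-bit-mode
 * clflush / clflushopt / clwb and compute its memory operand's effective address from the
 * register file `regs` (layout above) and `rip` (the address of the instruction itself). */
flush_insn decode_flush(const uint8_t *code, size_t n, const uint64_t regs[16], uint64_t rip)
{
    flush_insn none = { FLUSH_NONE, 0, 0 }, r = none;
    size_t i = 0;
    bool has66 = false;
    uint8_t rex = 0;

    /* Legacy prefixes: 0x66 turns 0F AE /7 into clflushopt and 0F AE /6 into clwb; CS/DS/ES/SS
     * overrides are ignored in 64-bit mode. FS/GS (need a segment base), 0x67 (32-bit addressing),
     * LOCK and REP are not handled here, so such encodings are reported as "not a flush". */
    for (; i < n; i++) {
        uint8_t b = code[i];
        if (b == 0x66) has66 = true;
        else if (b == 0x26 || b == 0x2E || b == 0x36 || b == 0x3E) continue;
        else if (b == 0x64 || b == 0x65 || b == 0x67 || b == 0xF0 || b == 0xF2 || b == 0xF3) return none;
        else break;
    }
    if (i < n && (code[i] & 0xF0) == 0x40) rex = code[i++];          /* REX.WRXB */
    if (i + 3 > n || code[i] != 0x0F || code[i + 1] != 0xAE) return none;
    i += 2;

    uint8_t modrm = code[i++];
    unsigned mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
    if (mod == 3) return none;                 /* register form = lfence/mfence/sfence */
    if (reg == 7)               r.kind = has66 ? FLUSH_CLFLUSHOPT : FLUSH_CLFLUSH;
    else if (reg == 6 && has66) r.kind = FLUSH_CLWB;   /* 0F AE /6 without 66 is xsaveopt */
    else return none;

    /* Effective address = base + index*scale + disp; REX.B/REX.X extend base/index to r8-r15. */
    uint64_t addr = 0;
    unsigned rexB = rex & 1, rexX = (rex >> 1) & 1;
    bool rip_rel = false;
    if (rm == 4) {                                                    /* SIB byte follows */
        if (i >= n) return none;
        uint8_t sib = code[i++];
        unsigned scale = sib >> 6, index = ((sib >> 3) & 7) | (rexX << 3);
        if (index != 4) addr += regs[index] << scale;                /* index 4 = no index */
        if ((sib & 7) == 5 && mod == 0) mod = 2;                     /* no base, disp32 follows */
        else addr += regs[(sib & 7) | (rexB << 3)];
    } else if (rm == 5 && mod == 0) {
        rip_rel = true; mod = 2;                                      /* disp32(%rip) */
    } else {
        addr += regs[rm | (rexB << 3)];
    }
    size_t dispsz = (mod == 1) ? 1 : (mod == 2) ? 4 : 0;
    if (i + dispsz > n) return none;
    if (dispsz == 1) addr += (uint64_t)(int64_t)(int8_t)code[i];
    else if (dispsz == 4) addr += (uint64_t)(int64_t)rd_disp32(&code[i]);
    i += dispsz;

    r.len = i;
    r.vaddr = rip_rel ? rip + r.len + addr : addr;  /* RIP-relative is from the NEXT instruction */
    return r;
}

/* Constructed register file for the demo: RAX in user space, RBX at the 1 GiB mark. */
const uint64_t demo_regs[16] = {
    [R_RAX] = 0x7ffd1000, [R_RBX] = 0x40000000, [R_RCX] = 3, [R_R9] = 0x7f0000001000ULL,
};

int main(void)
{
    /* Constructed encodings: clflush (%rax); clflushopt 0x40(%rbx,%rcx,8); clwb (%r9); mfence. */
    static const uint8_t samples[][8] = {
        {0x0F, 0xAE, 0x38}, {0x66, 0x0F, 0xAE, 0x7C, 0xCB, 0x40},
        {0x66, 0x41, 0x0F, 0xAE, 0x31}, {0x0F, 0xAE, 0xF0},
    };
    static const char *names[] = { "none", "clflush", "clflushopt", "clwb" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        flush_insn f = decode_flush(samples[k], 8, demo_regs, 0x401000);
        printf("%-10s len=%zu vaddr=0x%llx\n", names[f.kind], f.len, (unsigned long long)f.vaddr);
    }
    return 0;
}
```

Wiring this into a plugin is the part the thread is really asking about, and it is where the virtual/physical distinction bites: in the insn_exec callback, read the bytes at pc with panda_virtual_memory_read(), take the register file from `((CPUX86State *)env->env_ptr)->regs` (target_ulong is 64 bits on an x86_64 target, so it can be passed as the `regs` argument), and decode. The resulting `vaddr` is what the guest wrote in the instruction, i.e. a virtual address under whatever CR3 is current at that moment, which is why comparing it with physical write addresses produced the 0xffffc9... kernel-range values seen above. For the physical frame, PANDA 2 carries a helper for exactly this page-table walk, panda_virt_to_phys(env, vaddr), declared in panda/include/panda/common.h; it uses the guest's current page tables, so call it from the exec callback (not at translate time, when CR3 may differ) and treat a return of (target_ulong)-1 as "not mapped" (check the declaration in your checkout for the exact failure value). Two further caveats: clflush acts on the whole 64-byte line, so mask with `~63` before comparing against byte-granular write addresses; and if the flushing code uses an FS/GS override (thread-local buffers) the decoder above deliberately bails, because the segment base must then be added from the CPUX86State segment registers.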