[panda-users] Adding a callback for clflush/clflushopt/clwb

Brendan Dolan-Gavitt brendandg at nyu.edu
Thu Mar 29 13:29:18 EDT 2018


You can use panda_virt_to_phys for this.

Best,
Brendan

On Thu, Mar 29, 2018 at 1:09 PM, Vincent Lee <vincent_lee at utexas.edu> wrote:
> Re: above: actually, I figured it out. RAX holds virtual addresses, and I
> was comparing them to physical write addresses. Dumb mistake.
>
> So my actual question is: how do I perform a page table lookup from within a
> panda plugin? I imagine there is a QEMU call somewhere I can do to get the
> physical frame mapped to a given address.
>
> Thanks!
> Vincent
>
>
> On Mon, Mar 26, 2018 at 2:47 PM, Vincent Lee <vincent_lee at utexas.edu> wrote:
>>
>> Hi all,
>>
>> Thanks for the pointer! The instruction callbacks are very useful.
>> Now, I'm trying to get the target address the instruction is trying to
>> flush.
>>
>> But I seem to be getting bogus results, i.e.
>> for some instruction `clflush (%rax)`, I get flushes at extremely high
>> addresses such as 0xffffc90040001180,
>> even though the workload under examination is performing its writes to the
>> 1G-2G range.
>>
>> I'm trying to read the register from the instruction encoding and then grab it
>> from the CPU state. Does this look like I'm accessing the QEMU emulated registers correctly?
>>
>> https://github.com/williewillus/panda_scratchpad/blob/master/personal_plugins/panda/plugins/writetracker/writetracker.cpp#L24-L61
>>
>> Thanks in advance,
>> Vincent
>>
>>
>>
>> On Sun, Mar 18, 2018 at 2:08 PM, Brendan Dolan-Gavitt <brendandg at nyu.edu>
>> wrote:
>>>
>>> Even though it doesn't result in native code generation, you should
>>> still be able to use an instruction hook. Use an insn_translate
>>> callback to check if QEMU is about to translate a
>>> clflush/clflushopt/clwb instruction and then return true from that
>>> callback. Then your insn_exec callback will fire whenever one of those
>>> instructions is executed. Roughly:
>>>
>>> bool insn_translate(CPUState *env, target_ulong pc) {
>>>     // clflush = 0F AE /7, clflushopt = 66 0F AE /7, clwb = 66 0F AE /6.
>>>     // Everything else in opcode group 15 (fxsave, xsave, the fences, ...)
>>>     // also starts with 0F AE, so the ModRM reg field has to be checked too.
>>>     // (A REX prefix, e.g. for clflush (%r8), would sit between 66 and 0F
>>>     // and is not handled here.)
>>>     uint8_t bytes[4];
>>>     if (panda_virtual_memory_read(env, pc, bytes, 4) != 0) return false;
>>>     int i = (bytes[0] == 0x66) ? 1 : 0;
>>>     if (bytes[i] != 0x0F || bytes[i + 1] != 0xAE) return false;
>>>     uint8_t mod = bytes[i + 2] >> 6, reg = (bytes[i + 2] >> 3) & 7;
>>>     if (mod == 3) return false;               // register form: lfence/mfence/sfence
>>>     return reg == 7 || (i == 1 && reg == 6);  // clflush/clflushopt, or clwb
>>> }
>>>
>>> int insn_exec(CPUState *env, target_ulong pc) {
>>>     printf("Saw a clflush/clflushopt/clwb at " TARGET_FMT_lx "\n", pc);
>>>     return 0;
>>> }
>>>
>>> -Brendan
>>>
>>> On Sun, Mar 18, 2018 at 2:59 PM, Vincent Lee <vincent_lee at utexas.edu>
>>> wrote:
>>> > Hi all,
>>> >
>>> > I'd like to communicate to a plugin whenever a (x86_64) guest calls the
>>> > clflush, clflushopt, or clwb instructions.
>>> > Does anyone have any pointers or documentation where I should look to
>>> > begin
>>> > implementing this?
>>> >
>>> > From what I can tell so far:
>>> > * TCG translation of clwb/clflush/clflushopt simply calls "gen_nop_modrm",
>>> > which does nothing
>>> > * TCG->native codegen is where panda's memory hooks are inserted
>>> >
>>> > Would this be a valid (if ad-hoc) plan?
>>> > * Modify QEMU TCG to have some concept of "clflush/clwb/clflushopt" and
>>> > emit
>>> > this from code->TCG translation
>>> > * add a new panda callback type for "clflush/clwb/clflushopt"
>>> > * change TCG->native codegen to inject a call to panda callbacks
>>> >
>>> > Thanks,
>>> > Vincent
>>> >
>>> > _______________________________________________
>>> > panda-users mailing list
>>> > panda-users at mit.edu
>>> > http://mailman.mit.edu/mailman/listinfo/panda-users
>>> >
>>>
>>>
>>>
>>> --
>>> Brendan Dolan-Gavitt
>>> Assistant Professor, Department of Computer Science and Engineering
>>> NYU Tandon School of Engineering
>>
>>
>



-- 
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering
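The thread leaves two pieces to the reader: telling clflush/clflushopt/clwb apart from the rest of opcode group 15, and recovering the flushed address from the instruction encoding plus the guest register file so it can be handed to panda_virt_to_phys. The following is an added example, not code from this thread or from PANDA, that does both for 64-bit guests. It goes beyond the `clflush (%rax)` case discussed above and decodes the full memory-operand form (optional 66 prefix, REX, ModRM, SIB, disp8/disp32, RIP-relative). The register snapshot is a plain struct standing in for QEMU's CPUX86State::regs (same hardware-encoding order), and both the instruction bytes and register values are constructed for the demo; the PANDA calls a real plugin would make are named only in comments.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Snapshot of the guest GPRs in hardware encoding order: rax, rcx, rdx, rbx,
 * rsp, rbp, rsi, rdi, r8..r15. QEMU's CPUX86State::regs[] uses the same order
 * (R_EAX == 0, R_ECX == 1, ...), so a PANDA plugin could copy it straight from
 * ((CPUX86State *)env->env_ptr)->regs inside insn_exec, i.e. before the
 * instruction runs. Here it is a stand-in struct, not the QEMU type. */
typedef struct {
    uint64_t regs[16];
    uint64_t rip;   /* address of the instruction being decoded */
} x86_regs;

typedef enum { FLUSH_NONE = 0, FLUSH_CLFLUSH, FLUSH_CLFLUSHOPT, FLUSH_CLWB } flush_kind;

/* Decode one 64-bit-mode instruction at buf. If it is clflush (0F AE /7),
 * clflushopt (66 0F AE /7) or clwb (66 0F AE /6), return its kind and store the
 * guest virtual address of the flushed line in *ea. Other group-15 encodings
 * (fxsave, xsave, lfence/mfence/sfence, ...) and truncated input give
 * FLUSH_NONE. The 67 address-size prefix is not supported. */
flush_kind decode_flush(const uint8_t *buf, size_t len, const x86_regs *r, uint64_t *ea)
{
    size_t i = 0;
    bool has66 = false;
    uint8_t rex = 0;

    if (i < len && buf[i] == 0x66) { has66 = true; i++; }
    if (i < len && (buf[i] & 0xF0) == 0x40) { rex = buf[i]; i++; }  /* REX directly precedes the opcode */
    if (i + 3 > len || buf[i] != 0x0F || buf[i + 1] != 0xAE) return FLUSH_NONE;

    uint8_t modrm = buf[i + 2];
    uint8_t mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
    i += 3;
    if (mod == 3) return FLUSH_NONE;          /* register form: the fences, not a flush */

    flush_kind kind;
    if (!has66 && reg == 7)      kind = FLUSH_CLFLUSH;
    else if (has66 && reg == 7)  kind = FLUSH_CLFLUSHOPT;
    else if (has66 && reg == 6)  kind = FLUSH_CLWB;
    else return FLUSH_NONE;

    /* Effective address = base + index * 2^scale + disp. */
    bool rex_b = rex & 1, rex_x = rex & 2;
    uint64_t base = 0, index_val = 0;
    int scale = 0, disp_size = (mod == 1) ? 1 : (mod == 2) ? 4 : 0;
    bool rip_rel = false;

    if (rm == 4) {                            /* SIB byte follows */
        if (i >= len) return FLUSH_NONE;
        uint8_t sib = buf[i++];
        scale = sib >> 6;
        int index = ((sib >> 3) & 7) | (rex_x ? 8 : 0);
        if (index != 4) index_val = r->regs[index];      /* index 4 without REX.X = no index */
        if ((sib & 7) == 5 && mod == 0) disp_size = 4;   /* no base, disp32 only */
        else base = r->regs[(sib & 7) | (rex_b ? 8 : 0)];
    } else if (rm == 5 && mod == 0) {
        rip_rel = true;                       /* disp32 relative to the next instruction */
        disp_size = 4;
    } else {
        base = r->regs[rm | (rex_b ? 8 : 0)];
    }

    int64_t disp = 0;
    if (i + disp_size > len) return FLUSH_NONE;
    if (disp_size == 1) {
        disp = (int8_t)buf[i];
    } else if (disp_size == 4) {
        uint32_t d = (uint32_t)buf[i] | (uint32_t)buf[i + 1] << 8 |
                     (uint32_t)buf[i + 2] << 16 | (uint32_t)buf[i + 3] << 24;
        disp = (int32_t)d;
    }
    i += disp_size;                           /* i is now the instruction length */
    if (rip_rel) base = r->rip + i;

    *ea = base + (index_val << scale) + (uint64_t)disp;
    return kind;
}

/* Constructed register state for the demo (not captured from a guest). */
static const x86_regs SAMPLE_REGS = {
    .regs = { 0x1000, 0x10, 0, 0x2000, 0x7000, 0x5000, 0, 0, 0x3000 },
    .rip  = 0x400000,
};

int main(void)
{
    /* Constructed encodings: clflush (%rax); clflushopt 0x40(%rbx); clwb (%r8);
     * clflush (%rax,%rcx,8); clflush 0x10(%rip); mfence (must be rejected). */
    static const uint8_t insns[][8] = {
        {0x0F, 0xAE, 0x38}, {0x66, 0x0F, 0xAE, 0x7B, 0x40}, {0x66, 0x41, 0x0F, 0xAE, 0x30},
        {0x0F, 0xAE, 0x3C, 0xC8}, {0x0F, 0xAE, 0x3D, 0x10, 0, 0, 0}, {0x0F, 0xAE, 0xF0},
    };
    static const char *names[] = { "none", "clflush", "clflushopt", "clwb" };
    for (size_t n = 0; n < sizeof insns / sizeof insns[0]; n++) {
        uint64_t ea = 0;
        flush_kind k = decode_flush(insns[n], sizeof insns[n], &SAMPLE_REGS, &ea);
        /* In a PANDA insn_exec callback, this is the point where
         * panda_virt_to_phys(env, ea) would map the line's virtual address
         * to the physical frame. */
        printf("%-10s ea=0x%llx\n", names[k], (unsigned long long)ea);
    }
    return 0;
}
```

In a plugin the instruction bytes would come from panda_virtual_memory_read at the pc passed to insn_exec (up to 15 bytes, the architectural maximum), and the address this returns is a guest virtual address, exactly the kind of value the thread saw in RAX; comparing it against physical write addresses requires the panda_virt_to_phys step.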
