ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2017, Vol. 54 ›› Issue (7): 1569-1576.doi: 10.7544/issn1000-1239.2017.20160094

• 软件技术 • 上一篇    下一篇

基于QEMU的动态函数调用跟踪

向勇1,曹睿东1,毛英明2   

  1. 1(清华大学计算机科学与技术系 北京 100084);2(北京理工大学计算机学院 北京 100081) (xyong@csnet4.cs.tsinghua.edu.cn)
  • 出版日期: 2017-07-01
  • 基金资助: 
    “核高基”国家科技重大专项基金项目(2012ZX01039-004-41,2012ZX01039-003)

QEMU-Based Dynamic Function Call Tracing

Xiang Yong1, Cao Ruidong1, Mao Yingming2   

  1. 1(Department of Computer Science and Technology, Tsinghua University, Beijing 100084);2(School of Computer Science, Beijing Institute of Technology, Beijing 100081)
  • Online: 2017-07-01

摘要: 函数调用一直是Linux内核分析研究领域的重点.获得函数调用信息主要有2种方法:静态分析和动态分析.动态跟踪方法可实时和准确地获取函数调用关系信息,在分析和调试软件程序时有极大的帮助作用.针对现有工具存在跟踪信息不全面、需要编译选项支持等不足,基于开源的QEMU模拟器,设计并实现了支持多种CPU平台的通用动态函数调用跟踪工具,可在x86_32,x86_64,ARM共3种体系架构上动态跟踪包括Linux内核启动过程在内的函数调用和返回信息.该工具在程序运行时截获调用和返回的指令,并记录相关信息,利用此种指令只会在QEMU翻译块的最后一条出现的性质,减少检查指令的数量,提高运行效率;可不依赖源代码,只依据函数符号表进行函数调用关系分析.实验结果表明:跟踪和分析结果与源代码行为一致,相比于S2E提升了分析性能和支持的CPU平台种类,且能更好地扩展至其他平台.

关键词: 函数调用, 动态跟踪, 模拟器, 多平台, Linux内核分析

Abstract: Function call has always been an important research topic in Linux kernel analysis. There are two main approaches to obtain function calls, static analysis and dynamic analysis. Using dynamic tracing approach can provide accurate and real-time function calls. It is great help to analyze and debug software programs. Considering that existing tools need some particular compile options or their tracing data is not very comprehensive, a new dynamic function call tracing tool that supports multiple CPU architectures based on an open source emulator QEMU is designed and implemented. It can provide function call and function return information including those in the Linux kernel booting phase on three architectures, x86_32, x86_64 and ARM. When the system is running, this tool intercepts procedure call and return assembly instructions. Then it logs necessary state information to file. Based on the property that these kinds of instructions must be the last one of a QEMU translation block, the amount of checked instructions is lowered and the efficiency is promoted. Only the symbol table of the program not the source code is needed to parse function call data. Test result shows that the behavior indicated by tracing data concurs with the corresponding source code. This tool has higher performance and supports more CPU architectures than S2E. It is easier to extend to other architectures.

Key words: function call, dynamic tracing, emulator, multiple platform, Linux kernel analysis

中图分类号: