Skip to content
/ qinst Public

Draft of generic instrumentation tool based on QEMU using eBPF to implement trivial instrumentations with trivial code

License

Unknown and 2 other licenses found

Licenses found

Unknown
LICENSE
GPL-2.0
COPYING
LGPL-2.1
COPYING.LIB
18 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

atrosinenko/qinst

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

69,033 Commits
accel
accel
 
 
audio
audio
 
 
authz
authz
 
 
backends
backends
 
 
block
block
 
 
bsd-user
bsd-user
 
 
capstone @ 22ead3e
capstone @ 22ead3e
 
 
chardev
chardev
 
 
contrib
contrib
 
 
crypto
crypto
 
 
default-configs
default-configs
 
 
disas
disas
 
 
docs
docs
 
 
dtc @ 88f1890
dtc @ 88f1890
 
 
fpu
fpu
 
 
fsdev
fsdev
 
 
gdb-xml
gdb-xml
 
 
hw
hw
 
 
include
include
 
 
instrumentation-examples
instrumentation-examples
 
 
io
io
 
 
libdecnumber
libdecnumber
 
 
linux-headers
linux-headers
 
 
linux-user
linux-user
 
 
migration
migration
 
 
nbd
nbd
 
 
net
net
 
 
pc-bios
pc-bios
 
 
po
po
 
 
python/qemu
python/qemu
 
 
qapi
qapi
 
 
qga
qga
 
 
qobject
qobject
 
 
qom
qom
 
 
replay
replay
 
 
roms
roms
 
 
scripts
scripts
 
 
scsi
scsi
 
 
slirp @ f0da672
slirp @ f0da672
 
 
stubs
stubs
 
 
target
target
 
 
tcg
tcg
 
 
tests
tests
 
 
trace
trace
 
 
ui
ui
 
 
util
util
 
 
.cirrus.yml
.cirrus.yml
 
 
.dir-locals.el
.dir-locals.el
 
 
.editorconfig
.editorconfig
 
 
.exrc
.exrc
 
 
.gdbinit
.gdbinit
 
 
.gitignore
.gitignore
 
 
.gitlab-ci.yml
.gitlab-ci.yml
 
 
.gitmodules
.gitmodules
 
 
.gitpublish
.gitpublish
 
 
.mailmap
.mailmap
 
 
.shippable.yml
.shippable.yml
 
 
.travis.yml
.travis.yml
 
 
.travis.yml-upstream
.travis.yml-upstream
 
 
CODING_STYLE
CODING_STYLE
 
 
COPYING
COPYING
 
 
COPYING.LIB
COPYING.LIB
 
 
Changelog
Changelog
 
 
HACKING
HACKING
 
 
Kconfig.host
Kconfig.host
 
 
LICENSE
LICENSE
 
 
MAINTAINERS
MAINTAINERS
 
 
Makefile
Makefile
 
 
Makefile.objs
Makefile.objs
 
 
Makefile.target
Makefile.target
 
 
README
README
 
 
README.md
README.md
 
 
VERSION
VERSION
 
 
arch_init.c
arch_init.c
 
 
balloon.c
balloon.c
 
 
block.c
block.c
 
 
blockdev-nbd.c
blockdev-nbd.c
 
 
blockdev.c
blockdev.c
 
 
blockjob.c
blockjob.c
 
 
bootdevice.c
bootdevice.c
 
 
bt-host.c
bt-host.c
 
 
bt-vhci.c
bt-vhci.c
 
 
configure
configure
 
 
cpus-common.c
cpus-common.c
 
 
cpus.c
cpus.c
 
 
device-hotplug.c
device-hotplug.c
 
 
device_tree.c
device_tree.c
 
 
disas.c
disas.c
 
 
dma-helpers.c
dma-helpers.c
 
 
dump.c
dump.c
 
 
exec.c
exec.c
 
 
gdbstub.c
gdbstub.c
 
 
gitdm.config
gitdm.config
 
 
hmp-commands-info.hx
hmp-commands-info.hx
 
 
hmp-commands.hx
hmp-commands.hx
 
 
hmp.c
hmp.c
 
 
hmp.h
hmp.h
 
 
ioport.c
ioport.c
 
 
iothread.c
iothread.c
 
 
job-qmp.c
job-qmp.c
 
 

Repository files navigation

QInst is a dynamic instrumentation tool based on QEMU and supposed to perform trivial instrumentation with trivial code. It inserts snippets of code before the specified ops of QEMU internal representation. To achieve this, it takes arbitrary plugin.so with native code of the instrumenter run-time as well as little plugin-bpf.a with specially named functions that are hooked to QEMU internal ops. This allows to very easily hook into deep internals of QEMU between the disasm/codegen and dead code elimination/optimization logic.

This software is at the very early development stage, still it is already able to run instrumentation of AFL.

The AFL instrumentation looks like the following (this is the actual working example):

#include <stdint.h>
  
extern uint8_t *__afl_area_ptr;
extern uint64_t prev;

void inst_qemu_brcond_i64(uint64_t tag, uint64_t x, uint64_t y, uint64_t z, uint64_t u)
{
    __afl_area_ptr[((prev >> 1) ^ tag) & 0xFFFF] += 1;
    prev = tag;
}

void inst_qemu_brcond_i32(uint64_t tag, uint64_t x, uint64_t y, uint64_t z, uint64_t u)
{
    __afl_area_ptr[((prev >> 1) ^ tag) & 0xFFFF] += 1;
    prev = tag;
}

The nice fact about this tool is that its instrumentations are not tied to QEMU. Sure, they use QEMU opcode names and signatures but it should be probably easy to make the instrumentation cross-tool if other implementation will become available (such as LLVM or DynamoRIO).

Possibilities from slowest to fastest:

(a) Dynamic instrumentation: QEMU, DynamoRIO (you are here)
(b) Static instrumentation: LLVM
--
(c) Hardware-assisted generic instrumentation
(d) Hardware-assisted instrumentation baked into instantiated softprocessor
  • (a) is already implemented as an early draft
  • (b) is not very hard to implement
  • (d) is already implemented (early draft) as a RoCC accelerator for RocketChip and patched RocketChip
  • (c) would be the most flexible (if possible at all) but requires some configurable FPGA-like additions to CPU :)

Examples

Examples are in the instrumentation-examples directory. Compile the eBPF part with compile-bpf.sh, then compile native part and run

NATIVE_INST=./path/to/native.so BPF_INST=./path/to/bpf.o ./x86_64-linux-user/qemu-x86_64 -- /bin/gzip -d

For now, Pull Requests are not accepted. I hope to upstream it someday, but QEMU has a non-trivial policy on pushing the changes (Signed-Off's, etc.).

About

Draft of generic instrumentation tool based on QEMU using eBPF to implement trivial instrumentations with trivial code

Topics

instrumentation qemu ebpf dynamic-instrumentation

Resources

Readme

License

Unknown and 2 other licenses found

Licenses found

Unknown
LICENSE
GPL-2.0
COPYING
LGPL-2.1
COPYING.LIB

Security policy

Security policy
Activity

Stars

18 stars

Watchers

4 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 948
+ 934 contributors

Languages