JiTI86 is a novel method for instrumenting binaries. The technique
correctly deals with programs that contain traditionally hard-to-instrument
features such as data in code and code in data. It requires no reverse
engineering, program-understanding tools or heuristics about the compiler
or linker used. The basic idea is that instrumented code is generated on
the fly, while the original process image is used for all data accesses,
so code that reads itself as data (or data that is later executed as code)
still sees the original bytes. JiTI86 comes with a number of useful
backends that check programs for faulty memory accesses, data races,
deadlocks, etc., and that perform basic tracing operations, e.g. tracing
all memory accesses or all code being executed, or performing coverage
analysis. JiTI86 has been completely implemented for the IA32 architecture
as a dynamically loadable library that can be attached to arbitrary Linux
programs.
At this moment, JiTI86 can instrument:
-all memory operations in the statically linked part of the executable
-calls to dynamically linked procedures (e.g. malloc(), printf(), ...)
Prerequisites
The only prerequisite is a fairly recent binutils package
(binutils-2.9.5.0.22 is known to work).
How it works
The modules are attached to applications using the LD_PRELOAD
environment variable: every process started with that variable set loads
the module before its own code runs. Source SO/alias (cd SO; . alias)
to set a number of aliases that change the LD_PRELOAD variable for you.
Normally, JiTI attaches itself to all programs, even `ls`, `cat`, ... In
order to limit the number of trace files generated, JiTI releases itself
from programs that are not started from their own directory, i.e. from
the current working directory. E.g. in order to trace `ls`, copy it to a
directory where you have write access, cd to that directory and execute
it as `./ls`.
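The following is an added illustration of the attach/release policy just described; it is not JiTI86's own source, and the names jiti_should_attach, jiti_is_active and the "./prog or absolute path inside the cwd" rule are assumptions made for the example. It shows the two mechanics an LD_PRELOAD module relies on: a constructor that runs in every process before main(), and a decision taken there on whether to stay dormant. "Releasing" here simply means leaving the active flag off, since a preloaded object cannot unload itself.

```c
/* jiti_attach_policy.c -- added example of an LD_PRELOAD module skeleton
 * (not JiTI86's code).  Build and attach with, for instance:
 *   cc -shared -fPIC -o libpolicy.so jiti_attach_policy.c
 *   LD_PRELOAD=./libpolicy.so ./prog      (attaches)
 *   LD_PRELOAD=./libpolicy.so ls          (stays dormant: found via PATH)
 */
#define _GNU_SOURCE
#include <limits.h>
#include <string.h>
#include <unistd.h>

/* Set once by the constructor; a backend would test it before tracing. */
static int jiti_active = 0;

/* Copy the directory part of path into dir (no trailing slash);
 * "" when path has no '/', "/" for "/prog".  Returns 0 on overflow. */
static int dirname_of(const char *path, char *dir, size_t n)
{
    const char *slash = strrchr(path, '/');
    size_t len = slash ? (size_t)(slash - path) : 0;
    if (slash == path) len = 1;          /* "/prog" lives in "/" */
    if (len >= n) return 0;
    memcpy(dir, path, len);
    dir[len] = '\0';
    return 1;
}

/* Assumed policy: attach only when the program was started from its own
 * directory, i.e. the executable's directory is the current working
 * directory.  exe_path is argv[0] or the resolved /proc/self/exe; cwd is
 * absolute without a trailing slash.
 *   "ls" (resolved via PATH), "/bin/ls", "../trace/ls"  -> 0
 *   "./ls", "<cwd>/ls"                                  -> 1 */
int jiti_should_attach(const char *exe_path, const char *cwd)
{
    char dir[PATH_MAX];
    if (!strchr(exe_path, '/'))          /* bare name: came from PATH */
        return 0;
    if (!dirname_of(exe_path, dir, sizeof dir))
        return 0;
    if (strcmp(dir, ".") == 0)           /* ./prog */
        return 1;
    return strcmp(dir, cwd) == 0;        /* absolute path inside cwd */
}

/* Runs before main() in every process that inherits LD_PRELOAD.  If the
 * process cannot be identified (no /proc, cwd unreadable) the module stays
 * dormant rather than littering trace files. */
__attribute__((constructor))
static void jiti_init(void)
{
    char exe[PATH_MAX], cwd[PATH_MAX];
    ssize_t n = readlink("/proc/self/exe", exe, sizeof exe - 1);
    if (n < 0 || !getcwd(cwd, sizeof cwd)) {
        jiti_active = 0;
        return;
    }
    exe[n] = '\0';
    jiti_active = jiti_should_attach(exe, cwd);
}

/* Backends query this before opening trace files or installing hooks. */
int jiti_is_active(void)
{
    return jiti_active;
}
```

Note that /proc/self/exe and getcwd() both return symlink-resolved paths, so the comparison is between physical directories; a program reached through a symlinked directory therefore compares the same way whichever spelling of the path was typed.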
For more information about the internal working of JiTI86, we refer to
Ronsse, M.; De Bosschere, K.
JiTI: A Robust Just in Time Instrumentation Technique
Proceedings of the Workshop on Binary Translation 2000,
Computer Architecture News, Vol. 29, No. 1, pp. 43-54,
March 2001. ACM Press, Philadelphia,
a paper on JiTI for the SPARC processor. Although the Intel instruction set bears
no resemblance whatsoever to a clean RISC instruction set, comparable instrumentation
techniques are used. Contact me for a copy of the paper.
Available backends
In order to show the usefulness of JiTI86, it is accompanied by a number
of backends:
-a module that traces all memory operations
-a module that traces all executed code
-a module that detects all kinds of memory errors
-a coverage analysis tool
-...
backends/bandwidth.c is a sample backend.
The scripts directory contains some interesting scripts that process
log files containing information about the executed code. show_source
uses the debug information in the executable to transform the list of
executed assembly instructions into a list of executed C statements.
profile_code shows, for each C line, the number of times it has been
executed.
Download & install
You can download the latest version here. Installation is
quite easy: just type make.
A sample session showing the compilation and
usage of JiTI86.
The Future
In the (near) future, the following feature will be added to JiTI86:
the possibility to intercept calls to statically linked code (at
this moment JiTI86 only intercepts calls to dynamically linked code).