A CIL Tutorial - Department of Computer Science - ETH Zürich
Chapter 6
Overriding Functions
When performing a dynamic analysis, it happens frequently that we would like to intercept calls to the C Library, or to system calls. We can accomplish this using the dynamic linker¹.
Using the dynamic linker is preferable to using CIL to replace calls to these library functions. If you use CIL, the call is only replaced in the code that CIL touches. Other code that is linked into the program will use the original version. This will either have strange effects or render your dynamic analysis unsound. Thus, if you want to override a library or system call, don't use CIL; instead, use the dynamic linker as shown below.
6.1 tut6.ml
There's nothing going on here in the OCaml module corresponding to this tutorial because all of the action happens in ciltut-lib/src/tut6.c.
6.2 Overriding Library Calls
Instead, we'll take this opportunity to discuss a few ways that overriding library calls can be useful.
• You can override pthread_create to keep extra state for threads spawned by the application you are analyzing.
• You can override malloc and friends to analyze and profile memory allocation.
• You can override system calls that request resources from the Operating System, like cores, or memory, or I/O bandwidth, in order to shape the demands placed on the system.
• ...and many others.
¹ Intercepting system calls can be a bit more complicated than intercepting library calls. Applications may directly use the syscall system call instead of the C Library interface. Luckily, one may still wrap this call, with a bit more work.
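The tutorial keeps this chapter's code in ciltut-lib/src/tut6.c, which is not reproduced on this page. The single-file program below is an added illustration, not the tutorial's own code: it overrides open(2) through the dynamic linker, resolving the C Library's original with dlsym(RTLD_NEXT, "open"), keeps the kind of extra state the bullets above describe (call and refusal counters, the last path seen), and refuses opens under a chosen prefix to shape the I/O demands a program may place on the system. The denied prefix "/etc/", the counters and the interposed_* accessor names are constructed for the demo, and the raw-syscall fallback for statically linked builds is an assumption, not something the tutorial describes.

```c
#define _GNU_SOURCE            /* glibc only defines RTLD_NEXT under _GNU_SOURCE */
#undef _FORTIFY_SOURCE         /* fortified headers declare an inline open() that would clash with ours */
#include <dlfcn.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef RTLD_NEXT
/* Fallback if a system header was processed before _GNU_SOURCE took effect;
   (void *)-1 is the value used by glibc and musl. */
#define RTLD_NEXT ((void *) -1l)
#endif

/* Policy for this demo (constructed): refuse to open anything under this prefix. */
static const char *const denied_prefix = "/etc/";

/* Extra state kept by the interposer: the same kind of bookkeeping a
   pthread_create or malloc wrapper would keep. */
static unsigned long open_calls;
static unsigned long open_denied;
static char last_path[256];

typedef int (*open_fn)(const char *, int, ...);

/* Look up the C Library's own open() once. RTLD_NEXT asks the dynamic linker
   for the next definition of the symbol after the object making the call. */
static open_fn real_open(void)
{
    static open_fn next;
    if (next == NULL)
        next = (open_fn) dlsym(RTLD_NEXT, "open");
    return next;
}

/* This definition shadows libc's open() for every dynamically resolved call in
   the process when built as a preloaded .so, and for the whole program when
   linked in directly, as in this single-file demo. */
int open(const char *path, int flags, ...)
{
    int mode = 0;

    /* open(2) is variadic: the mode argument is present only for O_CREAT (and O_TMPFILE). */
    int wants_mode = (flags & O_CREAT) != 0;
#ifdef O_TMPFILE
    wants_mode = wants_mode || (flags & O_TMPFILE) == O_TMPFILE;
#endif
    if (wants_mode) {
        va_list ap;
        va_start(ap, flags);
        mode = va_arg(ap, int);   /* mode_t arrives promoted to int through the ... */
        va_end(ap);
    }

    open_calls++;
    snprintf(last_path, sizeof last_path, "%s", path);

    if (strncmp(path, denied_prefix, strlen(denied_prefix)) == 0) {
        open_denied++;
        errno = EACCES;           /* report the refusal the way the kernel would */
        return -1;
    }

    open_fn next = real_open();
    if (next == NULL) {
#ifdef SYS_openat
        /* Assumption: no libc behind us (e.g. a static build), so issue the raw system call. */
        return (int) syscall(SYS_openat, AT_FDCWD, path, flags, mode);
#else
        errno = ENOSYS;
        return -1;
#endif
    }
    return next(path, flags, mode);
}

/* Accessors so a test or an end-of-run report can read the collected state. */
unsigned long interposed_open_calls(void)  { return open_calls; }
unsigned long interposed_open_denied(void) { return open_denied; }
const char   *interposed_last_path(void)   { return last_path; }

int main(void)
{
    int fd = open("/dev/null", O_WRONLY);
    if (fd >= 0)
        close(fd);
    if (open("/etc/passwd", O_RDONLY) == -1)
        perror("open /etc/passwd");
    printf("open() calls: %lu, denied: %lu, last path: %s\n",
           interposed_open_calls(), interposed_open_denied(), interposed_last_path());
    return 0;
}
```

Built as an executable, the program's own open() is the one every call in it reaches; the same source built with -shared -fPIC and loaded through LD_PRELOAD is applied to any dynamically linked program without touching its code, which is the property the chapter wants and CIL alone cannot give. Two caveats follow from the footnote: a program that invokes syscall() directly bypasses the wrapper, and so do the C Library's own internal callers of open (glibc's fopen, for instance, uses a hidden alias rather than the exported symbol), so an analysis that must see those needs to wrap at a lower level. On glibc older than 2.34, dlsym lives in libdl and the build needs -ldl.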