Zhangxiang YANG,Zuhua DAI,Bo WANG

DOI: https://doi.org/10.3778/j.issn.1002-8331.1509-0167

2016-01-01

Abstract:This paper analyzes the principles of the existing Rootkit detection technology on Linux system, and further proposes a detection technology using Kprobe. The detection method collects the information of objects hidden by Rootkit by inserting probe points into the critical path in low-level kernel, and then compares the underlying information and the results from audit tools with cross-view validation principle to get the hided objects. The experiments are conducted to verify this detection method on several popular Rootkits. The results show that this technique has a good reliability.

Gonglong Chen,Wei Dong

DOI: https://doi.org/10.1109/icpads.2015.29

IF: 5.836

2018-01-01

Journal of Systems Architecture

Abstract:Path profiling, which aims to trace a program's execution path, has been widely adopted in various areas such as record and replay, program optimizations, performance diagnosis, and etc. Many path profiling approaches have been proposed in the literature, including B.L. algorithm, and PAP. Unfortunately, both approaches suffer from large tracing overhead for representing long execution paths. In this paper, we propose AdapTracer, a path profiling approach based on arithmetic coding. There are two salient features in Adap-Tracer. First, it is space efficient by adopting a path profiling algorithm based on arithmetic coding. Second, it is adaptive by explicitly considering the execution frequency of each edge. We have implemented AdapTracer to profile Android applications. Our experimental evaluation uses modified JGF benchmarks to show AdapTracer's efficiency. Experimental results show that AdapTracer reduces the trace size by 44% on average and incurs execution overhead by 10% at most compared to PAP.

Junfeng Yu,Shengzhi Zhang,Peng Liu,Zhitang Li

DOI: https://doi.org/10.1145/1943513.1943525

2011-01-01

Abstract:ABSTRACTIn this paper, we present the design, implementation, and evaluation of LeakProber, a framework that leverages the whole system dynamic instrumentation and the inter-procedural analysis to enable data propagation path profiling in production system. We integrate both the static analysis and runtime tracking to establish a holistic and practical approach to generating the sensitive data propagation graph (sDPG) with minimum runtime overhead. We evaluate our system on several data stealing attacks scenario for generating sDPG. The sDPG generated by our system captures multiple aspects of data accessing patterns and provides clear insights into the data leakage path. We also measure the performance of our system and find that it degrades the production system about 6% in the trace-on mode. When our prototype works in the trace-off mode, the runtime overhead is even lower, on an average of 1.5% across each benchmark we run. We believe that it is feasible to directly apply our prototype into production system environment.

Camille Coti,Kevin Huck,Allen D. Malony

2023-04-22

Abstract:This paper presents a approach for measuring the time spent by HPC applications in the operating system's kernel. We use the SystemTap interface to insert timers before and after system calls, and take advantage of its stability to design a tool that can be used with multiple versions of the kernel. We evaluate its performance overhead, using an OS-intensive mini-benchmark and a raytracing mini app.

Distributed, Parallel, and Cluster Computing

SUN Lijiang,ZHU Li,WEI Hengyi

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.20.015

2006-01-01

Abstract:PowerPC-based NC systems are gradually put into action, but the corresponding tools of runtime performance monitoring for these NCsare not yet developed. Two problems must be resolved for the collection of PowerPC-NC system runtime performance parameters: one is thecollecting kernel data and the other is communication between user space and kernel space. Performance parameter collecting methods in Linux areresearched and the virtual-device-driver method based on LKM is proposed. Based on this collecting method a data collection module ofPowerPC-NC system is designed and implemented, which can collect the performance parameters of NC server. Experiment results indicate that thistool has a high effectiveness and is easy to be used.

Anton Risberg Alaküla,Görel Hedin,Niklas Fors,Adrian Pop

DOI: https://doi.org/10.1016/j.jss.2024.111980

IF: 3.5

2024-02-03

Journal of Systems and Software

Abstract:We present property probes , a mechanism for helping a developer explore partial program analysis results in terms of the source program interactively while the program is edited. A node locator data structure is introduced that maps between source code spans and program representation nodes, and that helps identify probed nodes in a robust way, after modifications to the source code. We have developed a client–server based tool CodeProber supporting property probes, and argue that it is very helpful in debugging and understanding program analyses. We have evaluated our tool on several languages and analyses, including a full Java compiler and a tool for intraprocedural dataflow analysis. Our performance results show that the probe overhead is negligible even when analyzing large projects.

computer science, theory & methods, software engineering

XUE Zhi-ping,XUE Zhi,WANG Yi-jun

DOI: https://doi.org/10.3969/j.issn.1009-8054.2008.01.031

2008-01-01

Abstract:A Unix security auditing system based on dynamic tracing is described in this paper, and the design and realization are discussed. In the system, the detectors, set by dynamic tracing DTrace in the kernel, are used to collect audit information, and the audit logs are written in a standard format. Meanwhile, the secure storage and automatic analysis for the logs are realized in C/S mode.

XIAO Xin-feng

DOI: https://doi.org/10.3969/j.issn.1000-1220.2006.03.025

2006-01-01

Abstract:Most utilities gather Linux kernel data by means of reading proc files. But the method is inefficient when use for performance measuring purpose. This paper proposed a LKM and char-device-driver based method that gathers data from the Linux kernel directly via its ioctl method. Experiments showed that the new method is not only simpler but also more efficient than reading proc files.

Miryeong Kwon,Jie Zhang,Gyuyoung Park,Wonil Choi,David Donofrio,John Shalf,Mahmut Kandemir,Myoungsoo Jung

DOI: https://doi.org/10.48550/arXiv.1709.04806

2017-09-14

Distributed, Parallel, and Cluster Computing

Abstract:Block traces are widely used for system studies, model verifications, and design analyses in both industry and academia. While such traces include detailed block access patterns, existing trace-driven research unfortunately often fails to find true-north due to a lack of runtime contexts such as user idle periods and system delays, which are fundamentally linked to the characteristics of target storage hardware. In this work, we propose TraceTracker, a novel hardware/software co-evaluation method that allows users to reuse a broad range of the existing block traces by keeping most their execution contexts and user scenarios while adjusting them with new system information. Specifically, our TraceTracker's software evaluation model can infer CPU burst times and user idle periods from old storage traces, whereas its hardware evaluation method remasters the storage traces by interoperating the inferred time information, and updates all inter-arrival times by making them aware of the target storage system. We apply the proposed co-evaluation model to 577 traces, which were collected by servers from different institutions and locations a decade ago, and revive the traces on a high-performance flash-based storage array. The evaluation results reveal that the accuracy of the execution contexts reconstructed by TraceTracker is on average 99% and 96% with regard to the frequency of idle operations and the total idle periods, respectively.

Adel Belkhiri,Martin Pepin,Mike Bly,Michel Dagenais

DOI: https://doi.org/10.1016/j.jpdc.2022.10.012

IF: 4.542

2022-11-13

Journal of Parallel and Distributed Computing

Abstract:The Data Plane Development Kit (DPDK) is an efficient framework developed based on the kernel bypass approach to accelerate packet processing in userspace. This framework includes many libraries and Poll Mode Drivers (PMDs) that are optimized for maximum network performance. Several studies have demonstrated that porting existing data plane applications to DPDK can considerably increase their performance. Unfortunately, kernel bypassing makes traditional network monitoring and debugging tools obsolete. Therefore, considering the complexity of networking software, detecting unexpected behaviors, and diagnosing its root causes became a tedious task. The literature reports a few tools intended for debugging DPDK application bugs, but they are mostly ineffective against performance bugs. In this paper, we propose a tracing-based performance analysis framework that is dedicated to DPDK applications. The framework provides many analyses enabling the practitioner to gain insights into the application internals and diagnose performance bugs. We use an efficient approach to collect tracing data from DPDK libraries and drivers, with a very low overhead (<0.2%). Our framework correlates the data collected to build a data model that illustrates the states of the monitored application' components. We leverage this data model to calculate adapted performance metrics and display them in time-synchronized graphical views. The numerous use cases that we present demonstrate the ability of our tool to identify and diagnose efficiently various performance bugs.

computer science, theory & methods

Xiang Yong,Cao Ruidong,Mao Yingming

DOI: https://doi.org/10.7544/issn1000-1239.2017.20160094

2017-01-01

Abstract:Function call has always been an important research topic in Linux kernel analysis.There are two main approaches to obtain function calls, static analysis and dynamic analysis.Using dynamic tracing approach can provide accurate and real-time function calls.It is great help to analyze and debug software programs.Considering that existing tools need some particular compile options or their tracing data is not very comprehensive, a new dynamic function call tracing tool that supports multiple CPU architectures based on an open source emulator QEMU is designed and implemented.It can provide function call and function return information including those in the Linux kernel booting phase on three architectures, x86_32, x86_64 and ARM.When the system is running, this tool intercepts procedure call and return assembly instructions.Then it logs necessary state information to file.Based on the property that these kinds of instructions must be the last one of a QEMU translation block, the amount of checked instructions is lowered and the efficiency is promoted.Only the symbol table of the program not the source code is needed to parse function call data.Test result shows that the behavior indicated by tracing data concurs with the corresponding source code.This tool has higher performance and supports more CPU architectures than S2E.It is easier to extend to other architectures.

Z. Fan

DOI: https://doi.org/10.1117/12.2675203

2023-05-25

Abstract:Nowadays, with the increasing diversity of Internet programs, more and more programs have launched more functions. However, many system vulnerabilities have gradually surfaced, and the process of finding and repairing vulnerabilities has become an imminent problem for developers. Code snippets related to dynamic memory allocation and resource preemption operations are a major source of operating system failures. In this paper, a new fault detection technique based on dynamic kernel tracing is proposed. The fault source and fault type are determined by collecting kernel call stack and global state transition information. The fault detection technology is implemented as a loadable kernel module in Linux system, which can effectively collect kernel information without adding hardware or modifying the original system code. The experimental results of fault injection show that the proposed method can detect faults effectively, and the detection delay is smaller than the method based on timeout time and performance index. How to deal with these vulnerabilities is the subject of this article.

Engineering,Computer Science

J. Zhang,Baigen Cai,Jianhua Wu

DOI: https://doi.org/10.3969/j.issn.1673-0291.2003.03.019

2003-01-01

Abstract:The probe vehicle techniques discussed here are one of the typically intelligent transportation system (ITS) applications designed primarily for collecting data in real_time. In this paper,concept, advantages and disadvantages of probe vehicle techniques are introduced. Some key problems are presented particularly, such as percentage of probe vehicles, estimation and prediction indices by probe vehicle, as well as the estimation and prediction methods. In conclusion, how to determine probe vehicle sample sizes is pointed out. Travel speed and travel time are main estimation and prediction indices, and direct measuring of path_based travel time rather than link_based travel times could generate a more accurate result.

JUN HONG,XUEDAN ZHANG,ZHONGYA WEI,YONG REN

DOI: https://doi.org/10.3969/j.issn.1008-0570.2008.03.001

2008-01-01

Abstract:It is important to use distributed probes to detect real-time traffic information which is an essential factor in ITS. This paper analyzes the process of traffic data collection by mobile probes, and evaluates the time interval between data collecting and transferring, and the minimal probe sample size. It also discusses how to adjust the time interval between data transferring and the minimum probe node sample size when there is an accident.

He Sun,Chao Zhang,He Li,Zhenhua Wu,Lifa Wu,Yun Li

DOI: https://doi.org/10.1109/access.2019.2939566

IF: 3.9

2019-01-01

IEEE Access

Abstract:Program tracing solutions (i.e., tracers) can faithfully record runtime information about a program's execution and enable flexible and powerful offline analysis. Therefore, they have become fundamental techniques extensively utilized in software analysis applications. However, few tracers have paid attention to the size of traces and corresponding overheads introduced to offline analysis, as well as the Control Flow Graph (CFG) support. This paper presents ATOS, an efficient tracing solution, to address these issues. It adaptively adjusts the granularity of tracing while conservatively preserving the essential execution information. We implement a prototype of ATOS and evaluate it on several benchmarks. The results show that ATOS can greatly reduce the size of a trace and accelerate offline analysis, while preserving the execution states and supporting existing applications seamlessly. For example, using ATOS, the trace produced by the application CryptoHunt is reduced by 46 times, while the analysis time is reduced by 34 times.

Haibo Mi,Huaimin Wang,Hua Cai,Yangfan Zhou,Michael R. Lyu,Zhenbang Chen

DOI: https://doi.org/10.1109/COMPSAC.2012.69

2012-01-01

Abstract:In large-scale cloud computing systems, the growing scale and complexity of component interactions pose great challenges for operators to understand the characteristics of system performance. Performance profiling has long been proved to be an effective approach to performance analysis; however, existing approaches do not consider two new requirements that emerge in cloud computing systems. First, the efficiency of the profiling becomes of critical concern; second, visual analytics should be utilized to make profiling results more readable. To address the above two issues, in this paper, we present P-Tracer, an online performance profiling approach specifically tailored for large-scale cloud computing systems. P-Tracer constructs a specific search engine that adopts a proactive way to process performance logs and generates particular indices for fast queries; furthermore, PTracer provides users with a suite of web-based interfaces to query statistical information of all kinds of services, which helps them quickly and intuitively understand system behavior. The approach has been successfully applied in Alibaba Cloud Computing Inc. to conduct online performance profiling both in production clusters and test clusters. Experience with one real-world case demonstrates that P-Tracer can effectively and efficiently help users conduct performance profiling and localize the primary causes of performance anomalies.

Federico Alessi,Alessandro Tundo,Marco Mobilio,Oliviero Riganelli,Leonardo Mariani

2024-05-23

Abstract:Modern distributed systems are highly dynamic and scalable, requiring monitoring solutions that can adapt to rapid changes. Monitoring systems that rely on external probes can only achieve adaptation through expensive operations such as deployment, undeployment, and reconfiguration. This poster paper introduces ReProbes, a class of adaptive monitoring probes that can handle rapid changes in data collection strategies. ReProbe offers controllable and configurable self-adaptive capabilities for data transmission, collection, and analysis methods. The resulting architecture can effectively enhance probe adaptability when qualitatively compared to state-of-the-art monitoring solutions.

Software Engineering

Dajia Peng,Yunlong Feng,Yong Liu,Xin Liu,Wei Xue,Dexun Chen,Jiawei Song,Zuoning Chen

DOI: https://doi.org/10.1109/tpds.2022.3157690

IF: 5.3

2022-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:This article presents Jdebug, a fast, non-intrusive and scalable fault locating tool for extreme-scale parallel applications. Large-scale debugging has drawn more attention with the increasing scale of supercomputers and applications. To eliminate program intrusion caused by traditional instrumentation or interception during debugging information acquisition, we introduce the out-of-band management into large-scale debugging. We propose a rapid information gathering scheme that separates user and debugging traffic to solve scalability problem and to eliminate program interference during merging data. Observations of Program Counters (PC) and performance characteristics in suspended applications find abnormalities and help locate abnormal threads caused by software errors or hardware failures effectively. Evaluation shows that Jdebug collects PCs of over 20 million cores on the new Sunway supercomputer within 1.97 seconds, and can locate the abnormal threads in 1.4 seconds with an accuracy of 92.5%. In the running test of three fundamental benchmarks (HPL, HPCG, Graph500) and seventeen real-world applications, Jdebug quickly and accurately locates abnormal threads to help find scalability errors and hardware failures including memory access failures, communication failures, and execution component failures, which validates its effectiveness.

computer science, theory & methods,engineering, electrical & electronic

Tao Yan,Qingguo Xu,Jiyu Luo,Jingwei Sun,Guangzhong Sun

DOI: https://doi.org/10.1109/IPDPSW59300.2023.00123

2023-01-01

Abstract:Tracing is a basic approach to analyzing performance and understanding MPI program behavior patterns. However, MPI event trace requires increasingly large storage space as the parallel scale grows. Besides MPI event trace, many performance analysis tasks (e.g., performance variance detection, proxy synthesis) also require detailed runtime performance metrics, which further aggravates the storage issue. In this paper, we propose a scalable tracing tool to effectively record and compress MPI event trace and related runtime performance metrics. The tool analyzes the data redundancy caused by loops and SPMD (single program multiple data) property of MPI programs. According to the analysis, the tool can compactly reorganize and store the data. Compared with existing trace compression methods, our tool can achieve generally higher compression ratio and less time cost.

Weina Niu,Zhenqi Yu,Zimu Li,Beibei Li,Runzi Zhang,Xiaosong Zhang

DOI: https://doi.org/10.1109/globecom48099.2022.10000804

2022-01-01

Abstract:Information systems have penetrated into all areas of social life, however, unknown threats represented by APT attacks pose serious challenges to their security. In recent years, approaches based on log analysis and provenance graph have been extensively used in the anomaly detection and tracing of malicious attacks. However, traditional method has low detection accuracy, high complexity and low efficiency. To address those shortcomings, we propose an efficient anomaly tracing approach (LogTracer), which combines system log detection and provenance graph together. The proposed LogTracer extracts the attack path from provenance graph, which is constructed with the anomaly degrees of the system logs anomaly detection results. Compar-ative experiments with OmegaLog, NoDoze and ALchemist are conducted on a simulated dataset with 16 attack types totaling 290 million logs. The experimental results show that our method approximately 5.4x, 0.2x and 7.2x faster than these three methods in processing efficiency, and its malicious node coverage rate reaches 98.1%.