ProfilingHow do you know what your program does?How much time does your program spend in which function?How often are specific functions called?What can this tell us?Which functions take more/less time than you expected?Which functions get called more/less than you expected?1ProfilingProfiling requirescompiling and linking the program with profiling enabledrunning the program to generate profiling datarunning a profiler (e.g., gprof ) to analyze the profiling data2ProfilingProfiling can do more than just see how much time we spend wherehow often a function is calledetc.Profiling can be used to detect ongoing attackslet’s take a look at an attack as it unfolds in timethe demo is from an attack called hiperbomb2Let’s look at the latter first...3Page: Axel W. KringsSSGRR Presentation 2001Profiles!We view a system as a collection of profiles of its functionalities Pik is the number of functionalities active during !t!Functionality Profilefj(!t) is the number of times identity Fj has been invoked during !tPage: Axel W. KringsSSGRR Presentation 2001Attack Signatures!Atomic Attacks Ai–the smallest attack technology unit–e.g. a port sweep, sequence of unsuccessful login attempts!Attack Signature Si–the portion of a profile that is attributable to Ai " is a one-to-one mapping from indices of Si to indices of the identities Fj profiledPage: Axel W. KringsSSGRR Presentation 2001!Attack Signature over Time–Example: “teardrop” (overlapping IP(TCP) fragments are formatted to cause reassembly crashes) Attack SignatureFunctions iTime [s]FrequencyA Three-Dimensional ProfileWhat does it look like?Page: Axel W. KringsSSGRR Presentation 2001!Example “teardrop” Attack SignatureFunctions iFrequencyPage: Axel W. KringsSSGRR Presentation 2001Real-Time Attack Recognition!Vector Analysis–Profile Pi(!t), Idle Signature S0(!t), and Attack Signature Si(!t) are vectors!“Strictly Speaking”–there are three possible scenariosPage: Axel W. KringsSSGRR Presentation 2001Signature Analysis–Relationship between Signatures –Common functions–Signature CorrelationPage: Axel W. KringsSSGRR Presentation 2001!Example “teardrop” vs. “bonk” –bonk: malformed IP header causes packet size violation upon reassembly–Note: scales differ–Correlation is 1.0Attack Signatureteardrop attackbonk attackPage: Axel W. KringsSSGRR Presentation 2001!Example “teardrop” vs. “gewse”–Gewse: (DoS - attack) floods identd on port 139–Note: scales differ–Correlation is 0.54Attack Signatureteardrop attackgewse attackPage: Axel W. KringsSSGRR Presentation 2001Correlation!“Some things seem too good to be true”ProfilingGNU Profiler: gprofUtility: gprof -b [ executableFile [ profileFile ] ]gprof generates a table of time and repetitions of each function in the executable executableFile based on the performance trace stored in the file profileFile. If profileFile or executableFile are omitted, "gmon.out" or "a.out" is assumed respectively. The executable file must have been compiled using the -pg option of gcc, which instructs the compiler to generate special code that writes a "gmon.out" file when the program runs. The gprof utility looks at this output file after the program has terminated and displays the information. The output of gprof is verbose (but helpful); to instruct gprof to be brief, use the -b option. 15ProfilingFor more information on GNU gprof check out http://www.cs.utah.edu/dept/old/texinfo/as/gprof.html#SEC1the rest of the profiling discussion presented here is based on their discussion and the examples are restatednote that the authors are using cc rather than gcc. Check your Linux system and you will likely see a link from cc to gcc16ProfilingExecution to generate profiling dataCompilation must specify the -pg optionthis option works with compilation and linkingDeterministic vs nondeterministic executiondoes you program depend on the value of arguments?how about other dependencies, e.g., time, file size, number of users etc. -- all of that may or will have changed the next time you run the programProgram must exit normally for the file gmon.out to be generated17ProfilingFlat Profileshows the total number of time spent in each functionunless explicitly indicated (-z option) zero time functions are not listeda function not compiled with -pg is indistinguishable from a function that was never called18Profilingexample from above cited source19Flat profile:Each sample counts as 0.01 seconds. % cumulative self self total time seconds seconds calls ms/call ms/call name 33.34 0.02 0.02 7208 0.00 0.00 open 16.67 0.03 0.01 244 0.04 0.12 offtime 16.67 0.04 0.01 8 1.25 1.25 memccpy 16.67 0.05 0.01 7 1.43 1.43 write 16.67 0.06 0.01 mcount 0.00 0.06 0.00 236 0.00 0.00 tzset 0.00 0.06 0.00 192 0.00 0.00 tolower 0.00 0.06 0.00 47 0.00 0.00 strlen 0.00 0.06 0.00 45 0.00 0.00 strchr 0.00 0.06 0.00 1 0.00 50.00 main 0.00 0.06 0.00 1 0.00 0.00 memcpy 0.00 0.06 0.00 1 0.00 10.11 print 0.00 0.06 0.00 1 0.00 0.00 profil 0.00 0.06 0.00 1 0.00 50.00 reportProfilingInterpretation of examplefunctions mcount and profile are part of profiling and their time represents pure profiling overheadcolumns% time: total execution time of program spent in this functioncumulative seconds: time spent in the function and everything above it in the tableself seconds: time spent in the function alone, which is the time that determines the position of the function in the listcalls: the total number of times the function was called. A function that was never called or was not compiled for profiling will show a blank field here.20ProfilingInterpretation of examplecolumns, cont.self ms/call: the average number of milliseconds spent in the function per calltotal ms/call: average number of ms spent in this function and its dependents per callname: the name of the function21ProfilingCall GraphA dependency graph reflecting the caller callee relationshipStatic call graphshows all dependancies the program impliesDynamic call graphthe call graph as it unfolds during execution 22Profilinggprof call graphshows ho