Pin is a platform for creating analysis tools. A pin tool comprises instrumentation, analysis and callback routines. Instrumentation routines are called when code that has not yet been recompiled is about to be run, and enable the insertion of analysis routines. Analysis routines are called when the code associated with them is run. Callback routines are only called when specific conditions are met, or when a certain event has occurred. Pin provides an extensive application programming interface (API) for instrumentation at different abstraction levels, from one instruction to an entire binary module. It also supports callbacks for many events such as library loads, system calls, signals/exceptions and thread creation events.
Pin performs instrumentation by taking control of the program just after it loads into memory. It then just-in-time (JIT) recompiles small sections of the binary code just before they are run. New instructions to perform analysis, which come from the Pintool, are added to the recompiled code. A large array of optimization techniques is used to obtain the lowest possible running time and memory use overhead. As of June 2010, Pin's average base overhead is 30 percent (without running a pintool).
Features
Instrumentation modes
Pin supports two modes of instrumentation called JIT mode and Probe mode. JIT mode supports all features of Pin, while Probe mode supports a limited feature set but is far faster, adding almost no overhead to the program's running time. JIT mode uses a just-in-time compiler to recompile all program code and insert instrumentation, while Probe mode uses code trampolines for instrumentation.
Platform independence
Pin was designed for tool portability, and despite JIT compiling from one ISA to the same ISA (and not using a single intermediate representation for all code), most of its APIs are architecture and operating system independent. It was also designed to be portable itself, carefully isolating platform-specific code from generic code, allowing the fast adaptation of Pin to new platforms. Approximately half of the code is generic and the rest is either architecture or OS dependent.
Optimizations
Pin uses many techniques to optimize instrumentation and analysis code, such as inlining, liveness analysis and smart register spilling. Pin performs these optimizations automatically whenever possible, without needing users to insert any extra code to allow inlining. Naturally, some optimizations still require user hints, and some code structures are easier to inline than others. Direct linking of jitted code sections, a technique called trace linking, and register binding reconciliation, which minimizes register spilling and remapping, are also used.
Ease of use
Pin's API and implementation are focused on making pin tools easy to write. Pin takes full responsibility for assuring that the instrumentation code from the pin tool does not affect the application state. Also, the API enables instrumentation code to request many pieces of information from Pin. For example, the instrumentation code in the pin tool can use the Pin API to get the memory address being accessed by an instruction, without having to examine the instruction in detail.
Tools
There are many Pintools that are used for varying tasks.
- Components of Intel Parallel Studio make heavy use of pintools for memory debugging, performance analysis, multithreading correctness analysis and parallelization preparation.
- Intel Software Development Emulator is a pintool that enables the development of applications using instruction set extensions that are not currently implemented in hardware.
- CMP$IM is a cache profiler built using pin.
- PinPlay enables the capture and deterministic replay of the running of multithreaded programs under pin. Capturing the running of a program helps developers overcome the non-determinism inherent in multithreading.
- Pin itself comes with many example tools that make use of its abilities. These tools are licensed under a BSD-like license.
Uses
Uses as a Defence Mechanism
Some scholars think that Pin, or binary instrumentation techniques in general, can be used to detect malware. Unlike traditional antivirus software, which scans files to detect viruses, tools like Pin can scan a program's resources for abnormalities and thereby detect malware.
Utilizing System Resource Monitoring
Unlike traditional techniques of scanning files, this approach doesn't need to be updated regularly, and it detects malware more efficiently than burdening the processor by scanning all the files. It keeps track of the system's resources used by a program and terminates the program if its resource usage goes beyond a given threshold limit. An advantage of this approach is that it can be implemented inside a program itself or in an antivirus.
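The split between instrumentation routines (run once, when code is first recompiled) and analysis routines (run every time that code executes), described at the top of this article, and the threshold-based termination described in this section, can be seen together in a toy model. This is an added example, not code from Pin or from the original article; it does not use the Pin API, and every name in it (`Block`, `run`, `samplePath`, the store-count `limit`) is hypothetical.

```cpp
// Toy model of JIT-mode instrumentation; added example, not the Pin API.
#include <cstdio>
#include <functional>
#include <map>
#include <utility>
#include <vector>

enum class Op { Alu, Load, Store };
using Block = std::vector<Op>;                      // one straight-line code section
using Analysis = std::function<void()>;             // analysis routine on one instruction
using Jitted = std::vector<std::vector<Analysis>>;  // hooks for each instruction

struct Stats { long instrumented = 0; long stores = 0; bool killed = false; };

// Constructed sample: block 0 = setup, block 1 = loop body, block 2 = exit.
std::vector<Block> sampleProgram() {
    return {{Op::Alu, Op::Store}, {Op::Load, Op::Alu, Op::Store, Op::Store}, {Op::Alu}};
}
// Constructed control flow: block 0, then block 1 `iters` times, then block 2.
std::vector<int> samplePath(int iters) {
    std::vector<int> p{0};
    for (int i = 0; i < iters; ++i) p.push_back(1);
    p.push_back(2);
    return p;
}
// Executes `path`; terminates the program once stores exceed `limit`.
Stats run(const std::vector<Block>& prog, const std::vector<int>& path, long limit) {
    Stats st;
    std::map<int, Jitted> cache;            // code cache of already recompiled blocks
    for (int id : path) {
        auto it = cache.find(id);
        if (it == cache.end()) {
            // Instrumentation routine: runs once, when a block is first reached.
            Jitted j;
            for (Op op : prog[id]) {
                std::vector<Analysis> hooks;
                if (op == Op::Store) hooks.push_back([&st] { ++st.stores; });
                j.push_back(std::move(hooks));
            }
            ++st.instrumented;
            it = cache.emplace(id, std::move(j)).first;
        }
        // Running the cached block: analysis routines fire on every execution.
        for (const auto& hooks : it->second) {
            for (const auto& hook : hooks) hook();
            if (st.stores > limit) { st.killed = true; return st; }
        }
    }
    return st;
}
int main() {
    Stats s = run(sampleProgram(), samplePath(100), 50);
    std::printf("instrumented=%ld stores=%ld killed=%d\n", s.instrumented, s.stores, s.killed);
}
```

The loop body executes 100 times but is instrumented only once, which is why the cost of instrumentation is amortized while the cost of analysis routines scales with execution count.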
Alternatives to Pin Tool
There are many other tools available to collect the resource usage of running programs on the system, such as Bell Lab's strapon tool and the Dyninst tool. Bell Lab's tool uses the strap-on technology, which runs a tool to collect resources simultaneously with the program, but this tool is only compatible with programs that allow other programs to run simultaneously with them. The Dyninst tool uses binary rewriting of the program's executable and implementable commands inside the program to check for resource usage, and is very efficient. However, it is very unstable, as it is a relatively new tool, and it crashes on large-scale programs. Lastly, the Intel Pin tool uses static binary instrumentation and runs the program as a part of itself while keeping track of all its resources. This approach is more suitable for an antivirus, as it can easily run all the processes under itself and can kill programs if they reach a maximum allocated limit as defined by the antivirus.
See also
- Dynamic program analysis
- Valgrind
- DynamoRIO
External links
- Pin: a dynamic binary instrumentation tool home page
- Pinheads, a mailing list for the Pin users community
- Detecting Read-Before-Write Bugs (a la Valgrind)
- Pin++, a framework for authoring Pintools