Monday, 1 December 2008

Application "HotSpots"

A great tool in the binutils package is gprof (The GNU Profiler). Gprof is a profiling program which collects and arranges statistics on a program.

The GNU Profiler is a tool that can be utilized in order to preform an analysis of a program execution. In secure code analysis and audit, malware analysis as well as other code analysis functions, this may be used to determine the program "hotspots". These are the functions that require more processing time or run-time then the rest of the application.

Hotspots are commonly the functions that are the most mathematically or I/O instensive. Where a program uses a crypto function, the processing time will increase.

Timing studies may also be used in the analysis of a cryptographic key.

gprof is not a debugger
You will need to have a working program to optimize that program. Malware analysis requires that you first reverse the code and then reassemble or recompile the code with debugging enabled. This is not an easy task and I am not going to cover this in this post.

To run gprof use the following syntax:


gprof options [executable-file [profile-data-files...]] [> outfile]
There are a number of ways to profile a program. These are listed below:

Time Profilers:
  • These provide statistics as to where a program has spent its time
  • This may also be used to determine which functions called which other functions while it was executing
  • The profiler will count how many times a program function was called and which function called it.
Space Profiler:
  • This is also known as “heap profiling” or “memory profiling
  • Space profiling is useful to help you reduce the amount of memory your program uses
  • Space profiling stops the execution and examines the stack whenever a page of memory is allocated
  • This allows it to collect data concerning the function that has been requested.
Whence the data has been collected by a profiler, an interpreter needs to be used in order to convert the data into a format that can be used. There are both text and graphical display options with gprof.

Reporting
The output from gprof may be displayed in three report formats:
  1. A flat file report listing total execution times and call counts for all functions,
  2. A list of the functions called sorted using the time associated with each function (and the children of that function),
  3. A list of the cycles. This displays the members of the cycles and the associated call counts.
The output is sent to standard out by default, but may be redirected to a file etc.

No comments: