Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to facilitate malware detection using compressed data. An example apparatus includes an input processor to obtain a model, the model identifying a first sequence associated with a first trace of data known to be repetitive, a sequence identifier to identify a second sequence associated with a second trace of data, a comparator to compare the first sequence with the second sequence, and an output processor to when the first sequence matches the second sequence, transmit an encoded representation of the second sequence to the central processing facility using a first channel of communication, and when the first sequence fails to match the second sequence, transmit the second sequence to the central processing facility using a second channel of communication, the second sequence to be analyzed by the central processing facility to identify whether the second sequence is indicative of malware.

Abstract: An approach for determining a trace of a system dump. The approach receives a system dump request, wherein the system dump request includes performing, by one or more computer processors, a system dump utilizing a dumping tool, wherein the system dump includes a trace wherein the trace comprises one or more trace entries collected in a trace table. The approach determines an initial trace of the system dump. The approach determines a time period to collect trace entries following the system dump. The approach determines an updated trace table. The approach determines an extra trace utilizing an exit program.

Abstract: Systems and methods for modeling memory access behavior and memory traffic timing behavior are disclosed. According to an aspect, a method includes receiving data indicative of memory access behavior resulting from instructions executed on a processor. The method also includes determining a statistical profile of the memory access behavior, the profile including tuple statistics of memory access behavior. Further, the method includes generating a clone of the executed instructions based on the statistical profile for use in simulating the memory access behavior.

Abstract: Analysis system, analysis method and program. The system includes: trace means for acquiring a command issued by software executed in an information processing system and a physical address of a memory used by the command as trace data, and recording the trace data to storage means; event detecting means for detecting an event caused to occur by the software and acquiring event information; conversion means for converting the event information to a memory access pattern configured with a plurality of commands for accessing the memory and a plurality of physical addresses; and memory accessing means for accessing the memory using the converted memory access pattern, causing the trace means to acquire trace data and record the trace data to the storage means.

Abstract: Analysis system, analysis method and program. The system includes: trace means for acquiring a command issued by software executed in an information processing system and a physical address of a memory used by the command as trace data, and recording the trace data to storage means; event detecting means for detecting an event caused to occur by the software and acquiring event information; conversion means for converting the event information to a memory access pattern configured with a plurality of commands for accessing the memory and a plurality of physical addresses; and memory accessing means for accessing the memory using the converted memory access pattern, causing the trace means to acquire trace data and record the trace data to the storage means.

Abstract: Various embodiments test an optimized binary module. In one embodiment, a region in a set of original binary code of an original binary module in which branch coverage is expected to be achieved is selected based on a set of profile information. The region is selected as a target region to be optimized. An optimized binary module is created, where the target region has been optimized in the optimized binary module. The optimized binary module is verified by synchronizing execution of the optimized binary module with execution of the original binary module at a checkpoint while executing both the optimized binary module and the original binary module. The optimized binary module is further verified by comparing an output from executing the optimized binary module to an output from executing the original binary module.

Abstract: Various embodiments test an optimized binary module. In one embodiment, a region in a set of original binary code of an original binary module in which branch coverage is expected to be achieved is selected based on a set of profile information. The region is selected as a target region to be optimized. An optimized binary module is created, where the target region has been optimized in the optimized binary module. The optimized binary module is verified by synchronizing execution of the optimized binary module with execution of the original binary module at a checkpoint while executing both the optimized binary module and the original binary module. The optimized binary module is further verified by comparing an output from executing the optimized binary module to an output from executing the original binary module.

Abstract: One or more circular debug buffers can allow terminal output data to be provided from the target system to a host without halting the target system or causing significant delays. One or more circular debug buffers may also allow input (such as keyboard input) to be provided from the host to the target without halting the target system or causing significant delays. Accordingly, communications between the target and host may be performed in real time or near real time. These communications may be used for debugging purposes or more generally, for any purpose, including purposes unrelated to debugging.

Abstract: In an embodiment, a peripheral component may include multiple sources of commands, such as command queues and/or macro memories. The commands may be performed in the peripheral component and may result in an error. The peripheral component may include a trace queue into which the commands may be written, independent of the source of the commands. Thus, the trace queue may provide a record of recently performed commands.

Abstract: The problem signature extraction technique extracts problem signatures from trace data collected from an application. The technique condenses the manifestation of a network, software or hardware problem into a compact signature, which could then be used to identify instances of the same problem in other trace data. For a network configuration, the technique uses as input a network-level packet trace of an application's communication and extracts from it a set of features. During the training phase, each application run is manually labeled as GOOD or BAD, depending on whether the run was successful or not. The technique then employs a learning technique to build a classification tree not only to distinguish between GOOD and BAD runs but to also sub-classify the BAD runs into different classes of failures. Once a classification tree has been learned, problem signatures are extracted by walking the tree, from the root to each leaf.

Abstract: A temporal rule-based feature extraction system and method for extracting features from temporal-based rules satisfied by a trace. Once a temporal-based rule is found that is satisfied by the trace, then embodiments of the temporal rule-based feature extraction system and method leverage that rule to either use as a feature or to extract additional features. The extracted feature then is used to characterize the trace. Embodiments of the system include a feature definition module, which defines features based on the temporal-based rules satisfied by a trace, and a similarity measure module, which defines a similarity measure for the defined features. The defined features include both extrinsic features, which are based on extrinsic properties of the rule, and intrinsic features, which are based on intrinsic properties of the rule. The similarity module generates similarity measures that indicate the similarity of two traces.

Abstract: A method for selectively generating trace data is disclosed. Such a method includes executing a first module on a processor. The processor is operably coupled to a memory storing the first module and one or more branch modules. The method further includes detecting the execution of an instruction of the first module to execute a branch module. In response to detecting execution of the instruction, traces of branch modules subsequently executed by the processor are generated. Upon detecting a return of execution by the processor to the first module, the generation of traces is terminated and a trace report is generated. A corresponding apparatus and computer program product are also disclosed herein.

Abstract: A data processing system has a trace message filtering circuit. A method includes: receiving a current page address corresponding to a current instruction in a sequence of instructions; determining that the current page address is for a different page of memory than a previous page address corresponding to a previous instruction in the sequence of instructions; comparing the current page address with a plurality of page addresses stored in a message filtering circuit; and when the current page address is determined to be different than any of the plurality of page addresses, storing the current page address in the message filtering circuit.

Abstract: A method of detecting a fault attack including generating a first signature of a first group of data values by performing a single commutative non-Boolean arithmetic operation between all the data values of the first group; generating a second set of data values by performing a permutation of the first set of data values; generating a second signature of the second group of data values by performing said single commutative non-Boolean arithmetic operation between all the data values of the second group; and comparing the first and second signatures to detect a fault attack.

Abstract: A data processing system and method generates debug messages by permitting an external debug tool to have real-time trace functionality. A data processor executes a plurality of data processing instructions and uses a memory for information storage. Debug module generates debug messages including address translation trace messages. A memory management unit has address translation logic for implementing address translation to translate addresses between virtual and physical forms. The debug module includes message generation module that is coupled to the memory management unit for receiving notice when one or more address translation mappings are modified. The message generation module generates an address translation trace message in response to a detection of a modification of an address translation mapping occurs and provides the address translation trace message external to the debug module.

Abstract: A data processing system and method generates debug messages by permitting an external debug tool to have real-time trace functionality. A data processor executes a plurality of data processing instructions and uses a memory for information storage. Debug circuitry generates debug messages including address translation trace messages. A memory management unit has address translation logic for implementing address translation to translate addresses between virtual and physical forms. The debug circuitry includes message generation circuitry that is coupled to the memory management unit for receiving notice when one or more address translation mappings are modified. The message generation circuitry generates an address translation trace message in response to a detection of a modification of an address translation mapping occurs and provides the address translation trace message external to the debug circuitry.

Abstract: A data processing system and method includes a data processor and memory that are coupled to debug circuitry that generates debug messages including address translation trace messages. A memory management unit (MMU) includes a translation lookaside buffer (TLB) for implementing address translation to translate addresses between virtual and physical forms. The debug circuitry includes message generation circuitry coupled to the MMU for receiving notice when TLB entries are modified and generating both an address translation trace message and a corresponding program correlation message containing at least one of branch history information and instruction count information. The branch history information is a history of direct branch instructions that are executed and whether, when executed, the direct branch instructions were taken. The instruction count information is a count of one or more data processing instructions executed up to a point in time when a new TLB entry is established in the TLB.

Abstract: Techniques to ascertain physical cabling connections of electronic systems are provided for situations where there are numerous systems interconnected by a very large number of electrical or optical cables. A cable identifying code is inserted into a message sent from a local endpoint system to remote endpoint system over the identified cable. Each intermediate system that is in the interconnection path between the two endpoint systems of interest appends its code for the cable connected to the I/O port from which the message will egress that system and be sent to the next system along the path. The remote endpoint system receives the message which now contains codes for all the cables transited along the path, extract the codes, and thereby determines the exact cabling used in the interconnection of the two endpoint systems.