Ptrace

Last updated

ptrace is a system call found in Unix and several Unix-like operating systems. By using ptrace (an abbreviation of "process trace") one process can control another, enabling the controller to inspect and manipulate the internal state of its target. ptrace is used by debuggers and other code-analysis tools, mostly as aids to software development.

Contents

Uses

ptrace is used by debuggers (such as gdb and dbx), by tracing tools like strace and ltrace, and by code coverage tools. ptrace is also used by specialized programs to patch running programs, to avoid unfixed bugs or to overcome security features. It can further be used as a sandbox [1] [2] and as a run-time environment simulator (like emulating root access for non-root software [2] [3] ).

By attaching to another process using the ptrace call, a tool has extensive control over the operation of its target. This includes manipulation of its file descriptors, memory, and registers. It can single-step through the target's code, can observe and intercept system calls and their results, and can manipulate the target's signal handlers and both receive and send signals on its behalf. The ability to write into the target's memory allows not only its data store to be changed, but also the application's own code segment, allowing the controller to install breakpoints and patch the running code of the target. [4]

As the ability to inspect and alter another process is very powerful, ptrace can attach only to processes that the owner can send signals to (typically only their own processes); the superuser account can ptrace almost any process (except init on kernels before 2.6.26). In Linux systems where POSIX capabilities are used, the ability to ptrace is further limited by the CAP_SYS_PTRACE capability [5] or by the YAMA Linux Security Module. [6] In FreeBSD, it is limited by FreeBSD jails and Mandatory Access Control policies.

Limitations

Communications between the controller and target take place using repeated calls of ptrace, passing a small fixed-size block of memory between the two (necessitating two context switches per call); this is acutely inefficient when accessing large amounts of the target's memory, as this can only be done in word sized blocks (with a ptrace call for each word). [7] For this reason the 8th edition of Unix introduced procfs, which allows permitted processes direct access to the memory of another process - 4.4BSD followed, and the use of /proc for debugger support was inherited by Solaris, BSD, and AIX, and mostly copied by Linux. [7] Some, such as Solaris, have removed ptrace as a system call altogether, retaining it as a library call that reinterprets calls to ptrace in terms of the platform's procfs. [8] Such systems use ioctls on the file descriptor of the opened /proc file to issue commands to the controlled process. [8] FreeBSD, on the other hand, extended ptrace to remove mentioned problems, and declared procfs obsolete due to its inherent design problems.[ vague ][ citation needed ]

ptrace only provides the most basic interface necessary to support debuggers and similar tools. Programs using it must have intimate knowledge of the specifics of the OS and architecture, including stack layout, application binary interface, system call mechanism, name mangling, the format of any debug data, and are responsible for understanding and disassembling machine code themselves. Further, programs that inject executable code into the target process or (like gdb) allow the user to enter commands that are executed in the context of the target must generate and load that code themselves, generally without the help of the program loader.

Support

Unix and BSD

ptrace was first implemented in Version 6 Unix, [9] and was present in both the SVr4 and 4.3BSD branches of Unix. [5] ptrace is available as a system call on IRIX, [10] IBM AIX, [11] NetBSD, [12] FreeBSD, [13] OpenBSD, [14] and Linux. [5] ptrace is implemented as a library call on Solaris, built on the Solaris kernel's procfs filesystem; Sun notes that ptrace on Solaris is intended for compatibility, and recommends that new implementations use the richer interface that proc supplies instead. [8] UnixWare also features a limited ptrace [15] but like Sun, SCO recommends implementers use the underlying procfs features instead. [16] HP-UX supported ptrace until release 11i v3 (it was deprecated in favour of ttrace, a similar OS-specific call, in 11i v1). [17]

macOS

Apple's macOS also implements ptrace as a system call. Apple's version adds a special option PT_DENY_ATTACH – if a process invokes this option on itself, subsequent attempts to ptrace the process will fail. [18] Apple uses this feature to limit the use of debuggers on programs that manipulate DRM-ed content, including iTunes. [19] PT_DENY_ATTACH on also disables DTrace's ability to monitor the process. [20] Debuggers on OS X typically use a combination of ptrace and the Mach VM and thread APIs. [21] ptrace (again with PT_DENY_ATTACH) is available to developers for the Apple iPhone. [22]

Linux

Linux also gives processes the ability to prevent other processes from attaching to them. Processes can call the prctl syscall and clear their PR_SET_DUMPABLE flag; in later kernels this prevents non-root processes from ptracing the calling process; the OpenSSH authentication agent uses this mechanism to prevent ssh session hijacking via ptrace. [23] [24] [25] Later Ubuntu versions ship with a Linux kernel configured to prevent ptrace attaches from processes other than the traced process' parent; this allows gdb and strace to continue to work when running a target process, but prevents them from attaching to an unrelated running process. [23] Control of this feature is performed via the /proc/sys/kernel/yama/ptrace_scope setting. [23] On systems where this feature is enabled, commands like "gdb --attach" and "strace -p" will not work.

Starting in Ubuntu 10.10, ptrace is only allowed to be called on child processes. [23]

Android

For some Android phones with a locked boot loader, ptrace is used to gain control over the init process to enable a '2nd boot' and replace the system files.[ citation needed ]

Related Research Articles

<span class="mw-page-title-main">Executable and Linkable Format</span> Standard file format for executables, object code, shared libraries, and core dumps.

In computing, the Executable and Linkable Format, is a common standard file format for executable files, object code, shared libraries, and core dumps. First published in the specification for the application binary interface (ABI) of the Unix operating system version named System V Release 4 (SVR4), and later in the Tool Interface Standard, it was quickly accepted among different vendors of Unix systems. In 1999, it was chosen as the standard binary file format for Unix and Unix-like systems on x86 processors by the 86open project.

<span class="mw-page-title-main">GNU Debugger</span> Source-level debugger

The GNU Debugger (GDB) is a portable debugger that runs on many Unix-like systems and works for many programming languages, including Ada, Assembly, C, C++, D, Fortran, Haskell, Go, Objective-C, OpenCL C, Modula-2, Pascal, Rust, and partially others.

In computing, a core dump, memory dump, crash dump, storage dump, system dump, or ABEND dump consists of the recorded state of the working memory of a computer program at a specific time, generally when the program has crashed or otherwise terminated abnormally. In practice, other key pieces of program state are usually dumped at the same time, including the processor registers, which may include the program counter and stack pointer, memory management information, and other processor and operating system flags and information. A snapshot dump is a memory dump requested by the computer operator or by the running program, after which the program is able to continue. Core dumps are often used to assist in diagnosing and debugging errors in computer programs.

<span class="mw-page-title-main">System call</span> Way for programs to access kernel services

In computing, a system call is the programmatic way in which a computer program requests a service from the operating system on which it is executed. This may include hardware-related services, creation and execution of new processes, and communication with integral kernel services such as process scheduling. System calls provide an essential interface between a process and the operating system.

The Open Sound System (OSS) is an interface for making and capturing sound in Unix and Unix-like operating systems. It is based on standard Unix devices system calls. The term also sometimes refers to the software in a Unix kernel that provides the OSS interface; it can be thought of as a device driver for sound controller hardware. The goal of OSS is to allow the writing of sound-based applications that are agnostic of the underlying sound hardware.

<span class="mw-page-title-main">Kernel panic</span> Fatal error condition associated with Unix-like computer operating systems

A kernel panic is a safety measure taken by an operating system's kernel upon detecting an internal fatal error in which either it is unable to safely recover or continuing to run the system would have a higher risk of major data loss. The term is largely specific to Unix and Unix-like systems. The equivalent on Microsoft Windows operating systems is a stop error, often called a "blue screen of death".

<span class="mw-page-title-main">/dev/random</span> Pseudorandom number generator file in Unix-like operating systems

In Unix-like operating systems, /dev/random and /dev/urandom are special files that serve as cryptographically secure pseudorandom number generators. They allow access to a cryptographically secure pseudorandom number generator that is seeded with entropy from environmental noise, collected from device drivers and other sources. /dev/random typically blocks if there was less entropy available than requested; more recently. It usually blocks at startup until sufficient entropy has been gathered, then unblocks permanently. The /dev/urandom device typically was never a blocking device, even if the pseudorandom number generator seed was not fully initialized with entropy since boot. Not all operating systems implement the same methods for /dev/random and /dev/urandom.

<span class="mw-page-title-main">DTrace</span> Dynamic tracing framework for kernel and applications

DTrace is a comprehensive dynamic tracing framework originally created by Sun Microsystems for troubleshooting kernel and application problems on production systems in real time. Originally developed for Solaris, it has since been released under the free Common Development and Distribution License (CDDL) in OpenSolaris and its descendant illumos, and has been ported to several other Unix-like systems.

The proc filesystem (procfs) is a special filesystem in Unix-like operating systems that presents information about processes and other system information in a hierarchical file-like structure, providing a more convenient and standardized method for dynamically accessing process data held in the kernel than traditional tracing methods or direct access to kernel memory. Typically, it is mapped to a mount point named /proc at boot time. The proc file system acts as an interface to internal data structures about running processes in the kernel. In Linux, it can also be used to obtain information about the kernel and to change certain kernel parameters at runtime (sysctl).

In computing, ioctl is a system call for device-specific input/output operations and other operations which cannot be expressed by regular file semantics. It takes a parameter specifying a request code; the effect of a call depends completely on the request code. Request codes are often device-specific. For instance, a CD-ROM device driver which can instruct a physical device to eject a disc would provide an ioctl request code to do so. Device-independent request codes are sometimes used to give userspace access to kernel functions which are only used by core system software or still under development.

In computing, a dynamic linker is the part of an operating system that loads and links the shared libraries needed by an executable when it is executed, by copying the content of libraries from persistent storage to RAM, filling jump tables and relocating pointers. The specific operating system and executable format determine how the dynamic linker functions and how it is implemented.

strace Diagnostic, debugging and instructional userspace utility for Linux

strace is a diagnostic, debugging and instructional userspace utility for Linux. It is used to monitor and tamper with interactions between processes and the Linux kernel, which include system calls, signal deliveries, and changes of process state. The operation of strace is made possible by the kernel feature known as ptrace.

KGDB is a debugger for the Linux kernel and the kernels of NetBSD and FreeBSD. It requires two machines that are connected via a serial connection. The serial connection may either be an RS-232 interface using a null modem cable, or via the UDP/IP networking protocol. The target machine runs the patched kernel and the other (host) machine runs gdb. The GDB remote protocol is used between the two machines.

chattr is the command in Linux that allows a user to set certain attributes of a file. lsattr is the command that displays the attributes of a file.

A kernel debugger is a debugger present in some operating system kernels to ease debugging and kernel development by the kernel developers. A kernel debugger might be a stub implementing low-level operations, with a full-blown debugger such as GNU Debugger (gdb), running on another machine, sending commands to the stub over a serial line or a network connection, or it might provide a command line that can be used directly on the machine being debugged.

<span class="mw-page-title-main">Unix</span> Family of computer operating systems

Unix is a family of multitasking, multi-user computer operating systems that derive from the original AT&T Unix, whose development started in 1969 at the Bell Labs research center by Ken Thompson, Dennis Ritchie, and others.

<span class="mw-page-title-main">OpenZFS</span> Open-source implementation of the ZFS file system

OpenZFS is an open-source implementation of the ZFS file system and volume manager initially developed by Sun Microsystems for the Solaris operating system and now maintained by the OpenZFS Project. It supports features like data compression, data deduplication, copy-on-write clones, snapshots, and RAID-Z. It also supports the creation of virtual devices, which allows for the creation of file systems that span multiple disks.

ftrace is a tracing framework for the Linux kernel. Although its original name, Function Tracer, came from ftrace's ability to record information related to various function calls performed while the kernel is running, ftrace's tracing capabilities cover a much broader range of kernel's internal operations.

References

  1. sydbox
  2. 1 2 PRoot
  3. "Fakeroot NG" . Retrieved 2020-05-12.
  4. For example retty uses ptrace to alter another process' file descriptors, and to inject executable code into the target's text segment
  5. 1 2 3 "ptrace(2) manpage", Linux manual section 2
  6. "Yama – The Linux Kernel documentation". www.kernel.org. Retrieved 2023-03-15.
  7. 1 2 The Design and Implementation of the 4.4 BSD Operating System, Marshall Kirk McKusick, Keith Bostic, Michael J. Karels, John Quarterman, Addison-Wesley, April 1996, ISBN   0-201-54979-4
  8. 1 2 3 "ptrace() Request Values", Solaris Transition Guide, Sun Microsystems, 2000
  9. "Ptrace page from Section 2 of the unix-6th manual".
  10. "ptrace(2)", IRIX 6.5 manual, section 2, SGI techpubs library
  11. "ptrace,ptracex,ptrace64 subroutine", IBM AIX Technical Reference: Base Operating System and Extensions, Volume 1
  12. ptrace(2), netbsd manual, section 2
  13. , FreeBSD manual, section 2
  14. "ptrace(2)", OpenBSD manual, section 2
  15. ptrace(2), SCO UnixWare 7 manual, section 2
  16. "System call compatibility notes" Archived 2011-07-16 at the Wayback Machine , UnixWare 7 Documentation
  17. "ptrace() System Call (Obsolete)", HP-UX 11i Version 3 Release Notes: HP 9000 and HP Integrity Servers, Hewlett Packard, February 2007
  18. "ptrace(2) manual page", Apple Darwin/OS-X manual
  19. "Owning the Fanboys : Hacking Mac OS X", Charlie Miller, Black Hat Briefings conference 2008
  20. "Apple 'breaks' Sun developer app", Matthew Broersma, Computerworld UK , 24 January 2008
  21. Chapter 9, Mac OS X internals: a systems approach, Amit Singh, ISBN   978-0-321-27854-8, Addison Wesley, 2006
  22. "ptrace(2)", BSD System Calls Manual, Apple iPhone OS Reference Library
  23. 1 2 3 4 "KernelHardening", Ubuntu security team roadmap
  24. "prctl(2)", Linux programmer's manual, section 2
  25. "PATCH ptrace: allow restriction of ptrace scope" posting by Canonical Ltd. engineer Kees Cook, Linux Kernel mailing list, June 16, 2010
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.