
Debugging

The systemcall ptrace(2)

The parent (the debugger) controls the child's execution by inspecting and changing the child's execution state while the child is stopped at the transition between user and kernel mode.

How debugging works

  • 1. fork() a child
  • 2. set the P_TRACED flag for the child by calling ptrace()
  • 3. the child calls execve() to load the image of the program being debugged
  • 4. the first instruction causes a hardware trap (SIGTRAP signal), which stops the child and informs the parent.
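The four steps above, written out on Linux as an added example (this is not code from the original notes): fork, PTRACE_TRACEME, execve, then the SIGTRAP stop in the parent. After that first stop the tracer resumes the child with PTRACE_SYSCALL and counts the stops it receives, which makes the cost the notes mention under "Inefficiencies" visible: every system call of the debuggee costs the tracer two stops (entry and exit) and the context switches that go with them. The program path `/bin/true`, the `trace_result` structure and the function names are my own; the example assumes Linux with glibc and that the environment permits a process to trace its own child (when it does not, the child's PTRACE_TRACEME fails and the result is reported with `traced == 0` instead of crashing).

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>

/* What the tracer observed about one traced run of a program
 * (constructed for this example; not part of the ptrace API). */
struct trace_result {
    int  traced;         /* 0 if the child could not be traced/exec'd */
    int  exit_status;    /* child's exit status, -1 if it did not exit normally */
    long syscall_stops;  /* number of syscall entry/exit stops seen by the tracer */
};

/* Steps 1-4: fork, mark the child traced, execve the debuggee, catch the
 * SIGTRAP the kernel delivers before the new image's first instruction runs.
 * Then keep resuming with PTRACE_SYSCALL and count the stops. */
struct trace_result trace_program(const char *path)
{
    struct trace_result r = { .traced = 1, .exit_status = -1, .syscall_stops = 0 };
    pid_t pid = fork();                                   /* step 1 */
    if (pid < 0) { r.traced = 0; return r; }
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)  /* step 2 */
            _exit(127);                                   /* tracing not permitted */
        char *const argv[] = { (char *)path, NULL };
        execv(path, argv);                                /* step 3 */
        _exit(126);                                       /* exec failed */
    }

    int status;
    if (waitpid(pid, &status, 0) == -1) { r.traced = 0; return r; }
    /* step 4: the child is stopped by SIGTRAP right after the successful execve */
    if (!WIFSTOPPED(status) || WSTOPSIG(status) != SIGTRAP) {
        r.traced = 0;                                     /* child exited 127/126 */
        if (WIFEXITED(status)) r.exit_status = WEXITSTATUS(status);
        return r;
    }
    /* Mark syscall stops as SIGTRAP|0x80 so they cannot be confused with a
     * real SIGTRAP raised inside the debuggee. */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);

    int sig = 0;   /* signal to deliver on resume; the exec SIGTRAP is swallowed */
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1) break;
        if (waitpid(pid, &status, 0) == -1) break;
        if (WIFEXITED(status)) { r.exit_status = WEXITSTATUS(status); break; }
        if (WIFSIGNALED(status)) break;
        sig = 0;
        if (WIFSTOPPED(status) && WSTOPSIG(status) == (SIGTRAP | 0x80))
            r.syscall_stops++;              /* one stop per syscall entry and per exit */
        else if (WIFSTOPPED(status))
            sig = WSTOPSIG(status);         /* a real signal: pass it on to the child */
    }
    return r;
}

int main(void)
{
    struct trace_result r = trace_program("/bin/true");
    if (!r.traced) {
        fprintf(stderr, "could not trace the child (ptrace not permitted or exec failed)\n");
        return 1;
    }
    printf("child exited with %d after %ld syscall stops\n", r.exit_status, r.syscall_stops);
    return 0;
}
```

Even a program as small as `/bin/true` produces a few dozen stops for the dynamic loader's system calls alone; each stop is a round trip through the kernel, which is the context-switch cost the notes list as the first inefficiency of this design.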

How the parent accesses the child

  • 1. the parent places its parameters in the "ipc" data structure.
  • 2. the parent calls ptrace()
  • 3. the child gets the "ipc" parameters.
  • 4. the child puts the result in "ipc" and calls wakeup on ipc --> this wakes up the parent
    This way the parent never has to write into the child's memory itself, which would conflict with the standard UNIX permissions.

Inefficiencies

  • Context switches
  • 32 bit read/write at a time, ...

/proc filesystem approach

    Here it is possible to:
  • read/write another process's memory directly.
  • copy pages into kernel memory.
  • copy pages from kernel memory into the parent's address space.
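To show the difference between the two approaches side by side, here is an added Linux example (my own code, not from the original notes) that serves both the "32 bit read/write at a time" point under Inefficiencies and the /proc approach above. A child process volunteers to be traced and stops itself; the parent then reads a constructed string out of the child's memory twice: once the ptrace way with PTRACE_PEEKDATA, which transfers one machine word per request (32 bit on the systems the notes describe, 64 bit on x86-64 Linux, so the number of requests grows with the length), and once through `/proc/<pid>/mem`, where the kernel copies the pages and a single pread() of any length suffices. The string `secret`, the function names and the return codes are assumptions of this example; it assumes Linux with glibc and reports "not permitted" rather than failing if the environment forbids tracing the child.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed sample data. After fork() the child has a copy of this at the
 * same virtual address, so the parent can name the address directly. */
static char secret[] = "ptrace reads one word per call";

/* ptrace way: one PEEKDATA request per sizeof(long) bytes, each a round trip
 * into the kernel. Returns the number of ptrace calls made, or -1 on error. */
long peek_bytes(pid_t pid, void *addr, void *out, size_t len)
{
    long calls = 0;
    size_t done = 0;
    while (done < len) {
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, (char *)addr + done, NULL);
        if (word == -1 && errno != 0) return -1;   /* -1 is also a legal word value */
        size_t chunk = len - done < sizeof word ? len - done : sizeof word;
        memcpy((char *)out + done, &word, chunk);
        done += chunk;
        calls++;
    }
    return calls;
}

/* /proc way: open /proc/<pid>/mem and read any length at once. The file
 * demands the same access rights as attaching with ptrace, which the tracer
 * already holds. Returns bytes read, or -1 on error. */
ssize_t proc_mem_read(pid_t pid, void *addr, void *out, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = pread(fd, out, len, (off_t)(uintptr_t)addr);
    close(fd);
    return n;
}

/* Fork a child that asks to be traced and stops itself, read `secret` out of
 * it both ways, and compare. Returns 0 if both copies match, 1 if tracing is
 * not permitted in this environment, -1 on any other failure. */
int compare_reads(long *ptrace_calls, ssize_t *proc_bytes)
{
    *ptrace_calls = -1;
    *proc_bytes = -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(127);
        raise(SIGSTOP);                     /* hand control to the parent */
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    if (!WIFSTOPPED(status))
        return (WIFEXITED(status) && WEXITSTATUS(status) == 127) ? 1 : -1;

    char via_ptrace[sizeof secret] = { 0 };
    char via_proc[sizeof secret] = { 0 };
    *ptrace_calls = peek_bytes(pid, secret, via_ptrace, sizeof secret);
    *proc_bytes = proc_mem_read(pid, secret, via_proc, sizeof secret);

    kill(pid, SIGKILL);                     /* done with the child; reap it */
    waitpid(pid, &status, 0);

    if (*ptrace_calls < 0 || *proc_bytes != (ssize_t)sizeof secret) return -1;
    return (memcmp(via_ptrace, secret, sizeof secret) == 0 &&
            memcmp(via_proc, secret, sizeof secret) == 0) ? 0 : -1;
}

int main(void)
{
    long calls;
    ssize_t bytes;
    int rc = compare_reads(&calls, &bytes);
    if (rc == 1) { fprintf(stderr, "tracing the child is not permitted here\n"); return 1; }
    if (rc != 0) { fprintf(stderr, "reading the child's memory failed\n"); return 1; }
    printf("%zu bytes: %ld PTRACE_PEEKDATA calls vs. one pread() of %zd bytes\n",
           sizeof secret, calls, bytes);
    return 0;
}
```

On a 64-bit system the 31-byte string costs four PEEKDATA round trips against a single pread(); a 4 KiB page would cost 512 of them, which is the second inefficiency the notes list and the reason the /proc approach copies whole pages instead.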


    CopyLeft (l) 2003 by Raffael Marty