ystem Call Interposition: how to implement virtualization

最新推荐文章于 2024-05-15 09:19:28 发布
最新推荐文章于 2024-05-15 09:19:28 发布
阅读量1k 收藏 1
点赞数
分类专栏: linux编程基础 文章标签: linux内核

A System Call Interposition (SCI) support tracks all the system service requests of processes.Each system request can be modified or denied.

It is possible to implement tools to trace, monitor, or virtualize processes.

This posting shows three different ways to implement a System Call Interposition service.The simple virtualization problem to hide the contents of the file /etc/passwd will be implementedby each SCI service, showing pros and cons of each proposal.

This example can also be used as a proof-of-concept test to propose others services for SCI.

Contents

The example

When a process tries to open the file "/etc/passwd" the system call must fail returning errno=ENOENT.

Purelibc 

#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdarg.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <purelibc.h>
#include <errno.h>

static sfun _native_syscall;
static char buf[128];
static long int mysc(long int sysno, ...){
  va_list ap;
  long int a1,a2,a3,a4,a5,a6;
  va_start (ap, sysno);
  a1=va_arg(ap,long int);
  a2=va_arg(ap,long int);
  a3=va_arg(ap,long int);
  a4=va_arg(ap,long int);
  a5=va_arg(ap,long int);
  a6=va_arg(ap,long int);
  va_end(ap);
  if (sysno == __NR_open) {
    char *path=(char *)a1;
    if (a1 && strcmp(path,"/etc/passwd")==0) {
      errno=ENOENT;
      return -1;
    }
  }
  return _native_syscall(sysno,a1,a2,a3,a4,a5,a6);
}
  void
  __attribute ((constructor))
init_test (void)
{
  _native_syscall=_pure_start(mysc,NULL,PUREFLAG_STDALL);
}

Compile this source code (sci_purelibc.c):

 gcc -shared -o sci_purelibc.so sci_purelibc.c

preload purelibc and this shared object:

 export LD_PRELOAD=libpurelibc.so:/tmp/tests/syscall_interposition/sci_purelibc.so

and now /etc/passwd has disappeared

 $cat /etc/passwd
 cat: /etc/passwd: No such file or directory

Requirements: depends on the purelibc library

Pros: very fast.

Cons: unsafe (can be easily cincunvented), it works only for dynamically linked executables.

ptrace 

#include  <sys/ptrace.h>
#include  <sys/types.h>
#include  <sys/wait.h>
#include  <unistd.h>
#include  <stdio.h>
#include  <limits.h>
#include  <errno.h>
#include  <sys/user.h>
#include  <asm/ptrace-abi.h>
#include  <asm/unistd.h>

int main(int argc, char *argv[])
{
  pid_t child;
  long orig_eax;
  child = fork();
  if(child == 0) {
    ptrace(PTRACE_TRACEME, 0, NULL, NULL);
    argv++;
    execvp(argv[0],argv);
  }
  else {
    int status;
    int gotpasswd=0;
    int out=0;
    while(1) {
      waitpid(child,&status,0);
      if(WIFEXITED(status) || WIFSIGNALED(status))
        break;
      orig_eax = ptrace(PTRACE_PEEKUSER, child, 4 * ORIG_EAX, NULL);
      if (gotpasswd == 0) {
        if (orig_eax == __NR_open) {
          if (out==0) {
            char path[PATH_MAX];
            int i;
            long pathaddr=ptrace(PTRACE_PEEKUSER, child, 4 * EBX, NULL);
            errno=0;
            for (i=0; i<PATH_MAX; i++) {
              if ((i&0x3) == 0) {
                long chunk=ptrace(PTRACE_PEEKDATA, child, (char *)(pathaddr+i), 0);
                if (errno != 0)
                  break;
                * ((long *) (&path[i])) = chunk;
              }
              if (path[i] == 0)
                break;
            }
            if (strcmp(path,"/etc/passwd")==0) {
              ptrace(PTRACE_POKEUSER, child, 4 * ORIG_EAX, __NR_getpid);
              gotpasswd=1;
            }
          }
          out = 1-out;
        }
      } else {
        ptrace(PTRACE_POKEUSER, child, 4 * EAX, -ENOENT);
        gotpasswd=out=0;
      }
      ptrace(PTRACE_SYSCALL, child, NULL, NULL);
    }
  }
  return 0;
}

Compile the source code (sci_ptrace.c)

 gcc -o sci_ptrace sci_ptrace.c

Run it:

 ./sci_ptrace cat /etc/passwd
 cat: /etc/passwd: No such file or directory

Requirements: none (the kernel must provide ptrace)

Pros: it works

Cons: Slow, many "addresses" are processor architeture dependent, the interface is not clean (some signals cannot be used, SIGSTOP/SIGCONT, it overrides the natural semantics of the wait system call).

kmview.ko (based on utrace) 

#define _GNU_SOURCE
#include  <sys/types.h>
#include  <sys/wait.h>
#include  <unistd.h>
#include  <stdio.h>
#include  <stdlib.h>
#include  <limits.h>
#include  <errno.h>
#include  <fcntl.h>
#include  <string.h>
#include  <asm/unistd.h>
#include <sys/ioctl.h>
#include <kmview.h>


void dowait(int signal)
{
  int w;
  wait(&w);
}

#ifdef OPT_PATH_HASH
static int hash(char *s)
{
    int rv=0;
      while (*s) {
            rv ^= (rv << 5) + (rv >> 2) + *s;
                s++;
                  }
        return rv;
}
#endif

main(int argc, char *argv[])
{
  int fd;
  struct kmview_event event;
  int flags=0;
#ifdef OPT_OPEN_ONLY
  int bitmap[INT_PER_MAXSYSCALL];
#endif
#ifdef OPT_PATH_HASH
  struct ghosthash64 gh;
#endif
  fd=open("/dev/kmview",O_RDONLY);
  if (fd <0)
    exit(1);
#ifdef OPT_OPEN_ONLY
  scbitmap_fill(bitmap);
  scbitmap_clr(bitmap, __NR_open);
  ioctl(fd, KMVIEW_SYSCALLBITMAP,bitmap);
#endif
#ifdef OPT_PATH_HASH
  flags|=KMVIEW_FLAG_PATH_SYSCALL_SKIP;
  gh.deltalen[0]=strlen("/etc/passwd");
  gh.hash[0] = hash("/etc/passwd");
  gh.deltalen[1]=GH_TERMINATE;
  ioctl(fd,KMVIEW_GHOSTMOUNTS,&gh);
#endif
#ifdef OPT_FDSET
  flags|=KMVIEW_FLAG_FDSET;
#endif
  ioctl(fd, KMVIEW_SET_FLAGS, flags);
  signal(SIGCHLD,dowait);
  if (fork()) {
    while (1) {
      read(fd,&event,sizeof(event));
      switch (event.tag) {
        case KMVIEW_EVENT_NEWTHREAD:
          {
            struct kmview_ioctl_umpid ump;
            ump.kmpid=event.x.newthread.kmpid;
            ump.umpid=event.x.newthread.kmpid;
            ioctl(fd, KMVIEW_UMPID, &ump);
            break;
          }
        case KMVIEW_EVENT_TERMTHREAD:
          if (event.x.termthread.remaining == 0)
            exit (0);
          break;
        case KMVIEW_EVENT_SYSCALL_ENTRY:
          if (event.x.syscall.scno == __NR_open) {
            char path[PATH_MAX];
            struct kmview_ioctl_data data={event.x.syscall.x.umpid,
              event.x.syscall.args[0],PATH_MAX,path};
            ioctl(fd,KMVIEW_READSTRINGDATA, &data);
            if (strcmp(path,"/etc/passwd") == 0) {
              struct kmview_event_ioctl_sysreturn outevent;
              outevent.x.kmpid=event.x.syscall.x.umpid;
              outevent.retval=-1;
              outevent.erno = ENOENT;
              ioctl(fd,KMVIEW_SYSVIRTUALIZED, &outevent);
            } else
              ioctl(fd, KMVIEW_SYSRESUME, event.x.syscall.x.umpid);
          } else
            ioctl(fd, KMVIEW_SYSRESUME, event.x.syscall.x.umpid);
          break;
      }
    }
  } else { /* traced root process*/
    ioctl(fd, KMVIEW_ATTACH);
    close(fd);
    argv++;
    execvp(argv[0],argv);
  }
}

Compile the source code (sci_kmview.c)

 gcc -o sci_kmview sci_kmview.c

Run it:

 ./sci_kmview cat /etc/passwd
 cat: /etc/passwd: No such file or directory

The code include several optimizations:

  • OPT_OPEN_ONLY: the kernel module filters only the "open" system calls
  • OPT_PATH_HASH: when a system calls uses a path, kmview.ko forward only those whose path matches a hash key
  • OPT_FDSET: kmview.ko manages a table of the "virtualized" file descriptors

Optimizations can be added at compile time using a combination of -DOPT_OPEN_ONLY, -DOPT_PATH_HASH and -DOPT_FDSET.

Requirements: the kernel must support utrace and the kmview.ko kernel module must be loaded

Pros: fast, several optimizations can run in kernel space, clean design (event can be read from a device),architecture independent.

Cons: utrace is not a feature of the vanilla Linux kernel

Basic Performance Evaluation

The benchmarking code is the following:

#include <stdio.h>
#include <fcntl.h>
main()
{
        int i;
        int fd;
        for (i=0; i<100000; i++) {
                fd=open("/etc/passwd",O_RDONLY);
                close(fd);
                fd=open("/etc/hosts",O_RDONLY);
                close(fd);
        }
}

The execution times are the following:

* kernel (not virtualized): 0.8sec
* purelibc: 0.48sec
* ptrace: ~37.5sec
* kmview.ko (no opt): ~22sec
* kmview.ko (opt): ~7.1sec

(purelibc virtualization is even faster than the non virtualized case because it generates less system calls)

Please note that this example has been designed to provide almost the worst case for the virtualizing service.The implementation based on kmview creates a minimal overhead when tested in a more common scenario (e.g. a compilation), 

$ time gcc -o test test.c
real    0m0.147s
user    0m0.084s
sys     0m0.044s
$ time ./sci_kmview gcc -o test test.c
real    0m0.146s
user    0m0.088s
sys     0m0.048s
sdulibh
关注
  • 0
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
Effect_of_shifting_​pole_of_2nd_order_s​ystem:Effect_of_shifting_pole_of_2nd_order_system-matlab开发
05-30
在MATLAB环境中,"Effect_of_shifting_pole_of_2nd_order_system"的主题涉及的是控制系统理论中的二阶系统特性分析,特别是极点位置对系统动态性能的影响。在控制工程领域,系统的动态行为由其传递函数或者状态空间...
KTV-System:KTV系统
05-02
KTV综合系统 项目组成员: 15331170李忻恒 15331148李晗 15331162李善健 15331143黎皓斌 15331153李近朱 15331156李可江 项目简介: 一个基于SSM框架的简单KTV后台管理系统
c# 运行 .exe项目突然运行不起来提示:Unable to configure HTTPS endpoint.
m0_56098159的博客
05-15 893
dotnet dev-certs https --trust // 然后生成并信任新的开发者证书。dotnet dev-certs https --clean // 首先清理现有的开发者证书。
ystem.TimeoutException: The operation requested on PersistentChannel timed out.
刘联其的个人分享
04-25 1531
Error:System.TimeoutException: The operation requested on PersistentChannel timed out.   在 EasyNetQ.Producer.ClientCommandDispatcherSingleton.Invoke[T](Func`2 channelAction)   在 EasyNetQ.Producer.Clie...
unity package manager无法导入包Failed to call Unity ID to get auth code.
qq_38876313的博客
08-10 9558
「unity」package manager无法导入包[Error System.InvalidOperationException: Failed to call Unity ID to get auth code.] 解决方法: 系统 -> 网络 ->高级设置 -> 代理 -> 打开自动发现代理 OK! ! 解决
Connection to libvirt failed: unable to connect to server at : Connection refused: libvirtError: una
qq_38359135的博客
10-26 674
参考该文章: Failed to acquire pid file ‘/var/run/libvirtd.pid’: Resource temporarily unavailable
windows docker启动报错System.InvalidOperationException:Failed to set version to docker-desktop: exit cod
生而为人我很抱歉
07-20 4139
这种方法会导致代理软件(proxifier)无法使用,请谨慎操作。以管理员模式进入powershell。重置winsock运行。
[system]RangeError: Maximum call stack size exceeded
我心坚持
12-05 1060
[system]RangeError:超过最大调用堆栈大小 这个是vuex中的函数与普通函数名重名导致的,修改即可。 以上是Maximum call stack size exceeded错误的一种情况,也有一些无限循环或监听赋值等原因
ExecutionEngineException: Attempting to JIT compile method 'System.Reflection.MonoProperty:GetterAda...
weixin_30445169的博客
10-07 424
最近在做JsonFx移植到Unity3d的工作,StandAlone版已测可用,但是在iOS上使用JsonWriter.Serialization时出现如下错误:ExecutionEngineException: Attempting to JIT compile method 'System.Reflection.MonoProperty:GetterAdapterFrame<UniSoc...
System.InvalidOperationException: Failed to deploy distro docker-desktop......
汽车电子软件领域知识分享
10-16 8989
文章目录问题解决方案1.尝试卸载重装,无效2.参考 问题 我是win10的系统,安装了docker desktop版本,某天在我卸载了联想管家后,就docker就不能正常启动了,报错如下: 报错详细信息: System.InvalidOperationException: Failed to deploy distro docker-desktop to C:\Users\user\AppData\Local\Docker\wsl\distro: exit code: -1 stdout: �~
Fatal Python error: init_fs_encoding: failed to get the Python codec of the filesystem encoding
vxwxv的博客
08-02 5576
Fatal Python error: init_fs_encoding: failed to get the Python codec of the filesystem encoding Python runtime state: core initialized ImportError: bad magic number in 'encodings': b'U\r\r\n' Current thread 0x0000498c (most recent call first):
未将对象引用设置到对象的实例 (System.NullReferenceException)
01-01
下面基础的解释一下这错误: 1:本质上的错误: 代码如下: object a;//a是Null对象 protected void Page_Load(object sender, EventArgs e) { a.ToString();//调用一个Null对象的方法 } 当然啦!...
Simulink_Link_Quart​er_Car_Suspension_S​ystem:嗨,这个 Vigneshwar Pesaru。我正在提交这个用于 Quarter 汽车悬架系统的 Simulink 模型。-matlab开发
05-29
嗨,这个 Vigneshwar Pesaru。我正在提交这个用于 Quarter 汽车悬架系统的 Simulink 模型。 默认情况下,输入函数为阶跃函数。可以给出任何函数,如 Sin、cos 或单位斜坡函数。 基于此,输出屏幕为您提供输出响应...
How_To_Use_GCS_and_Google_Earth_in_MicroStation_v8i.pdf
01-12
With MicroStation v8i, we are now able to set project using the G)eographic C)oordinate S)ystem command to reference our MicroStation files into Google Earth. The Process takes a few clicks of the ...
后端性能优化:高并发处理.zip
08-18
后端技术系列教程,包括: API开发全套教程 后端安全全套教程 后端微服务架构全套教程 后端性能优化全套教程 后端框架全套教程 后端缓存技术全套教程 后端编程语言全套教程 数据库技术全套教程
实时计算:Apache Flink.zip
08-18
史上最全大数据技术全套教程,包括: 分布式存储系统 大数据基础 大数据处理框架 大数据管理与监控 实时计算 数据仓库 数据分析工具 数据湖 数据集成工具 消息队列 等流行技术的系列教程
River Valley - Level v1.0.3.unitypackage
最新发布
08-18
River Valley - Level v1.0.3
网络安全渗透测试辅助浏览器插件(Google Chrome 版) - Chrome - HackBar-v2.3.1
08-18
HackBar是一款专为网络渗透测试和安全评估设计的浏览器插件,功能丰富且易于使用。它允许用户自定义并直接发送HTTP请求,支持手动构造GET和POST请求,并可添加自定义的HTTP头部和参数。插件内置了编码/解码工具,如URL编码、Base64编码和MD5加密,便于在测试中处理数据。此外,HackBar还提供了常见漏洞的测试Payload,如SQL注入、XSS和XXE,助力用户快速检测网站漏洞。同时,它还具备Cookie管理功能,方便用户进行身份验证和绕过登录限制等测试
ystem.nvalidOperationException:“线程间操作无效:从不是创建控件”windows”的线程访问它。
08-19
### 回答1: 这个错误通常出现在多线程应用程序中,意味着您正在尝试在非 UI 线程上更新 UI 元素。在 .NET 中,UI 元素只能在创建它们的线程上访问和更新。为了解决这个问题,您可以使用 Invoke 或 BeginInvoke 方法将 UI 更新操作发送到 UI 线程上执行。例如,如果您在后台线程中更新了一个 Label 控件的文本,您可以使用以下代码将更新操作发送到 UI 线程: ``` private void UpdateLabel(string text) { if (label1.InvokeRequired) { label1.Invoke(new Action<string>(UpdateLabel), text); } else { label1.Text = text; } } ``` 在这个例子中,如果当前线程不是创建 label1 控件的线程,那么就使用 Invoke 方法将更新操作发送到 UI 线程上执行。否则,直接在当前线程上更新 Label 的文本。 ### 回答2: System.InvalidOperationException是一种异常类型,表示在应用程序中发生了一个无效操作。在这个特定的异常中,错误消息指出了一个线程间操作无效的问题,具体是由于来自非创建控件的线程试图访问该控件。 这种异常通常发生在在多线程应用程序中使用UI控件时。在Windows应用程序中,UI控件只能由UI线程访问和操作。这是因为UI控件通常与Windows消息循环紧密相关,而每个窗口都有一个独立的UI线程负责处理与之关联的消息和事件。当一个非UI线程试图访问或操作UI控件时,就会抛出System.InvalidOperationException异常。 为了解决这个问题,开发人员需要确保在进行UI控件访问和操作时,使用UI线程。这可以通过使用Invoke或BeginInvoke方法来实现。这些方法允许开发人员将操作委托给UI线程去处理,从而避免在非UI线程中直接访问UI控件。 以下是一个使用Invoke方法解决System.InvalidOperationException异常的示例代码: ```csharp private void UpdateUIControls() { if (InvokeRequired) { Invoke((MethodInvoker)UpdateUIControls); return; } // 在此处访问和操作UI控件 } ``` 在上述示例中,UpdateUIControls方法检查当前线程是否为UI线程。如果不是,则通过Invoke方法将操作委托给UI线程。当InvokeRequired为false时,即为UI线程,就可以安全地访问和操作UI控件。 通过遵循这种模式,开发人员可以正确地处理线程间操作无效的异常,并确保在多线程应用程序中正确地使用UI控件。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值