namecoin / sockstrace

Go port of Heteronculous (ptrace-based proxy leak detector). Outreachy project.
https://www.namecoin.org/
GNU General Public License v3.0

Look into `SECCOMP_RET_TRAP` #84

Open JeremyRand opened 3 weeks ago

JeremyRand commented 3 weeks ago

From (lightly edited) chatlogs, h/t @handpickencounter:

Are you referring to gVisor's systrap? They use SECCOMP_RET_TRAP, and probably the only documentation of how to use it to replace ptrace well is in their source. It might be worth checking out; they replaced their ptrace with SECCOMP_RET_TRAP as the default and claim much better performance. https://github.com/google/gvisor/tree/master/pkg/sentry/platform/systrap Reading about strace's use of seccomp, it's probably another good option. Selective ptrace will have a trivial performance impact. gVisor intercepts every single syscall, after all.

There's also a maybe-related paper from our friends at NRL/Tor: https://www.usenix.org/conference/atc22/presentation/jansen

JeremyRand commented 3 weeks ago

SECCOMP_RET_TRAP would probably be a lot less portable than ptrace though.