reverie-rs / reverie

trace and intercept linux syscalls.

patching syscall on first call #6

Closed wangbj closed 5 years ago

wangbj commented 5 years ago

Right now systrace patches syscalls after letting the first one go through; however, a more ideal way would be to patch the syscall first, and then run the patched version.

rrnewton commented 5 years ago

Is the idea that it assumes capturing syscalls is just an "optimization" and assumes a tracer will be there to catch what it misses?

It would be great for systrace to work "standalone" and guarantee to catch every syscall. RR doesn't set up their library-based interception until partway through the execution (therefore missing ~80 syscalls, limiting their efficiency on short process executions), but I'm not sure why we can't set it up first thing. To quote the ATC17 paper:

"In-process system-call interception only starts working in a process once the interception library has been loaded, but at least 80 system calls are performed before that completes, so its effectiveness is limited for short-lived processes."

wangbj commented 5 years ago

That is likely because the program has to be loaded by a loader (ld-linux.so); until the loader loads our (LD_PRELOAD) library, we can't do anything (because our code is not loaded yet). The loader itself also makes syscalls to perform the task.

The current design is that when systrace sees a filtered syscall, it still allows the syscall to go through, even if the syscall site is patched. We should be able to run the patched syscall as soon as the patch happens; it is more complicated because we need to rewind the IP to run the patched instructions.

rrnewton commented 5 years ago

Yeah, but if we could get in there before libc gets loaded, wouldn't we get in there before most or all of those 80 syscalls happen?

wangbj commented 5 years ago

I don't know what exactly the 80 syscalls are, but ld-linux.so does do its own syscalls, before libc.so is loaded.

wangbj commented 5 years ago

There are about 41 syscalls that cannot be patched, because they happen before libsystrace.so is loaded, even though libsystrace.so is loaded by LD_PRELOAD. The list can be found here.

This issue should be fixed by commit: d728a8c4c95f41c5ba95e632a0a8435804baf67f
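As an added illustration (not part of this issue or of the reverie code), a minimal ptrace-based tracer that sees every syscall a program makes from execve onward, including the ones ld-linux.so and libc startup issue before any LD_PRELOAD library could run; the count it returns for a stock dynamically linked /bin/true is the kind of number the comments above are discussing. Assumes Linux with glibc; the tracee path is a constructed choice.

```c
// Build: cc -O2 tracer.c -o tracer && ./tracer /bin/true
#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/types.h>

/* Run `path` under ptrace and return how many syscalls it made (-1 on error).
 * A ptrace tracer attaches before execve, so unlike an LD_PRELOAD library it
 * also observes the loader's own syscalls (brk, mmap, openat, ...). */
long count_syscalls(const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: request tracing, stop so the parent can set options, exec. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(127);
        raise(SIGSTOP);
        execl(path, path, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        return -1;
    /* TRACESYSGOOD tags syscall stops as SIGTRAP|0x80, distinguishing them
     * from plain signal stops (including the legacy post-execve SIGTRAP). */
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD) == -1)
        return -1;
    long entries = 0;
    int in_syscall = 0, sig = 0;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1)
            return -1;
        if (waitpid(pid, &status, 0) == -1)
            return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status))
            break;
        int stopsig = WSTOPSIG(status);
        sig = 0;
        if (stopsig == (SIGTRAP | 0x80)) {
            /* Every syscall produces an entry stop and an exit stop; count entries. */
            if (!in_syscall)
                entries++;
            in_syscall = !in_syscall;
        } else if (stopsig != SIGTRAP) {
            sig = stopsig; /* a real signal: deliver it to the tracee */
        }
    }
    return entries;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/bin/true";
    long n = count_syscalls(path);
    if (n < 0) { perror("ptrace"); return 1; }
    printf("%s made %ld syscalls, all visible to the tracer\n", path, n);
    return 0;
}
```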

wangbj commented 5 years ago

The exact number may depend on which program is invoked.

rrnewton commented 5 years ago

Thanks for documenting those.