= Retrace
image:https://github.com/riboseinc/retrace/actions/workflows/ubuntu.yml/badge.svg[Ubuntu, link=https://github.com/riboseinc/retrace/actions/workflows/ubuntu.yml] image:https://github.com/riboseinc/retrace/actions/workflows/macos.yml/badge.svg[macOS, link=https://github.com/riboseinc/retrace/actions/workflows/macos.yml] image:https://github.com/riboseinc/retrace/actions/workflows/windows.yml/badge.svg[Windows, link=https://github.com/riboseinc/retrace/actions/workflows/windows.yml] image:https://img.shields.io/cirrus/github/riboseinc/retrace?label=freebsd&logo=cirrus%20ci["FreeBSD", link="https://cirrus-ci.com/github/riboseinc/retrace"] image:https://github.com/riboseinc/retrace/actions/workflows/nix.yml/badge.svg[nix, link=https://github.com/riboseinc/retrace/actions/workflows/nix.yml] image:https://github.com/riboseinc/retrace/actions/workflows/checkpatch.yml/badge.svg[checkpatch, link=https://github.com/riboseinc/retrace/actions/workflows/checkpatch.yml] image:https://img.shields.io/coverity/scan/12840.svg[Coverity Scan, link=https://scan.coverity.com/projects/riboseinc-retrace]
retrace
is a versatile security vulnerability / bug discovery tool
through monitoring and modifying the behavior of compiled binaries on
Linux, OpenBSD/FreeBSD/NetBSD (shared object) and macOS (dynamic library).
retrace
can be used to assist reverse engineering / debugging
dynamically-linked ELF (Linux/OpenBSD/FreeBSD/NetBSD) and
Mach-O (macOS) binary executables.
== Retrace v2
Work in a new version of retrace
is ongoing, all the documentation is only about retrace
v1, early documentation for
retrace
v2 is link:READMEv2.adoc[here].
If you want to give it a go despiste the lack of documentation you can enable it in the build using ./configure --enable-v2
.
== Who is Ribose?
We are https://www.ribose.com[Ribose], the secure sharing company. We believe privacy and security form the foundation of liberty.
Our goal is to empower individuals and organizations alike to freely communicate and achieve productivity for the greater good, through our deep security and technology expertise, creating highly-secure products validated to the world’s most stringent requirements and regulations.
We created retrace
to aid developers and security researchers to develop better code that leads the world to a better place.
== Contacting The Organizer
The Ribose retrace
team can be reached at retrace@ribose.com. We will answer questions to the best of our efforts.
= Building retrace
For platforms with Autotools, the generic way to build and install
retrace
is:
You need Autotools installed in your system (autoconf
, automake
,
libtool
, make
, gcc
packages).
OpenSSL library and headers are automatically detected, you can specify
an optional flag --with-openssl=[PATH]
(to use a non-standard OpenSSL
installation root).
In order to build tests: run configure script with --enable-tests
flag. To build cmocka tests you can specify an optional flag
--with-cmocka=[PATH]
(to use a non-standard cmocka installation root).
By the default retrace
is installed in /usr/bin
directory.
= Running retrace
Configuration file path can be set either in RETRACE_CONFIG
environment variable or by specifying -f [path]
command line argument.
= Interactive user interface
Interactive control over retrace can be exercised using cli control feature
over pseudo terminal (currently available on Linux platforms only).
In order to enable the feature, export RETRACE_CLI=1
environment variable.
When enabled, the name of the pseudo device will be printed with a 3 seconds delay during the start up:
After that, a terminal emulator can be connected to that device:
Hit the main Enter key, and the command menu with prompt will appear:
Welcome to minicom 2.7.1
OPTIONS: I18n Compiled on Aug 13 2017, 15:25:34. Port /dev/tty8, 13:10:04
Press CTRL-A Z for help on special keys
The following are the characteristics of the terminal:
== Note to developers In order to expose interactive commands from your module, use API defined in retrace_cli.h. To register commads use cli_register_command_blk(). To interact with the user use cli_printf() and cli_scanf(). Refer to retrace_main.c for reference.
= Examples
== Trace usage example
In its most basic form retrace
will just print all calls that are made
(and that are supported by retrace):
== Redirect usage example
The power of retrace
lies in its ability to modify the behavior of
the standard system calls in a number of different ways.
This is done using a config file.
An easy example is redirecting the output of the getuid()
call:
$ cat retrace.conf getuid,0 geteuid,0 getegid,0 getgid,0
= Config Options
Other useful config file options are listed below.
== Connect
Will redirect a connect()
call from 127.0.0.1:8080
to
192.168.1.110:9090
.
== File-related
Will redirect a fopen()
call from /etc/passwd
to /tmp/passwd
.
== Logging
Will send the log file to a file rather than stderr
. You can configure
log output to write to /dev/null
disable logging completely.
== OpenSSL
Will cause the OpenSSL function SSL_get_verify_result
to return any
desired value.
== Memory Fuzzing
This option will cause a percentage of malloc()
, realloc()
and
calloc()
calls to fail.
The percentage is specified in a number (float
) from 0
(no fail) to
1
(all fail). This is useful to discover places in your code where you
are not checking the return value of allocators.
The seed of the random generator can be controlled with the
fuzzingseed,1498729252
option, so that the results are repeatable.
== Incomplete I/O
This option will cause the read()
/ write()
calls to randomly
write/read less bytes than was asked. A common scenario that people
forget to check.
== Time tracking
These two options will cause a timestamp (since the beginning of the tracing) to be shown and the time a call took if it's larger than the specified time in float seconds.
== Logging
These options will enable or disable logging options by group or level.
The each group, level or function may be combined by |
character.
logging-global,[logging group],[logging level] groups: LOG_GROUP_ALL,LOG_GROUP_MEM,LOG_GROUP_FILE,LOG_GROUP_NET,LOG_GROUP_SYS, LOG_GROUP_STR,LOG_GROUP_SSL,LOG_GROUP_PROC levels: LOG_LEVEL_ALL,LOG_LEVEL_NOR,LOG_LEVEL_ERR,LOG_LEVEL_FUZZ,LOG_LEVEL_REDIRECT
= Notes
== macOS System Integrity Protection
We use the DYLD_INSERT_LIBRARIES environment variable to insert retrace
into binaries.
Starting on Mac OS X El Capitan Apple removes the DYLD_INSERT_LIBRARIES variable for
the environment for binaries in system directories. This means you can't trace system binaries
using retrace
by default.
You can disable this behaviour by running csrutil disable
and rebooting.
= Feedback
retrace
is under heavy development and we are always looking to implement new
and useful features that allows debugging and reverse engineering programs in
new and interesting ways.
Please send feedback and improvement suggestions either as GitHub issues or to retrace@ribose.com.