
Welcome to the Matrix

Benoit Jacquemont
March 29, 2018


Better understanding a process's behaviour by sniffing its interactions with the kernel and other libraries.



Transcript

  1. Benoit Jacquemont @bjacquemont

  2. Our nice little program

  16. Not convinced? echo file_get_contents('/dev/zero');
    (/dev/zero is not a file on disk but a kernel device that hands back zero bytes forever: file_get_contents() never sees EOF, so the script keeps allocating until PHP kills it on memory_limit.)

  20. Your programs never have direct access to the "real world": every file, socket or terminal is reached through the kernel, via system calls.
  23. strace: the syscalls sniffer
    Attaching to an already running process: $ strace -p <process_id>
    Running a program directly: $ strace <my_program>
  24. Stracing "Hello World"
    hello_world.php: echo "Hello World\n";
    $ strace php hello_world.php
  25. About file descriptors: a file handle identifier
    0: standard input, 1: standard output, 2: error output, >= 3: any other file/stream
  26. Filtering strace output (strace writes its trace to stderr, hence the 2>&1 when piping)
    Unix style: $ strace <prog> 2>&1 | grep -e "read\|open" | cut ...
    Built-in filters: $ strace -e "read,open" <prog>
    Mix: $ strace -e "read,open" <prog> 2>&1 | cut ...
    Dump to a file for later analysis: $ strace -e "read,open" -o strace.out <xxxx>
  27. Let's get real!

  28. Where are the #!?$ PHP config files?
    $ strace -e open php -i > /dev/null
    Caveat: on current glibc, open() is implemented on top of the openat() syscall, so -e open shows nothing. Use -e trace=open,openat, or -e trace=file to catch every syscall that takes a path.
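A worked version of slides 26 and 28, added here and not part of the talk: instead of eyeballing the trace, classify every open()/openat() line of an strace log into successful opens and failures, so the PHP config search order (the ENOENT misses) and the file actually loaded stand out. The strace invocation in the comment and the sample log are assumptions; the log is constructed for the example, not a real capture, and the script runs offline without strace.

```shell
#!/bin/sh
# Added example, not from the talk: classify every open()/openat() in an
# strace log. Assumed way to produce the log:
#   strace -f -e trace=open,openat -o strace.out php -i >/dev/null
# Output: "ok <path>" for successful opens, "fail <ERRNO> <path>" otherwise.
# Runs on the saved log only, so strace is not needed to run this script.

classify_opens() {
    awk '
        # with -f every line starts with a pid; the pattern ignores it
        /open(at)?\(/ {
            # with -f a call interrupted by another thread is printed as
            # "<unfinished ...>" and "<... openat resumed>": skip both halves
            if ($0 ~ /<unfinished/ || $0 ~ /resumed>/) next
            # the path is the first double-quoted string on the line
            if (match($0, /"[^"]*"/) == 0) next
            path = substr($0, RSTART + 1, RLENGTH - 2)
            # the return value is whatever follows the last " = "
            n = split($0, parts, " = ")
            ret = parts[n]
            if (ret ~ /^-1 /) {
                split(ret, r, " ")      # r[2] is the errno name, e.g. ENOENT
                printf "fail %s %s\n", r[2], path
            } else {
                printf "ok %s\n", path
            }
        }
    ' "$1"
}

# Only the files the program looked for but did not find: for "where are
# the config files?" this is the search path PHP walked through.
missing_files() {
    classify_opens "$1" | awk '$1 == "fail" && $2 == "ENOENT" { print $3 }'
}

# Constructed sample in strace -f format (pid prefix); not a real capture.
sample_trace() {
    cat <<'EOF'
4242  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4242  openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
4242  openat(AT_FDCWD, "/usr/local/etc/php/php-cli.ini", O_RDONLY) = -1 ENOENT (No such file or directory)
4242  openat(AT_FDCWD, "/usr/local/etc/php/php.ini", O_RDONLY) = -1 ENOENT (No such file or directory)
4242  openat(AT_FDCWD, "/etc/php/7.2/cli/php.ini", O_RDONLY) = 3
4242  openat(AT_FDCWD, "/etc/php/7.2/cli/conf.d", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
4242  open("/etc/php/7.2/cli/conf.d/10-opcache.ini", O_RDONLY) = 5
4242  openat(AT_FDCWD, "/etc/php/7.2/cli/conf.d/99-private.ini", O_RDONLY) = -1 EACCES (Permission denied)
4242  +++ exited with 0 +++
EOF
}

# Usage: classify_opens strace.out ; missing_files strace.out
```

The EACCES line is the case worth watching for in practice: a config file that exists but that the process cannot read is reported as a failure with a different errno, and it is easy to miss when grepping only for ENOENT.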
  29. Why is my homepage so slow?
  30. File descriptors (again): list open files (lsof) is your friend!
    $ lsof -p <pid>
  31. What is my process doing?

  32. Why is this file not processed?
  33. I'm processing a huge file, where is my process at?
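An added example for the "where is my process at?" question, not part of the talk: strace -y -p <pid> tells you which path the process is read()ing from, and the exact offset of that descriptor is then available from /proc/<pid>/fdinfo/<fd>, which needs the same permission as strace -p (same user, or ptrace rights). The helper below is mine, assumes a Linux /proc layout, and is not the talk's own code.

```shell
#!/bin/sh
# Added example, not from the talk: report how far a process has got through
# the file behind one of its descriptors. Identify the fd with
#   strace -y -p <pid>        (assumed usage; -y prints the path next to the fd)
# then read the offset the kernel keeps for that fd. Linux-only (/proc).

# Usage: fd_progress <pid> <fd>
# Prints: <path> <pos> <size> <percent>
fd_progress() {
    pid=$1
    fd=$2
    # /proc/<pid>/fd/<fd> is a symlink to whatever the descriptor refers to
    path=$(readlink "/proc/$pid/fd/$fd") || return 1
    # fdinfo carries the current offset as "pos:\t<bytes>" (plus flags, mnt_id)
    pos=$(awk '$1 == "pos:" { print $2 }' "/proc/$pid/fdinfo/$fd")
    [ -n "$pos" ] || return 1
    # pipes, sockets and devices have no size worth a percentage
    if [ -f "$path" ]; then
        size=$(wc -c < "$path")
    else
        size=0
    fi
    if [ "$size" -gt 0 ]; then
        pct=$(( pos * 100 / size ))
    else
        pct=0
    fi
    printf '%s %s %s %s\n' "$path" "$pos" "$size" "$pct"
}

# Usage: watch_fd <pid> <fd> [interval_seconds]
# Polls until the offset reaches the end of the file or the fd goes away.
watch_fd() {
    interval=${3:-2}
    while line=$(fd_progress "$1" "$2"); do
        echo "$line"
        case "$line" in *" 100") break ;; esac
        sleep "$interval"
    done
}
```

Reading the offset from fdinfo is cheaper than keeping strace attached: it does not stop the process on every syscall, so it is the better choice on a production box once strace -y has told you which descriptor to look at.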
  34. Sniffing syscalls gives us a better understanding of a process's behaviour
  38. ltrace: the library calls sniffer
    Attaching to an already running process: $ ltrace -p <process_id>
    Running a program directly: $ ltrace <my_command>
  39. My webservice call seems to get a strange response...
  40. Does my program use the right DB parameters?
  41. strace and ltrace shortcomings
    performance impact: ptrace stops the traced process at every syscall entry and exit, so a chatty program runs several times slower while traced
    some binaries are not "ltraceable" due to a binutils bug in some distribs
  42. Tips and Tricks
    dump the full trace into a file and filter/analyze later
    use -s to show longer parts of strings (the default cuts them at 32 bytes)
    use -f to follow child processes
    use -c to display a summary of call counts and time
    use -y to display the path associated with each file descriptor
    use -T to display the time spent in each call
  43. What about other OSes?
    FreeBSD: truss
    MacOS X: dtruss
    Windows: NtTrace
  44. Going further...
    perf trace: strace on steroids
    gdb: the universal debugger
    perf: lightweight performance profiling
  45. Take aways about strace/ltrace
    strace and ltrace give great insights into a program's behaviour
    they often allow a first and fast diagnosis
    they are complementary tools to your existing toolbox
  46. Thank you! Questions? @bjacquemont, github.com/BitOne