benefits and drawbacks of syscall hooks/netdev0x18-zpoline

Transcript

1. benefits and drawbacks of syscall benefits and drawbacks of syscall

   hooks hooks  1

2. introduction introduction 2

3. what is syscall and why syscall hook ? what is

   syscall and why syscall hook ? 3

4. recap: how syscall works ? recap: how syscall works ?

   4

5. change the behavior of syscall ? change the behavior of

   syscall ? 5

6. change the behavior of syscall ? change the behavior of

   syscall ? 5

7. variants variants 6

8. ptrace ptrace 7

9. SUD (syscall user dispatch) SUD (syscall user dispatch) 8

10. LD_PRELOAD LD_PRELOAD 9

11. binary rewriting binary rewriting syscall/sysenter 10

12. binary rewriting (cont'd) binary rewriting (cont'd) syscall jmp 0xdeadbeef syscall

    0f 05 jmp 0xdeafbeef e9 de ad be af mov sysno %rax; syscall callq ${addr of handler} 11

13. summary of existing syscall hooks summary of existing syscall hooks

    12

14. %rax zpoline zpoline syscall callq *%rax 13

15. zpoline: how it works zpoline: how it works callq *%rax

    syscall nop nop callq *%rax %rax $ echo 0 > "/proc/sys/vm/mmap_min_addr" 14

16. zpoline: how it behaves zpoline: how it behaves 15

17. zpoline how it behaves (cont'd) zpoline how it behaves (cont'd)

    16

18. zpoline: benefits zpoline: benefits 17

19. There ain't no such things as a free lunch There

    ain't no such things as a free lunch. . 18

20. pitfalls of syscall hooks pitfalls of syscall hooks 19

21. handling two universes in partial hooks handling two universes in

    partial hooks int hooked_select(pollfds[], nfds_t, int) { int host_fd = host_poll(); int user_fd = user_poll(); return (merge {host,user}_fd) } 20

22. Summary Summary 21

23. Backups Backups 22

24. How zpoline is started ? How zpoline is started ?

    syscall callq *%rax main() 23

25. libc replacement libc replacement 24

26. platform support platform support 25

27. null access termination null access termination mprotect(2) 26

28. References References 27