DOCSLIB.ORG

Introduction to Low-Level Profiling and Tracing

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Introduction to Low-Level Profiling and Tracing Introduction to low-level profiling and tracing EuroPython 2019 / Basel 2019-07-11 Christian Heimes Principal Software Engineer [email protected] / [email protected] @ChristianHeimes Our systems block every 5 minutes. We are loosing money. Fix it! Profiling and Tracing, EuroPython 2019, @ChristianHeimes, CC BY-SA 4.0 Is it me, or the GIL? Christoph Heer EuroPython 2019 Profiling and Tracing, EuroPython 2019, @ChristianHeimes, CC BY-SA 4.0 requests.get('https://www.python.org') Profiling and Tracing, EuroPython 2019, @ChristianHeimes, CC BY-SA 4.0 2 ½ use case for tracing tools Who am I? ● from Hamburg/Germany ● Python and C developer ● Python core contributor since 2008 ● maintainer of ssl and hashlib module ● Python security team Profiling and Tracing, EuroPython 2019, @ChristianHeimes, CC BY-SA 4.0 Professional life ● Principal Software Engineer at Red Hat ● Security Engineering ● FreeIPA Identity Management ● Dogtag PKI Profiling and Tracing, EuroPython 2019, @ChristianHeimes, CC BY-SA 4.0 Agenda & Goals Agenda ● introduction ● ptrace (strace, ltrace) ● kernel & hardware tracing tools ● Summary ● ~ 5 minutes Q&A Profiling and Tracing, EuroPython 2019, @ChristianHeimes, CC BY-SA 4.0 Special thanks ● Brendan Gregg (Netflix) ● Victor Stinner (CPython, Red Hat) https://vstinner.readthedocs.io/benchmark.html ● Dmitry Levin (strace) ”Modern Strace”, DevConf.CZ 2019 ● Michal Sekletár (Red Hat) ”Tracing Tools for Systems Engineers”, DevConf.CZ 2019 Profiling and Tracing, EuroPython 2019, @ChristianHeimes, CC BY-SA 4.0 Introduction Terminology Debugging – The process of identifying and removing bugs. ● active, expensive, intrusive, slow-down ● deploy new version ● attach debugger Tracing – observing and monitoring behavior ● passive, non-intrusive, and fast* Profiling – gathering and analyzing metrics ● byproduct of tracing with counting and timing Profiling and Tracing, EuroPython 2019, @ChristianHeimes, CC BY-SA 4.0 Methodology Application level tracing ● debug builds ● performance logs (MySQL Slow Query Log, PHP xdebug) ● trace hooks (Python: sys.settrace()) User space tracing ● LD_PRELOAD, ptrace Kernel space tracing ● ftrace, eBPF, systemtap, LTTng, ... Hardware tracing ● hardware performance counter, PMU, ... Profiling and Tracing, EuroPython 2019, @ChristianHeimes, CC BY-SA 4.0 Prerequisites ● installation of extra packages ● permissions ● root or special group ● CAP_SYS_PTRACE, CAP_SYS_ADMIN, CAP_SYS_MODULE ● recent Kernel (BCC, eBPF) ● debug symbols dnf debuginfo-install package, apt install package-dbg ● compiler/linker flags (-g, -fno-omit-framepointer, BIND_LAZY) ● disable secure boot (stap) Kernel Live Patching or dynamic modules Profiling and Tracing, EuroPython 2019, @ChristianHeimes, CC BY-SA 4.0 “Lies, damned lies, and statistics” ”Wer misst, misst Mist.” Profiling and Tracing, EuroPython 2019, @ChristianHeimes, CC BY-SA 4.0 benchmarks / statistics ● average, median, standard deviation, percentile ● observational error ● systematic error ● random error ● systemic bias, cognitive bias (human factor) ● misleading presentation (Vatican City has 2.27 popes / km²) ● sampling profiler: quantization error, Nyquist–Shannon theorem “Producing Wrong Data Without Doing Anything Obviously Wrong!” (Mytkowicz, Diwan, Hauswirth, Sweeney) Profiling and Tracing, EuroPython 2019, @ChristianHeimes, CC BY-SA 4.0 Computers are noisy ● CPU power states (P-states, C-states, TurboBoost, thermal throttling) ● caches (L1 CPU, file system, JIT warm-up, DNS/HTTP) ● hardware IRQs, Address Space Layout Randomization (ASLR) https://vstinner.readthedocs.io/benchmark.html Profiling and Tracing, EuroPython 2019, @ChristianHeimes, CC BY-SA 4.0 env vars, path length, hostname, username BenchmarkBenchmark withoutwithout PythonPython virtualvirtual environmentenvironment %% timetime secondsseconds usecs/callusecs/call callscalls errorserrors syscallsyscall ------------ ---------------------- ---------------------- ------------------ ------------------ -------------------------------- 28.7828.78 0.0004380.000438 00 14401440 readread 27.3327.33 0.0004160.000416 11 440440 2525 statstat 9.729.72 0.0001480.000148 11 144144 mmapmmap ...... 0.790.79 0.0000120.000012 11 1111 munmapmunmap BenchmarkBenchmark insideinside aa virtualvirtual environmentenvironment %% timetime secondsseconds usecs/callusecs/call callscalls errorserrors syscallsyscall ------------ ---------------------- ---------------------- ------------------ ------------------ -------------------------------- 57.1257.12 0.0990230.099023 22 6147161471 munmapmunmap 41.8741.87 0.0725800.072580 11 6161861618 mmapmmap 0.230.23 0.0003950.000395 11 465465 2727 statstat ● https://mail.python.org/pipermail/python-dev/2019-February/156522.html ● https://homes.cs.washington.edu/~bornholt/post/performance-evaluation.html Profiling and Tracing, EuroPython 2019, @ChristianHeimes, CC BY-SA 4.0 Let's profile importimport timetime startstart == time.time()time.time() withwith open('/etc/os-release')open('/etc/os-release') asas f:f: lineslines == f.readlines()f.readlines() print(time.time()print(time.time() -- start)start) Profiling and Tracing, EuroPython 2019, @ChristianHeimes, CC BY-SA 4.0 Examples ● shell ● cat ● Python ● open + read file ● HTTPS request with requests Profiling and Tracing, EuroPython 2019, @ChristianHeimes, CC BY-SA 4.0 ptrace ptrace ● process trace syscall ● introduced in Unix Version 6 (~1985) ● user-space tracing ● used by debuggers and code analysis tools ● gdb ● strace ● ltrace ● code coverage ● ... Profiling and Tracing, EuroPython 2019, @ChristianHeimes, CC BY-SA 4.0 ltrace – A library call tracer $$ ltraceltrace -e-e ''SSL_CTX*@*SSL_CTX*@*'' \\ python3python3 -c-c ''importimport requests;requests; requests.get("https://www.python.org")requests.get("https://www.python.org")'' _ssl.cpython-37m-x86_64-linux-gnu.so->_ssl.cpython-37m-x86_64-linux-gnu.so->SSL_CTX_newSSL_CTX_new(0x7fa4a1a77120,(0x7fa4a1a77120, 0,0, 0,0, 0)0) == 0x55636123a1000x55636123a100 _ssl.cpython-37m-x86_64-linux-gnu.so->_ssl.cpython-37m-x86_64-linux-gnu.so->SSL_CTX_get_verify_callbackSSL_CTX_get_verify_callback(0x55636123a100,(0x55636123a100, -2,-2, 0x7fa4a1acd5e0,0x7fa4a1acd5e0, 0x7fa4a1acd5f8)0x7fa4a1acd5f8) == 00 _ssl.cpython-37m-x86_64-linux-gnu.so->_ssl.cpython-37m-x86_64-linux-gnu.so->SSL_CTX_set_verifySSL_CTX_set_verify(0x55636123a100,(0x55636123a100, 0,0, 0,0, 0x7fa4a1acd5f8)0x7fa4a1acd5f8) == 00 _ssl.cpython-37m-x86_64-linux-gnu.so->_ssl.cpython-37m-x86_64-linux-gnu.so->SSL_CTX_set_optionsSSL_CTX_set_options(0x55636123a100,(0x55636123a100, 0x82420054,0x82420054, 0,0, 0x7fa4a1acd5f8)0x7fa4a1acd5f8) == 0x825200540x82520054 _ssl.cpython-37m-x86_64-linux-gnu.so->_ssl.cpython-37m-x86_64-linux-gnu.so->SSL_CTX_ctrlSSL_CTX_ctrl(0x55636123a100,(0x55636123a100, 33,33, 16,16, 0)0) == 2020 _ssl.cpython-37m-x86_64-linux-gnu.so->_ssl.cpython-37m-x86_64-linux-gnu.so->SSL_CTX_set_session_id_contextSSL_CTX_set_session_id_context(0x55636123a100,(0x55636123a100, 0x7fa4af500494,0x7fa4af500494, 7,7, 0)0) == 11 ...... _ssl.cpython-37m-x86_64-linux-gnu.so->_ssl.cpython-37m-x86_64-linux-gnu.so->SSL_CTX_freeSSL_CTX_free(0x55636123a100,(0x55636123a100, 0x7fa4af4b1e10,0x7fa4af4b1e10, -3,-3, 0x7fa4a12734c8)0x7fa4a12734c8) == 00 Profiling and Tracing, EuroPython 2019, @ChristianHeimes, CC BY-SA 4.0 ltrace – count memory allocations >>>>>> importimport os,os, time,time, requestsrequests >>>>>> os.getpid()os.getpid() 65046504 ## attachattach ltraceltrace >>>>>> startstart == time.time();time.time(); rr == requests.get("https://www.python.org");requests.get("https://www.python.org"); print(time.time()print(time.time() -- start)start) ## withoutwithout ltrace:ltrace: 0.5660.566 secsec ## withwith ltrace:ltrace: 3.3963.396 secsec $$ ltraceltrace -e-e ''malloc+free+realloc@*malloc+free+realloc@*'' -c-c -p-p 65046504 %% timetime secondsseconds usecs/callusecs/call callscalls functionfunction ------------ ---------------------- ---------------------- ------------------ ---------------------------------------- 53.4953.49 1.1048041.104804 3737 2979629796 freefree 45.7845.78 0.9455650.945565 3737 2552325523 mallocmalloc 0.730.73 0.0150690.015069 4848 309309 reallocrealloc ------------ ---------------------- ---------------------- ------------------ ---------------------------------------- 100.00100.00 2.0654382.065438 5562855628 totaltotal Profiling and Tracing, EuroPython 2019, @ChristianHeimes, CC BY-SA 4.0 strace – trace system calls and signals ● Paul Kranenburg in 1991 ● Dmitry Levin (current maintainer) Ring 3 Ring 2 Least privileged Ring 1 Ring 0 syscall Kernel Most privileged Device drivers Device drivers Applications Hertzsprung at English Wikipedia [CC BY-SA 3.0] Profiling and Tracing, EuroPython 2019, @ChristianHeimes, CC BY-SA 4.0 strace “open” syscall $$ stracestrace -e-e openopen catcat /etc/os-release/etc/os-release >/dev/null>/dev/null ++++++ exitedexited withwith 00 ++++++ $$ manman 22 openopen ...... TheThe open()open() systemsystem callcall opensopens thethe filefile specifiedspecified byby pathname.pathname. $$ stracestrace -c-c catcat /etc/os-release/etc/os-release >/dev/null>/dev/null %% timetime secondsseconds usecs/callusecs/call callscalls errorserrors syscallsyscall ------------ ---------------------- ---------------------- ------------------ ------------------ -------------------------------- 31,4031,40 0,0005910,000591 590590 11 execveexecve 13,5113,51 0,0002540,000254 2828 99 mmapmmap 8,678,67 0,0001630,000163 4040 44 mprotectmprotect 7,207,20 0,0001350,000135 2222 66 readread 6,956,95 0,0001310,000131 3232 44
Load more

Recommended publications
  • Security Assurance Requirements for Linux Application Container Deployments
    NISTIR 8176 Security Assurance Requirements for Linux Application Container Deployments Ramaswamy Chandramouli This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8176 NISTIR 8176 Security Assurance Requirements for Linux Application Container Deployments Ramaswamy Chandramouli Computer Security Division Information Technology Laboratory This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8176 October 2017 U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary National Institute of Standards and Technology Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology NISTIR 8176 SECURITY ASSURANCE FOR LINUX CONTAINERS National Institute of Standards and Technology Internal Report 8176 37 pages (October 2017) This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8176 Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. This p There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each ublication is available free of charge from: http publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.
    [Show full text]
  • Drilling Network Stacks with Packetdrill
    Drilling Network Stacks with packetdrill NEAL CARDWELL AND BARATH RAGHAVAN Neal Cardwell received an M.S. esting and troubleshooting network protocols and stacks can be in Computer Science from the painstaking. To ease this process, our team built packetdrill, a tool University of Washington, with that lets you write precise scripts to test entire network stacks, from research focused on TCP and T the system call layer down to the NIC hardware. packetdrill scripts use a Web performance. He joined familiar syntax and run in seconds, making them easy to use during develop- Google in 2002. Since then he has worked on networking software for google.com, the ment, debugging, and regression testing, and for learning and investigation. Googlebot web crawler, the network stack in Have you ever had the experience of staring at a long network trace, trying to figure out what the Linux kernel, and TCP performance and on earth went wrong? When a network protocol is not working right, how might you find the testing. [email protected] problem and fix it? Although tools like tcpdump allow us to peek under the hood, and tools like netperf help measure networks end-to-end, reproducing behavior is still hard, and know- Barath Raghavan received a ing when an issue has been fixed is even harder. Ph.D. in Computer Science from UC San Diego and a B.S. from These are the exact problems that our team used to encounter on a regular basis during UC Berkeley. He joined Google kernel network stack development. Here we describe packetdrill, which we built to enable in 2012 and was previously a scriptable network stack testing.
    [Show full text]
  • ARM Assembly Shellcode from Zero to ARM Assembly Bind Shellcode
    Lab: ARM Assembly Shellcode From Zero to ARM Assembly Bind Shellcode HITBSecConf2018 - Amsterdam 1 Learning Objectives • ARM assembly basics • Writing ARM Shellcode • Registers • System functions • Most common instructions • Mapping out parameters • ARM vs. Thumb • Translating to Assembly • Load and Store • De-Nullification • Literal Pool • Execve() shell • PC-relative Addressing • Reverse Shell • Branches • Bind Shell HITBSecConf2018 - Amsterdam 2 Outline – 120 minutes • ARM assembly basics • Reverse Shell • 15 – 20 minutes • 3 functions • Shellcoding steps: execve • For each: • 10 minutes • 10 minutes exercise • Getting ready for practical part • 5 minutes solution • 5 minutes • Buffer[10] • Bind Shell • 3 functions • 25 minutes exercise HITBSecConf2018 - Amsterdam 3 Mobile and Iot bla bla HITBSecConf2018 - Amsterdam 4 It‘s getting interesting… HITBSecConf2018 - Amsterdam 5 Benefits of Learning ARM Assembly • Reverse Engineering binaries on… • Phones? • Routers? • Cars? • Intel x86 is nice but.. • Internet of Things? • Knowing ARM assembly allows you to • MACBOOKS?? dig into and have fun with various • SERVERS?? different device types HITBSecConf2018 - Amsterdam 6 Benefits of writing ARM Shellcode • Writing your own assembly helps you to understand assembly • How functions work • How function parameters are handled • How to translate functions to assembly for any purpose • Learn it once and know how to write your own variations • For exploit development and vulnerability research • You can brag that you can write your own shellcode instead
    [Show full text]
  • Writing Kernel Exploits
    Writing kernel exploits Keegan McAllister January 27, 2012 Keegan McAllister Writing kernel exploits Why attack the kernel? Total control of the system Huge attack surface Subtle code with potential for fun bugs Keegan McAllister Writing kernel exploits Kernel security Kernel and user code coexist in memory Kernel integrity depends on a few processor features: Separate CPU modes for kernel and user code Well-defined transitions between these modes Kernel-only instructions and memory Keegan McAllister Writing kernel exploits User vs. kernel exploits Typical userspace exploit: Manipulate someone's buggy program, locally or remotely Payload runs in the context of that user Typical kernel exploit: Manipulate the local kernel using system calls Payload runs in kernel mode Goal: get root! Remote kernel exploits exist, but are much harder to write Keegan McAllister Writing kernel exploits Scope We'll focus on the Linux kernel and 32-bit x86 hardware. Most ideas will generalize. References are on the last slides. Keegan McAllister Writing kernel exploits Let's see some exploits! We'll look at Two toy examples Two real exploits in detail Some others in brief How to harden your kernel Keegan McAllister Writing kernel exploits NULL dereference Keegan McAllister Writing kernel exploits A simple kernel module Consider a simple Linux kernel module. It creates a file /proc/bug1. It defines what happens when someone writes to that file. Keegan McAllister Writing kernel exploits bug1.c void (*my_funptr)(void); int bug1_write(struct file *file, const char *buf, unsigned long len) { my_funptr(); return len; } int init_module(void){ create_proc_entry("bug1", 0666, 0) ->write_proc = bug1_write; return 0; } Keegan McAllister Writing kernel exploits The bug $ echo foo > /proc/bug1 BUG: unable to handle kernel NULL pointer dereference Oops: 0000 [#1] SMP Pid: 1316, comm: bash EIP is at 0x0 Call Trace : [<f81ad009>] ? bug1_write+0x9/0x10 [bug1] [<c10e90e5>] ? proc_file_write+0x50/0x62 ..
    [Show full text]
  • Hardware-Driven Evolution in Storage Software by Zev Weiss A
    Hardware-Driven Evolution in Storage Software by Zev Weiss A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy (Computer Sciences) at the UNIVERSITY OF WISCONSIN–MADISON 2018 Date of final oral examination: June 8, 2018 ii The dissertation is approved by the following members of the Final Oral Committee: Andrea C. Arpaci-Dusseau, Professor, Computer Sciences Remzi H. Arpaci-Dusseau, Professor, Computer Sciences Michael M. Swift, Professor, Computer Sciences Karthikeyan Sankaralingam, Professor, Computer Sciences Johannes Wallmann, Associate Professor, Mead Witter School of Music i © Copyright by Zev Weiss 2018 All Rights Reserved ii To my parents, for their endless support, and my cousin Charlie, one of the kindest people I’ve ever known. iii Acknowledgments I have taken what might be politely called a “scenic route” of sorts through grad school. While Ph.D. students more focused on a rapid graduation turnaround time might find this regrettable, I am glad to have done so, in part because it has afforded me the opportunities to meet and work with so many excellent people along the way. I owe debts of gratitude to a large cast of characters: To my advisors, Andrea and Remzi Arpaci-Dusseau. It is one of the most common pieces of wisdom imparted on incoming grad students that one’s relationship with one’s advisor (or advisors) is perhaps the single most important factor in whether these years of your life will be pleasant or unpleasant, and I feel exceptionally fortunate to have ended up iv with the advisors that I’ve had.
    [Show full text]
  • Proceedings of the Linux Symposium
    Proceedings of the Linux Symposium Volume One June 27th–30th, 2007 Ottawa, Ontario Canada Contents The Price of Safety: Evaluating IOMMU Performance 9 Ben-Yehuda, Xenidis, Mostrows, Rister, Bruemmer, Van Doorn Linux on Cell Broadband Engine status update 21 Arnd Bergmann Linux Kernel Debugging on Google-sized clusters 29 M. Bligh, M. Desnoyers, & R. Schultz Ltrace Internals 41 Rodrigo Rubira Branco Evaluating effects of cache memory compression on embedded systems 53 Anderson Briglia, Allan Bezerra, Leonid Moiseichuk, & Nitin Gupta ACPI in Linux – Myths vs. Reality 65 Len Brown Cool Hand Linux – Handheld Thermal Extensions 75 Len Brown Asynchronous System Calls 81 Zach Brown Frysk 1, Kernel 0? 87 Andrew Cagney Keeping Kernel Performance from Regressions 93 T. Chen, L. Ananiev, and A. Tikhonov Breaking the Chains—Using LinuxBIOS to Liberate Embedded x86 Processors 103 J. Crouse, M. Jones, & R. Minnich GANESHA, a multi-usage with large cache NFSv4 server 113 P. Deniel, T. Leibovici, & J.-C. Lafoucrière Why Virtualization Fragmentation Sucks 125 Justin M. Forbes A New Network File System is Born: Comparison of SMB2, CIFS, and NFS 131 Steven French Supporting the Allocation of Large Contiguous Regions of Memory 141 Mel Gorman Kernel Scalability—Expanding the Horizon Beyond Fine Grain Locks 153 Corey Gough, Suresh Siddha, & Ken Chen Kdump: Smarter, Easier, Trustier 167 Vivek Goyal Using KVM to run Xen guests without Xen 179 R.A. Harper, A.N. Aliguori & M.D. Day Djprobe—Kernel probing with the smallest overhead 189 M. Hiramatsu and S. Oshima Desktop integration of Bluetooth 201 Marcel Holtmann How virtualization makes power management different 205 Yu Ke Ptrace, Utrace, Uprobes: Lightweight, Dynamic Tracing of User Apps 215 J.
    [Show full text]
  • “Out-Of-VM” Approach for Fine-Grained Process Execution Monitoring
    Workshop for Frontiers of Cloud Computing, Dec 1, 2011, IBM T.J. Watson Research Center, NY Process Out-Grafting: An Efficient “Out-of-VM” Approach for Fine-Grained Process Execution Monitoring Deepa Srinivasan, Zhi Wang, Xuxian Jiang, Dongyan Xu * North Carolina State University, Purdue University* Malware Infection Trend New malware samples collected by McAfee Labs, by month* *Figure source: McAfee Threats Report: Second Quarter 2011, McAfee Labs 2 Anti-Malware Isolation Traditional anti-malware tools are not well-isolated Virtual Machine (VM) introspection Isolate tool by placing it outside a VM Analyze states and events externally User-mode Applications Monitor Virtual Machine … OS Kernel Hypervisor 3 Anti-Malware Isolation Traditional anti-malware tools are not well-isolated Virtual Machine (VM) introspection Isolate tool by placing it outside a VM Analyze states and events externally User-mode Applications Monitor VM Virtual Introspection Machine … OS Kernel Hypervisor 4 Out-of-VM Solutions Livewire (Garfinkel et al. , NDSS ‘03) XenAccess (Payne et al. , ACSAC ‘07) VMScope (Jiang et al. , RAID ‘07) Lares (Payne et al. , Oakland ‘08) … 5 Semantic Gap in Introspection What we want to observe High-level states and events (e.g. system calls, processes) What we can observe Low-level states and events (e.g. raw memory, interrupts) Internal User-mode Applications Monitor … External Monitor Semantic Virtual Machine Gap OS Kernel Hypervisor 6 Addressing the Semantic Gap Guest view casting VMWatcher (Jiang et al. , CCS
    [Show full text]
  • Postmodern Strace Dmitry Levin
    Postmodern strace Dmitry Levin Brussels, 2020 Traditional strace [1/30] Printing instruction pointer and timestamps print instruction pointer: -i option print timestamps: -r, -t, -tt, -ttt, and -T options Size and format of strings string size: -s option string format: -x and -xx options Verbosity of syscall decoding abbreviate output: -e abbrev=set, -v option dereference structures: -e verbose=set print raw undecoded syscalls: -e raw=set Traditional strace [2/30] Printing signals print signals: -e signal=set Dumping dump the data read from the specified descriptors: -e read=set dump the data written to the specified descriptors: -e write=set Redirecting output to files or pipelines write the trace to a file or pipeline: -o filename option write traces of processes to separate files: -ff -o filename Traditional strace [3/30] System call filtering trace only the specified set of system calls: -e trace=set System call statistics count time, calls, and errors for each system call: -c option sort the histogram printed by the -c option: -S sortby option Tracing control attach to existing processes: -p pid option trace child processes: -f option Modern strace [4/30] Tracing output format pathnames accessed by name or descriptor: -y option network protocol associated with descriptors: -yy option stack of function calls: -k option System call filtering pathnames accessed by name or descriptor: -P option regular expressions: -e trace=/regexp optional specifications: -e trace=?spec new syscall classes: %stat, %lstat, %fstat, %statfs, %fstatfs, %%stat, %%statfs
    [Show full text]
  • New Security Enhancements in Red Hat Enterprise Linux V.3, Update 3
    New Security Enhancements in Red Hat Enterprise Linux v.3, update 3 By Arjan van de Ven Abstract This whitepaper describes the new security features that have been added to update 3 of Red Hat Enterprise Linux v.3: ExecShield and support for NX technology. August 2004 Table of Contents Introduction 2 Types of Security Holes 2 Buffer Overflows 3 Countering Buffer Overflows 4 Randomization 6 Remaining Randomization: PIE Binaries 7 Compatibility 8 How Well Does it Work? 9 Future Work 10 ¢¡¤£¦¥¨§ © ¤ ¦ ¨¢ ¨ ! ¨! "¨ $#!© ¨%¦&¨¦ ¨! ¤' ¨¡(*)+¤-, ¡ ¡¤.!+ !£§ ¡¤%/ 01, © 02 ".§ + § ¨.)+.§ 3¦01¡.§4§ .© 02 .§ + § ¨.)+.§ 3¦01¡54¢! . !! !© 6¢'7.!"¡ .§.8¡.%¨¦ § © ¨0 #© %8&9© 0:§ ¨ ¨© 02 .§ ¨+ § ¨.)+¤§ 3;¡!54#!© %!0;<=¡.§ >!¨, ¨0 ¦?@BA$¨C.6B'ED8F ! Introduction The world of computer security has changed dramatically in the last few years. Network security used to be about one dedicated hacker trying to get into one government computer, but now it is often about automated mass attacks. The SQL Slammer and Code Red worms were the first wide-scale computer security incidents to get mainstream press coverage. Linux has had similar, less-invasive worms in the past, such as the Slapper worm of 2002. Another relatively new phenomenon is that compromised computers are primarily being used for other purposes, including sending spam or participating in Distributed Denial of Service (DDOS) attacks. A contributing factor to the mass-compromise problem is that a large portion1 of users and system administrators generally do not apply the security fixes that are provided by the operating system vendor. This leaves a significant number of vulnerable machines connected to the Internet at all times. Providing security updates after the fact, however, is not sufficient.
    [Show full text]
  • Comparing Solaris to Redhat Enterprise And
    THESE ARE TRYING TIMES IN SOLARIS- land. The Oracle purchase of Sun has caused PETER BAER GALVIN many changes both within and outside of Sun. These changes have caused some soul- Pete’s all things Sun: searching among the Solaris faithful. Should comparing Solaris to a system administrator with strong Solaris skills stay the course, or are there other RedHat Enterprise and operating systems worth learning? The AIX decision criteria and results will be different for each system administrator, but in this Peter Baer Galvin is the chief technologist for Corporate Technologies, a premier systems column I hope to provide a little input to integrator and VAR (www.cptech.com). Before that, Peter was the systems manager help those going down that path. for Brown University’s Computer Science Department. He has written articles and columns for many publications and is co- Based on a subjective view of the industry, I opine author of the Operating Systems Concepts that, apart from Solaris, there are only three and Applied Operating Systems Concepts worthy contenders: Red Hat Enterprise Linux (and textbooks. As a consultant and trainer, Peter teaches tutorials and gives talks on security its identical twins, such as Oracle Unbreakable and system administration worldwide. Peter Linux), AIX, and Windows Server. In this column blogs at http://www.galvin.info and twitters I discuss why those are the only choices, and as “PeterGalvin.” start comparing the UNIX variants. The next [email protected] column will contain a detailed comparison of the virtualization features of the contenders, as that is a full topic unto itself.
    [Show full text]
  • Advanced Debugging in the Linux Environment
    Advanced Debugging in the Linux Environment Stephen Rago NEC Laboratories America Tracing is an important debugging technique, especially with nontrivial applications, because it often isn’t clear how our programs interact with the operating system environment. For example, when you’re developing a C program, it is common to add printf statements to your program to trace its execution. This approach is the most basic of debugging techniques, but it has several drawbacks: you need to mod- ify and recompile your program, you might need to do so repeatedly as you gain moreinformation about what your program is doing, and you can’t put printf statements in functions belonging to libraries for which you don’t have source code. The Linux operating system provides morepowerful tools that make debugging easier and can overcome these limitations. This article provides a survey of these tools. We’ll start with a simple C program and see how some of these tools can help find bugs in the pro- gram. The program shown in Figure1includes three bugs, all marked by comments. #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #define BSZ 128 /* input buffer size */ #define MAXLINE 100000 /* lines stored */ char *lines[MAXLINE]; char buf[32]; /* BUG FIX #2: change 32 to BSZ */ int nlines; char * append(const char *str1, const char *str2) { int n = strlen(str1) + strlen(str2) + 1; char *p = malloc(n); if (p != NULL) { strcpy(p, str1); strcat(p, str2); } return(p); } void printrandom() { long idx = random() % nlines; fputs(lines[idx],
    [Show full text]
  • Integrity Checking for Process Hardening
    Integrity Checking For Process Hardening by Kyung-suk Lhee B.A. Korea University, 1991 Graduate Diploma, Griffith University, 1993 M.A. Boston University, 1995 DISSERTATION Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer and Information Science in the Graduate School of Syracuse University May 2005 Advisor: Professor Steve J. Chapin Abstract Computer intrusions can occur in various ways. Many of them occur by exploiting program flaws and system configuration errors. Existing solutions that detects specific kinds of flaws are substantially different from each other, so aggregate use of them may be incompatible and require substantial changes in the current system and computing practice. Intrusion detection systems may not be the answer either, because they are inherently inaccurate and susceptible to false positives/negatives. This dissertation presents a taxonomy of security flaws that classifies program vulnerabilities into finite number of error categories, and presents a security mechanism that can produce accurate solutions for many of these error categories in a modular fashion. To be accurate, a solution should closely match the characteristic of the target error category. To ensure this, we focus only on error categories whose characteristics can be defined in terms of a violation of process integrity. The thesis of this work is that the proposed approach produces accurate solutions for many error categories. To prove the accuracy of produced solutions, we define the process integrity checking approach and analyze its properties. To prove that this approach can cover many error categories, we develop a classification of program security flaws and find error characteristics (in terms of a process integrity) from many of these categories.
    [Show full text]