| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 19 Sep 2006 09:04:43 -0700 From: Martin Bligh <mbligh@...gle.com> To: "Frank Ch. Eigler" <fche@...hat.com> CC: Ingo Molnar <mingo@...e.hu>, Mathieu Desnoyers <mathieu.desnoyers@...ymtl.ca>, Paul Mundt <lethal@...ux-sh.org>, linux-kernel <linux-kernel@...r.kernel.org>, Jes Sorensen <jes@....com>, Andrew Morton <akpm@...l.org>, Tom Zanussi <zanussi@...ibm.com>, Richard J Moore <richardj_moore@...ibm.com>, Michel Dagenais <michel.dagenais@...ymtl.ca>, Christoph Hellwig <hch@...radead.org>, Greg Kroah-Hartman <gregkh@...e.de>, Thomas Gleixner <tglx@...utronix.de>, William Cohen <wcohen@...hat.com>, ltt-dev@...fik.org, systemtap@...rces.redhat.com, Alan Cox <alan@...rguk.ukuu.org.uk> Subject: Re: [PATCH] Linux Kernel Markers Frank Ch. Eigler wrote: > Hi - > > On Tue, Sep 19, 2006 at 08:11:40AM -0700, Martin J. Bligh wrote: > > >>[...] Why don't we just copy the whole damned function somewhere >>else, and make an instrumented copy (as a kernel module)? Then >>reroute all the function calls through it [...] > > > Interesting idea. Are you imagining this instrumented copy being > built at kernel compile time (something like building a "-g -O0" > parallel)? Or compiled anew from original sources after deployment? > Or on-the-fly binary-level rewriting a la SPIN? "compiled anew from original sources after deployment" seems the most practical to do to me. From second hand info on using systemtap, you seem to need the same compiler and source tree to work from anyway, so this doesn't seem much of a burden. >>OK, it's not completely trivial to do, but simpler than kprobes [...] > > None of the three above are that easy. Do you have an implementation > idea? not in detail, but given the problems that the other probe technologies solved, it seems easy in comparison. It seems like all we'd need to do is "list all references to function, freeze kernel, update all references, continue", but perhaps I'm oversimplifying it ... if it's all just straight calls, it'd seem easy. The freeze would be very short, it's just poking a few addresses. Having multiple hooks inside the same function pieced in at different times, etc gets tricky, but you can always fall back on one of the other methods if you get something complicated (or enforce some self-dicipline in userspace on how to compound them together). Ingo Molnar wrote: > yeah, this would be nice - if it werent it for function pointers, > and if all kernel functions were relocatable. But if you can think of > a method to do this, it would be nice. Well, it doesn't have to work for everything. But would be much nicer for when it does work, it seems to me. Which functions are not relocatable? Function pointers are indeed a problem, for the functions they're used on, but they're not common. Some simple markup for these types of functions would fix it easily enough, I'd think. A more common problem would seem to me to be instrumenting a inlined function that was pulled into multiple places, but even that doesn't seem particularly difficult. M. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists