Message-ID: <CAL26m8Jfb8bgfDLKZtn2LkYHD6uCccD3UcsSMbHtpnUKR5_mxw@mail.gmail.com>
Date: Wed, 28 Mar 2012 11:23:46 -0700
From: Vaibhav Nagarnaik <vnagarnaik@...gle.com>
To: "H. Peter Anvin" <hpa@...or.com>
Cc: Steven Rostedt <rostedt@...dmis.org>,
Frederic Weisbecker <fweisbec@...il.com>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
David Sharp <dhsharp@...gle.com>,
Justin Teravest <teravest@...gle.com>,
Laurent Chavey <chavey@...gle.com>, x86@...nel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 4/6] trace: trace syscall in its handler not from ptrace handler

On Mon, Mar 26, 2012 at 10:00 PM, H. Peter Anvin <hpa@...or.com> wrote:
> On 03/26/2012 11:39 AM, Vaibhav Nagarnaik wrote:
>> The syscalls are a tricky bunch to trace, because of their multitude and
>> dynamic nature of the list. In order to solve this, a macro handled the
>> syscalls handler definition and it was expanded into setting up the
>> metadata for the syscall event. A handler hooked into the ptrace syscall
>> tracer to check whether an invoked syscall was supposed to be traced.
>>
>> This added latency to all the invoked syscalls, since they had to be
>> checked for tracing and also affected the latency of syscall that was
>> actually getting traced. For e.g., using a simple program which invokes
>> getuid() in a repeated loop and calculates the average time per syscall
>> invocation found a latency of 570 - 117 = 453 ns added to every traced
>> syscall.
>>
>> This patch changes the syscall macro expansion, to create a function
>> that adds the entry and exit tracepoints for the given syscall so that
>> the latency can be avoided. This was suggested by Mathieu Desnoyers in
>> https://lkml.org/lkml/2010/10/13/337
>>
>> After this patch, the latency added is 370 - 117 = 253 ns per invocation
>> of a traced syscall. This is on par with a simple tracepoint added to
>> any kernel code path.
>>
>> This patch also makes syscall tracing architecture independent as there
>> is no need to have a hook into the architecture specific syscall tracer
>> functions.
>>
>
> I am officially confused here. You have a single, common, dispatch
> point for all system calls -- why don't you use it? That is of course
> the system call table. If you want to trace a system call, override the
> entry point in the syscall table to point to a hook function which can
> provide entry and exit hooks. It's not even code, it's data, so you
> don't even have to play the code patching song and dance routine
> (although you may have to map it read/write which is normally not the
> case for security reasons.)

I am sorry I don't see how that would be possible without having some
sort of architecture dependent changes. Also as you mentioned, it will
have some security considerations.

If you can suggest a better way without going through this macro
magic, I will be glad to implement it. The 2 main reasons I made this
patch were to remove the added latency in syscall tracing and to remove
penalty for syscalls that are not traced.

Thanks
Vaibhav Nagarnaik
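
Added example, not part of the original message or the patch: a user-space microbenchmark of the kind the quoted commit message describes, calling getuid() in a loop and reporting the average time per call. The function names, iteration counts and the warm-up/best-of-N policy are assumptions chosen for this sketch.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <time.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Monotonic clock reading in nanoseconds. */
static uint64_t now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}

/* Average cost of one getuid() over `iters` calls. The raw syscall()
 * wrapper is used so that every iteration really enters the kernel. */
static double run_once(long iters)
{
    uint64_t start = now_ns();
    for (long i = 0; i < iters; i++)
        (void)syscall(SYS_getuid);
    return (double)(now_ns() - start) / (double)iters;
}

/* Lowest average over `rounds` runs, after one short warm-up run.
 * Taking the minimum filters out scheduler and interrupt noise. */
double avg_getuid_ns(long iters, int rounds)
{
    double best;

    run_once(iters / 10 + 1);          /* warm caches and branch predictors */
    best = run_once(iters);
    for (int r = 1; r < rounds; r++) {
        double v = run_once(iters);
        if (v < best)
            best = v;
    }
    return best;
}

int main(void)
{
    printf("getuid(): %.1f ns per call\n", avg_getuid_ns(1000000, 5));
    return 0;
}
```

Run it once with syscall tracing of getuid disabled and once with it enabled; the difference between the two figures is the per-call overhead, computed the same way as the 570 - 117 and 370 - 117 numbers above.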