thesis: Complete first section
@@ -1,11 +1,19 @@
\chapter{Intercepting Function Calls}\label{ch:intercepting-function-calls}
Lorem Ipsum.
In this chapter all steps on how to intercept function calls in this work are discussed.
An example of what the resulting interception looks like may be found in section \ref{sec:intercepting-example}.
Furthermore, an overview on how to test given programs is presented in section \ref{sec:automated-testing-on-intercepted-function-calls}.
This chapter does not discuss how these function calls may be manipulated in any way.
For that see chapter \ref{ch:manipulating-function-calls}.
\section{Identified Methods for Intercepting Function and System Calls}\label{sec:methods-for-intercepting}
Lorem Ipsum.
First, one has to answer the question on \textit{how exactly} to intercept function or system calls.
At the beginning of this work it was not yet determined if the interception of function calls, system calls, or both should be used to achieve the overarching goal (see\todo{Goal}).
This first section tries to list all possible methods on how to intercept function or system calls but does not claim completeness.
The order of the following subsections is roughly based on the thought process on finding the most appropriate method suitable for this work.
\subsection{\texttt{ptrace} System Call}\label{subsec:ptrace}
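Review bot: The new introduction leaves an unresolved `\todo{Goal}` inside the sentence "(see\todo{Goal})", and the macro also needs a space before it so the parenthesis does not read as part of the word; either fill in the reference to the goals section or at least normalise the placeholder so it can be found later. The sentence "tries to list all possible methods ... but does not claim completeness" contradicts itself; "lists the methods identified for intercepting function or system calls, without claiming completeness" says what is meant. The labels `sec:intercepting-example`, `sec:automated-testing-on-intercepted-function-calls` and `ch:manipulating-function-calls` are referenced here but not defined in this diff, so check that they exist before the chapter is built, otherwise these become "??" in the PDF. If either `Lorem Ipsum.` line survives in the new version of this region, it should go now that real text is in place.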
@@ -27,8 +35,8 @@ Each system call is recorded as a line and either written to the standard error
Listings \ref{lst:main.c} and \ref{lst:strace} give a simple example of what this output looks like.
It is clearly visible that only (``pure'') system calls are recorded, and calls to library functions (like \texttt{malloc} or \texttt{free}) do not appear.
Also note that, arguments to the calls are displayed in a ``pretty'' way.
For example, strings arguments would be simple pointers, but \texttt{strace} displays them as C-like strings.
Also note that arguments to the calls are displayed in a ``pretty'' way.
For example, string arguments would be simple pointers, but \texttt{strace} displays them as C-like strings.
\begin{listing}[htbp]
\begin{minted}[linenos]{c}
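Review bot: The two wording fixes in this hunk ("Also note that, arguments" and "strings arguments") are correct. The sentence before them, "only (``pure'') system calls are recorded, and calls to library functions (like `malloc` or `free`) do not appear", deserves a qualifier: the library calls do not appear by name, but their effect can still surface in the trace as the `brk` or `mmap` system calls the allocator issues, so a reader should not conclude that allocations are invisible to `strace`. One sentence to that effect would make the contrast with `ltrace` in the next hunk sharper.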
@@ -90,10 +98,16 @@ free(0x55624164b2a0) = <void>
This method fits the requirements for this work a lot better than \texttt{strace} (see~\ref{subsec:strace}),
but it is not very flexible and offers no means to modify the intercepted function calls.
\subsection{Kernel Module}\label{subsec:kernel-module}
Another possibility to intercept system calls is to intercept them directly in the kernel via a kernel module.
However, this work did not explore this approach further due to time constraints and other, better-fitting alternatives.
See \cite[Section~7.2]{netsectools2005} for more details on how to intercept system calls using kernel modules.
\subsection{Wrapper Functions in gcc}\label{subsec:wrapper-functions}
A different approach to intercepting function calls is to tell the compiler directly, which functions should be intercepted.
A different approach to intercepting function calls is to tell the compiler directly which functions should be intercepted.
The compiler, and the linker respectively, then directly link calls to the specified functions to wrapper functions.
(See \ref{subsec:preloading} for more details.)
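Review bot: The new "Kernel Module" subsection gives only time constraints as the reason for not pursuing it; the stronger argument for a testing tool belongs here too: a module runs with full kernel privileges, needs root to load, and a bug in it takes down the whole machine instead of just the program under test, whereas the user-space methods discussed next fail in isolation. In the "Wrapper Functions in gcc" subsection, "(See \ref{subsec:preloading} for more details.)" points the reader to a different method for details on this one; say what preloading adds (or point to the later section that combines both) so the forward reference is not confusing. "The compiler, and the linker respectively, then directly link calls" reads awkwardly; "The linker, invoked by the compiler, then redirects calls to the specified functions to wrapper functions" is clearer. Minor: "(see~\ref{subsec:strace})" lacks the "Section~" prefix used for the citation a few lines below; pick one style.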
@@ -114,7 +128,7 @@ See the OPTIONS section in the ld(1) Linux manual page~\cite{ld.1}:
\end{description}
\end{quote}
The gcc compiler also supports this, by allowing to pass options to the linker.
The gcc compiler also supports this by allowing passing options to the linker.
See the OPTIONS section in the gcc(1) Linux manual page~\cite{gcc.1}:
\begin{quote}
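Review bot: "by allowing passing options to the linker" is still awkward after the edit; "by passing options through to the linker" reads naturally. Since the reader is sent to the gcc(1) OPTIONS section for the detail, naming the mechanism in the sentence (gcc's `-Wl,` prefix, which forwards the following option to `ld`) would save them the lookup and ties this paragraph to the `ld(1)` quote that precedes it.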
@@ -180,7 +194,7 @@ They find and load the shared objects (shared libraries) needed by a program, pr
As the overwhelming majority of programs are dynamically linked,
most function calls to other libraries (like to the C standard library) reference a shared object, which has to be loaded by the linker at runtime.
Therefore, it would be possible to ``hijack'' (or intercept) these function calls,
Therefore, it would be possible to ``hijack'' (or intercept) these function calls
when the linker would allow loading other functions instead of the proper ones.
Luckily, \texttt{ld.so} allows this so-called ``preloading''.
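Review bot: Dropping the comma after "function calls" is right, but the clause that follows, "when the linker would allow loading other functions instead of the proper ones", should be "if the dynamic linker allows loading other functions in place of the proper ones". This paragraph and the previous subsection both say "the linker" for two different programs: `ld`, which resolves symbols at link time, and `ld.so`, which loads shared objects at run time; name the dynamic linker explicitly here, since preloading is a feature of the latter only. "As the overwhelming majority of programs are dynamically linked" is asserted without support; either cite a source or soften it to "most programs on common Linux distributions".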
@@ -238,9 +252,17 @@ By using this method, it is possible to override, and therefore wrap, any functi
Although, one has to be aware that not only function calls inside the targeted binary, but also calls inside other libraries (e.g., to \texttt{malloc}) are redirected to the overriding function.
\subsection{Conclusion}\label{subsec:conclusion}
\subsection{Conclusion}\label{subsec:methods-for-intercepting-conclusion}
During the research on different approaches to intercepting system and function calls,
it has been found that the most reliable way to achieve the goals of this work (see \todo{goals}) is to intercept function calls instead of system calls.
This is because (as long as the programs to test are dynamically linked), intercepting function calls allows one to intercept many more calls and in a more flexible way.
Therefore, from now on this work only considers function calls and no system calls directly.
In this work preloading (see \ref{subsec:preloading}) was chosen to be used
because it is simple to use (``clean'' source code, easy to compile and run programs with it) and offers the means to arbitrarily execute code when the intercepted function call is redirected.
The following sections concern the next steps in what else is needed to create a powerful ``interceptor''.
Lorem Ipsum.
\section{Combining Preloading and Wrapper Functions}\label{sec:combining-preloading-and-wrapper-functions}
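Review bot: Renaming the label to `subsec:methods-for-intercepting-conclusion` is a good move (a bare `subsec:conclusion` will clash as soon as another section gets a conclusion), but any existing `\ref{subsec:conclusion}` elsewhere in the thesis now breaks; grep for it. `\todo{goals}` here and `\todo{Goal}` in the first hunk are the same missing reference under two spellings; use one so the todo list merges them. The conclusion states the choice but not its limits, which matter for a testing tool: the parenthesis "(as long as the programs to test are dynamically linked)" is the only mention that statically linked binaries fall outside the approach, and `ld.so` also ignores `LD_PRELOAD` for set-user-ID programs in secure-execution mode. Together with the remark in the first context line that calls from every loaded library, not just the target binary, are redirected, these belong in a short limitations sentence before moving on to the combined method.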
@@ -22,3 +22,12 @@
@manual{ltrace.conf.5,
title = {ltrace.conf(5) -- ltrace configuration file -- Linux manual pages},
}
@book{netsectools2005,
author = {Dhanjani, Nitesh and Clarke, Justin},
title = {Network Security Tools},
subtitle = {Writing, Hacking, and Modifying Security Tools},
date = {April 2005},
isbn = {0-596-00794-9},
publisher = {O'Reilly},
url = {https://litux.nl/mirror/networksecuritytools/0596007949/toc.html},
}
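Review bot: The `date = {April 2005}` field in the new `netsectools2005` entry will not parse if the thesis uses biblatex, which expects ISO form (`date = {2005-04}`); if it uses plain BibTeX instead, `date` and `subtitle` are silently ignored and the entry needs `year` and `month` fields. The `url` points at a third-party mirror of the book text rather than the publisher, which is a weak citation for a thesis; cite the publisher's page or drop the URL and rely on the ISBN, and if a URL stays, add `urldate` since `\cite[Section~7.2]{netsectools2005}` in the kernel-module subsection depends on this entry.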