lorenz.stechauner/BSc-Thesis
1
0
Fork 0
Code Activity

thesis: Start Chapter 1

Browse Source
This commit is contained in:
Lorenz Stechauner
2025-08-05 11:10:55 +02:00
parent c68588919d
commit 786d5cac35
8 changed files with 78 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
thesis/src/01.introduction.tex
View File

@@ -3,18 +3,53 @@
Lorem Ipsum. Lorem Ipsum.
\section{TODO: Why intercept?}
\section{Motivation and Goal}\label{sec:motivation-and-goal}
Lorem Ipsum. Lorem Ipsum.
\section{TODO: Why are current solutions not enough?}
\section{Definitions}\label{sec:definitions}
Lorem Ipsum. Lorem Ipsum.
\section{TODO: Linux/C/ELF call structure}
\subsection{System Calls}\label{subsec:system-calls}
Lorem Ipsum. Lorem Ipsum.
\section{TODO: System Calls vs. Function Calls}\label{sec:system-calls-vs-function-calls}
\subsection{Function Calls}\label{subsec:function-calls}
Lorem Ipsum. Lorem Ipsum.
\section{Related Work}\label{sec:related-work}
See also Section~\ref{sec:methods-for-intercepting}.
Lorem Ipsum.
https://dl.acm.org/doi/10.1145/3728874
What other solutions are available?
What are the differences?
What are the characteristics?
\subsection{GDB Checker}\label{subsec:gdb-checker}
Lorem Ipsum.
\subsection{zpoline}\label{subsec:zpoline}
Lorem Ipsum.
\cite{zpoline}
\subsection{DataHook}\label{subsec:datahook}
Lorem Ipsum.
\cite{datahook}

4
thesis/src/02.intercept.tex
View File

@@ -11,7 +11,7 @@ For that see Chapter~\ref{ch:manipulating-function-calls}.
\section{Identified Methods for Intercepting Function and System Calls}\label{sec:methods-for-intercepting} \section{Identified Methods for Intercepting Function and System Calls}\label{sec:methods-for-intercepting}
First, one has to answer the question on \textit{how exactly} to intercept function or system calls. First, one has to answer the question on \textit{how exactly} to intercept function or system calls.
At the beginning of this work it was not yet determined if the interception of function calls, system calls, or both should be used to achieve the overarching goal (see\todo{Goals}). At the beginning of this work it was not yet determined if the interception of function calls, system calls, or both should be used to achieve the overarching goal (see Section~\ref{sec:motivation-and-goal}).
This first section tries to list all possible methods on how to intercept function or system calls but does not claim completeness. This first section tries to list all possible methods on how to intercept function or system calls but does not claim completeness.
The order of the following subsections is roughly based on the thought process on finding the most appropriate method suitable for this work. The order of the following subsections is roughly based on the thought process on finding the most appropriate method suitable for this work.
@@ -217,7 +217,7 @@ Although, one has to be aware that not only function calls inside the targeted b
\subsection{Conclusion}\label{subsec:methods-for-intercepting-conclusion} \subsection{Conclusion}\label{subsec:methods-for-intercepting-conclusion}
During the research on different approaches to intercepting system and function calls, During the research on different approaches to intercepting system and function calls,
it has been found that the most reliable way to achieve the goals of this work (see \todo{Goals}) is to intercept function calls instead of system calls. it has been found that the most reliable way to achieve the goals of this work (see Section~\ref{sec:motivation-and-goal}) is to intercept function calls instead of system calls.
This is because (as long as the programs to test are dynamically linked), intercepting function calls allows one to intercept many more calls and in a more flexible way. This is because (as long as the programs to test are dynamically linked), intercepting function calls allows one to intercept many more calls and in a more flexible way.
Therefore, from now on this work only considers function calls and no system calls directly. Therefore, from now on this work only considers function calls and no system calls directly.

6
thesis/src/03.manipulate.tex
View File

@@ -106,7 +106,7 @@ This may be the case when the following function calls differ from those which w
\subsection{Testing Return Value Checks}\label{subsec:testing-return-value-checks} \subsection{Testing Return Value Checks}\label{subsec:testing-return-value-checks}
Figure~\ref{fig:call-sequence} shows the simplified and collapsed call sequence graph of prior example in Section~\ref{sec:intercepting-example}. Figure~\ref{fig:call-sequence} shows the simplified and collapsed call sequence graph of the prior example in Section~\ref{sec:intercepting-example}.
Each edge between two nodes without any label indicates the next function call on a normal run of the program. Each edge between two nodes without any label indicates the next function call on a normal run of the program.
Edges labeled with ``fail'' indicate the next function call after a mocked failed call. Edges labeled with ``fail'' indicate the next function call after a mocked failed call.
In reality, there are multiple failing paths, each for every possible error return value, but in this example they all yield the same resulting path, therefore, they have been collapsed. In reality, there are multiple failing paths, each for every possible error return value, but in this example they all yield the same resulting path, therefore, they have been collapsed.
@@ -116,8 +116,8 @@ This test seems trivial at first.
The simplest approach is to verify that after a failing function call only ``cleanup'' function calls (\texttt{free}, \texttt{close}, \texttt{exit}, \dots) follow. The simplest approach is to verify that after a failing function call only ``cleanup'' function calls (\texttt{free}, \texttt{close}, \texttt{exit}, \dots) follow.
For simple programs, this assumption may hold, but there are many exceptions. For simple programs, this assumption may hold, but there are many exceptions.
For example, what if the program recognizes the failed call correctly as failed but recovers and continues to operate normally? For example, what if the program recognizes the failed call correctly as failed but recovers and continues to operate normally?
Or what if the ``cleanup'' path is very complex and includes function calls not prior marked as valid cleanup functions? Or what if the ``cleanup'' path is very complex and includes function calls not priorly marked as valid cleanup functions?
However, for simple programs (like those mentioned in\todo{Goals}) the simplest approach from above suffices. However, for simple programs (like those mentioned in Section~\ref{sec:motivation-and-goal}), the simplest approach from above suffices.
\begin{figure} \begin{figure}
\begin{tikzpicture}[node distance=15mm, thick, main/.style = {draw, circle}, text centered] \begin{tikzpicture}[node distance=15mm, thick, main/.style = {draw, circle}, text centered]

0
thesis/src/05.conclusion.tex → thesis/src/04.conclusion.tex
View File

18
thesis/src/04.related-work.tex
View File

@@ -1,18 +0,0 @@
\chapter{Related Work}\label{ch:related-work}
Lorem Ipsum.
What other solutions are available?
What are the differences?
What are the characteristics?
\section{GDB Checker}\label{sec:gdb-checker}
Lorem Ipsum.
\section{zpoline}\label{sec:zpoline}
Lorem Ipsum.

29
thesis/src/99.intercept.bib
View File

@@ -50,3 +50,32 @@
title = {Using the GNU Compiler Collection (GCC)}, title = {Using the GNU Compiler Collection (GCC)},
url = {https://gcc.gnu.org/onlinedocs/gcc/index.html}, url = {https://gcc.gnu.org/onlinedocs/gcc/index.html},
} }
@inproceedings{zpoline,
author = {Kenichi Yasukata and Hajime Tazaki and Pierre-Louis Aublin and Kenta Ishiguro},
title = {zpoline: a system call hook mechanism based on binary rewriting},
booktitle = {2023 USENIX Annual Technical Conference (USENIX ATC '23)},
year = {2023},
isbn = {978-1-939133-35-9},
address = {Boston, MA},
pages = {293--300},
url = {https://www.usenix.org/conference/atc23/presentation/yasukata},
publisher = {USENIX Association},
month = jul,
}
@article{datahook,
author = {Hong, Quan and Li, Jiaqi and Zhang, Wen and Zhai, Lidong},
title = {DataHook: An Efficient and Lightweight System Call Hooking Technique without Instruction Modification},
year = {2025},
issue_date = {July 2025},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
volume = {2},
number = {ISSTA},
url = {https://doi.org/10.1145/3728874},
doi = {10.1145/3728874},
journal = {Proc. ACM Softw. Eng.},
month = jun,
articleno = {ISSTA005},
numpages = {21},
keywords = {DataHook, Hooking technique, Software analysis, Software debugging, System call}
}

BIN
thesis/src/listings/main Executable file
View File

Binary file not shown.

11
thesis/thesis.tex
View File

@@ -91,7 +91,7 @@
% Required data. % Required data.
\setregnumber{12119052} \setregnumber{12119052}
\setdate{01}{06}{2025} % Set date with 3 arguments: {day}{month}{year}. \setdate{01}{08}{2025} % Set date with 3 arguments: {day}{month}{year}.
\settitle{\thesistitle}{Abfangen und Manipulieren von\\System-/Funktionsaufrufen in\\Linux-Systemen} % Sets English and German version of the title (both can be English or German). If your title contains commas, enclose it with additional curvy brackets (i.e., {{your title}}) or define it as a macro as done with \thesistitle. \settitle{\thesistitle}{Abfangen und Manipulieren von\\System-/Funktionsaufrufen in\\Linux-Systemen} % Sets English and German version of the title (both can be English or German). If your title contains commas, enclose it with additional curvy brackets (i.e., {{your title}}) or define it as a macro as done with \thesistitle.
%\setsubtitle{Optional Subtitle of the Thesis}{Optionaler Untertitel der Arbeit} % Sets English and German version of the subtitle (both can be English or German). %\setsubtitle{Optional Subtitle of the Thesis}{Optionaler Untertitel der Arbeit} % Sets English and German version of the subtitle (both can be English or German).
@@ -152,14 +152,13 @@
\input{src/01.introduction} \input{src/01.introduction}
\input{src/02.intercept} \input{src/02.intercept}
\input{src/03.manipulate} \input{src/03.manipulate}
\input{src/04.related-work} \input{src/04.conclusion}
\input{src/05.conclusion}
\backmatter \backmatter
% Declare the use of AI tools as mentioned in the statement of originality. % Declare the use of AI tools as mentioned in the statement of originality.
% Use either the English aitools or the German kitools. % Use either the English aitools or the German kitools.
\begin{aitools} \begin{aitools}
\todo{Enter your text here.} No generative AI tools were used in and for this work whatsoever.
\end{aitools} \end{aitools}
%\begin{kitools} %\begin{kitools}
@@ -174,8 +173,8 @@
\listoftables % Starred version, i.e., \listoftables*, removes the toc entry. \listoftables % Starred version, i.e., \listoftables*, removes the toc entry.
% Use an optional list of algorithms. % Use an optional list of algorithms.
\listofalgorithms %\listofalgorithms
\addcontentsline{toc}{chapter}{List of Algorithms} %\addcontentsline{toc}{chapter}{List of Algorithms}
% Use an optional list of listings. % Use an optional list of listings.
\cleardoublepage \cleardoublepage