Skip to main content

Ptrace

Ptrace is a nice setup ( some people call dirty setup) on linux to debug running processes. This ptrace in sys/ptrace.h is used by strace and gdb. To trace a child process, the child process should call PTRACE_TRACEME. The kernel during each system call(or execution of each instruction) checks if the process is traced. If it is traced, it issues a SIGTRAP, the parent process if in wait() state, will get a signal. The parent issues a SIGSTOP to hold current state of child and can access the registers and memory of child using PEEKDATA and alter the values in register and memory using POKEDATA. Once the required job is done, parent will allow the child to run with a SIGCONT signal. Since one can access registers, the next instruction to be executed can be easily found using instruction pointer, this comes in handy when we need to set breakpoints while debugging. The entire code base can also be changed using ptrace.

PTRACE_ATTACH attaches a running process. It does some hack to become a temporary parent of the process(though PPID of the process points to the original parent). This helps us to run strace on any process with just the pid.
A comprehensive tutorial on ptrace is availabe at
http://www.linuxjournal.com/article/6100?page=0,0
http://www.linuxjournal.com/article/6210?page=0,0

Ptrace will cause huge performance degradation as it causes the child to make a lot of context switching(due to SIGSTOP signal)
Since Ubuntu 10.10, some restrictions are put on ptrace_attach where a non privileged user cant attach a process even if it is  running with the same uid as his. The file /etc/sysctl.d/10-ptrace.conf(the file  is self explanatory) has to edited appropriately if PTRACE_ATTACH is to be executed by non privileged users.

Comments

  1. Anonymous23 January 2022 at 18:57

    Star Sands Casino, New Jersey - Shootercasino
    Play and win 샌즈카지노 at Star Sands Casino with real casino games and a Welcome Bonus. Get bet365 your Sign Up Bonus when you join today!

    ReplyDelete

Post a Comment

Popular posts from this blog

How we have systematically improved the roads our packets travel to help data imports and exports flourish

This blog post is an account of how we have toiled over the years to improve the throughput of our interDC tunnels. I joined this company around 2012. We were scaling aggressively then. We quickly expanded to 4 DCs with a mixture of AWS and colocation. Our primary DC is connected to all these new DCs via IPSEC tunnels established from SRX. The SRX model we had, had an IPSEC throughput of 350Mbps. Around December 2015 we saturated the SRX. Buying SRX was an option on the table. Buying one with 2Gbps throughput would have cut the story short. The tech team didn't see it happening. I don't have an answer to the question, "Is it worth spending time in solving a problem if a solution is already available out of box?" This project helped us in improving our critical thinking and in experiencing the theoretical network fundamentals on live traffic, but also caused us quite a bit of fatigue due to management overhead. Cutting short the philosophy, lets jump to the story. ...
8 comments
Read more

LXC and Host Crashes

 We had set up a bunch of lxc containers on two servers each with 16 core CPUs and 64 GB RAM(for reliability and loadbalancing). Both the servers are on same vlan. The servers need to have atleast one of their network interface in promiscuous mode so that it forwards all packets on vlan to the bridge( http://blogs.eskratch.com/2012/10/create-your-own-vms-i.html ) which takes care of the routing to containers. If the packets are not addressed to the containers, the bridge drops the packet. Having this setup, we moved all our platform maintenance services to these containers. They are fault tolerant as we used two host machines where each host machine has a replica of the containers on the other. The probability to crash for both the servers at the same time due to some hardware/software failure is less. But to my surprise both the servers are crashing exactly the same time with a mean life time 20 days. We had to wake up late nights(early mornings) to fix stuffs that go...
Post a Comment
Read more

The FB outage

 This outage has caused considerable noise everywhere. It was quite discomforting for me because during the whole conversation nobody bothered to understand the gravity of the issue. I don't expect end users to understand the issue. But this is going to be a blogpost for all of those in the tech field, Such an event can happen how much ever chaos engineering, best of the tech jargon we implement in the stack To all my Site Reliability Engineer friends, Site Up is our first priority. I myself said many a times outage is news and SREs should prevent outage. But I'm afraid this is leading to a cult in the industry who despises outages and takes no learnings from it. I don't know what has happened in Facebook. I can explain a scenario which may or may not be right but that can definitely show the gravity of the issue. Let's draw a probable Facebook architecture Disclaimer I don't work at Facebook. So this might not be how facebook routes traffic. This is based on my exp...
2 comments
Read more