Kernel Korner - Kprobes—a Kernel Debugger
To understand better how Kprobes works, we should know the general concept of breakpoints, because Kprobes makes use of the same mechanism. A breakpoint is a mechanism provided by the hardware in most processors that we can use for debugging. For now, we are going to consider the x86 architecture. The instruction set for the processor provides a breakpoint instruction, and this instruction generates a breakpoint exception. Thus, control is transferred to the breakpoint exception handler. Most debuggers use this facility.
Suppose the debugger makes use of the breakpoint mechanism to debug. If it has to debug an instruction at a particular location, it replaces the corresponding instruction with the breakpoint instruction. The breakpoint instruction then generates the exception. The debugger contains a provision to be informed whenever such an exception is generated. The debugger then takes the necessary debugging steps, such as printing out the register values and manipulating them, as well as replacing the instruction with the original instruction. After this, execution of the instruction proceeds as usual.
When we register a pre-handler, what actually happens is Kprobes replaces the instruction at the memory location with a breakpoint instruction. The instruction that was present there is saved for later reference.
The following lines from the function int register_kprobe(struct kprobe *p) in the kernel/kprobes.c do this:
p->opcode = *p->addr; *p->addr = BREAKPOINT_INSTRUCTION;
Hence, whenever control reaches the particular location, the breakpoint exception occurs. The default breakpoint exception handler is modified by Kprobes. The modified exception handler checks whether the address has an instance of Kprobe associated with it. If there is an associated Kprobe, the exception handler executes the pre-handler. Otherwise, control is transferred to the normal breakpoint exception handler. If Kprobe is registered for that particular location, it prepares the processor to call the post-handler, which takes over once the pre-handler has executed.
The function responsible for handling the breakpoint is listed below:
asmlinkage int do_int3(struct pt_regs *regs, long error_code);
and the function that invokes the pre-handler is here:
static inline int kprobe_handler(struct pt_regs *regs);
The post-handler is executed after the instruction with which we associate the probe has executed. To facilitate this, the Kprobes framework gets some help from the hardware, specifically from a processor feature called trap generation.
If we have set the trap flag of the processor, it generates a trap exception after every instruction. After the pre-handler is run, the Kprobes framework sets the trap flag. It then replaces the breakpoint instruction with the original instruction. The function that prepares for the post-handler is presented below:
static inline void prepare_singlestep(struct kprobe *p, struct pt_regs *regs);
After the instruction we are debugging has executed, the processor generates a trap exception. The function responsible for the exception handling of the trap generation looks like this:
asmlinkage void do_debug(struct pt_regs * regs, long error_code);
and the function that does the necessary activities for the Kprobes post-handler is:
static inline int post_kprobe_handler(struct pt_regs *regs);
The post_kprobe_handler function calls the post-handler that we have registered for that particular probe.
The fault handler is executed whenever a fault is generated when executing the instruction under debug. The function responsible for Kprobes' activities on faults looks like this:
static inline int kprobe_fault_handler(struct pt_regs *regs, int trapnr);
This function is called under two circumstances:
Whenever a general protection fault occurs, do_general_protection, and we know that it has been generated by a Kprobes instruction.
Whenever a device-not-available fault generation occurs, and we know it has been generated by a Kprobes instruction.
In either of these cases, the fault handler can be used to discover what went wrong.
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems
Join editor Bill Childers and Bit9's Paul Riegle on April 27 at 12pm Central to learn how to keep your Linux systems secure.
Free to Linux Journal readers.Register Now!
|Security Hardening with Ansible||Aug 18, 2014|
|Monitoring Android Traffic with Wireshark||Aug 14, 2014|
|IndieBox: for Gamers Who Miss Boxes!||Aug 13, 2014|
|Non-Linux FOSS: a Virtualized Cisco Infrastructure?||Aug 11, 2014|
|Linux Security Threats on the Rise||Aug 08, 2014|
|Android Candy: Oyster—Netflix for Books!||Aug 07, 2014|
- Security Hardening with Ansible
- NSA: Linux Journal is an "extremist forum" and its readers get flagged for extra surveillance
- Readers' Choice Awards 2013
- Monitoring Android Traffic with Wireshark
- Tech Tip: Really Simple HTTP Server with Python
- [<Megashare>] Watch Mrs Brown's Boys Movie Online Full Movie HD 2014
- RSS Feeds
- IndieBox: for Gamers Who Miss Boxes!
- Returning Values from Bash Functions
- Linux Security Threats on the Rise