SlideShare a Scribd company logo

Let's write a Debugger!

L
Levente Kurusa

A short, introductory talk to the world of debuggers. During the talk, we write a simple debugger application in Rust. Video at: https://www.youtube.com/watch?v=qS51kIHWARM

Engineering
1 of 45
Download to read offline
Let’s write a Debugger! Levente Kurusa <levex@linux.com> Imperial College London linux.conf.au 2018, Sydney, Australia January 25, 2018
Who am I? • Final year undergraduate at Imperial College London • Previously at Apple and Red Hat • Mostly working on operating systems and low-level performance • Writes in C, Haskell, Rust, Go. 1
History of debuggers
Single user machines • One of the first computers in the world • Small application was loaded at the top of the memory • single step • examine registers • read/write memory TX-0 at MIT 2
Batch processing machines 3
Batch processing machines Debugged by putting macro call in the punch card and generating: • Snapshots (register dump) • Core dumps (contents of memory) 3
printf Then came CTSS (Compatible Time-Sharing System), one of the first time-sharing operating systems! Debugging suddenly became interactive. printf-debugging *ptr = 1337; printf("Did we crash at line %d?n", __LINE__); *((int *) 0) = 1337; printf("Did we crash at line %d?n", __LINE__); 4
Unix-es • The first version of UNIX had a debugger called, DB • GNU had GDB and LLDB • For Plan 9, ADB was created These debuggers should be familiar! 5
Tracing processes
ptrace Most debuggers heavily rely on a system call known as ptrace. The prototype of ptrace(2) #include <sys/ptrace.h> long ptrace(enum __ptrace_request request, pid_t pid, void *addr, void *data); 6
Signals How does int a = 3, b = 0, c = a / b result in a SIGFPE? 7
Signals How does int a = 3, b = 0, c = a / b result in a SIGFPE? 1. Division by zero is noticed by the CPU 7
Signals How does int a = 3, b = 0, c = a / b result in a SIGFPE? 1. Division by zero is noticed by the CPU 2. The CPU raises a divide-by-zero error (#DE) 7
Signals How does int a = 3, b = 0, c = a / b result in a SIGFPE? 1. Division by zero is noticed by the CPU 2. The CPU raises a divide-by-zero error (#DE) 3. A handler in the kernel is eventually called 7
Signals How does int a = 3, b = 0, c = a / b result in a SIGFPE? 1. Division by zero is noticed by the CPU 2. The CPU raises a divide-by-zero error (#DE) 3. A handler in the kernel is eventually called 4. The kernel sends a SIGFPE to the offending process 7
Signals How does int a = 3, b = 0, c = a / b result in a SIGFPE? 1. Division by zero is noticed by the CPU 2. The CPU raises a divide-by-zero error (#DE) 3. A handler in the kernel is eventually called 4. The kernel sends a SIGFPE to the offending process 5. Your signal handler is called (or not if it is SIGKILL) 7
Implementation • Enable tracing • Run until system call • Monitoring registers • Single stepping • Memory manipulation 8
Implementation • Enable tracing • Run until system call • Monitoring registers • Single stepping • Memory manipulation 8
Implementation • Enable tracing • PTRACE TRACEME • Run until system call • Monitoring registers • Single stepping • Memory manipulation 8
Implementation • Enable tracing • PTRACE TRACEME • Run until system call • Monitoring registers • Single stepping • Memory manipulation 8
Implementation • Enable tracing • PTRACE TRACEME • Run until system call • PTRACE SYSCALL • PTRACE SYSEMU • Monitoring registers • Single stepping • Memory manipulation 8
Implementation • Enable tracing • PTRACE TRACEME • Run until system call • PTRACE SYSCALL • PTRACE SYSEMU • Monitoring registers • Single stepping • Memory manipulation 8
Implementation • Enable tracing • PTRACE TRACEME • Run until system call • PTRACE SYSCALL • PTRACE SYSEMU • Monitoring registers • PTRACE PEEKUSER / PTRACE POKEUSER • PTRACE GETREGS / PTRACE SETREGS • Single stepping • Memory manipulation 8
Implementation • Enable tracing • PTRACE TRACEME • Run until system call • PTRACE SYSCALL • PTRACE SYSEMU • Monitoring registers • PTRACE PEEKUSER / PTRACE POKEUSER • PTRACE GETREGS / PTRACE SETREGS • Single stepping • Memory manipulation 8
Implementation • Enable tracing • PTRACE TRACEME • Run until system call • PTRACE SYSCALL • PTRACE SYSEMU • Monitoring registers • PTRACE PEEKUSER / PTRACE POKEUSER • PTRACE GETREGS / PTRACE SETREGS • Single stepping • PTRACE SINGLESTEP • Memory manipulation 8
Implementation • Enable tracing • PTRACE TRACEME • Run until system call • PTRACE SYSCALL • PTRACE SYSEMU • Monitoring registers • PTRACE PEEKUSER / PTRACE POKEUSER • PTRACE GETREGS / PTRACE SETREGS • Single stepping • PTRACE SINGLESTEP • Memory manipulation 8
Implementation • Enable tracing • PTRACE TRACEME • Run until system call • PTRACE SYSCALL • PTRACE SYSEMU • Monitoring registers • PTRACE PEEKUSER / PTRACE POKEUSER • PTRACE GETREGS / PTRACE SETREGS • Single stepping • PTRACE SINGLESTEP • Memory manipulation • PTRACE PEEKTEXT / PTRACE POKETEXT • PTRACE PEEKDATA / PTRACE POKEDATA 8
Architectural support
Interrupting a process PTRACE SINGLESTEP 9
Interrupting a process PTRACE SINGLESTEP %EFLAGS 9
Interrupting a process PTRACE SINGLESTEP %EFLAGS.TF 9
Interrupting a process PTRACE SINGLESTEP Trap flag (Sometimes referred to as ”Trace flag”) 9
Interrupting a process PTRACE SINGLESTEP Trap flag (Sometimes referred to as ”Trace flag”) • After each instruction, trap into #DB interrupt • The kernel delivers a SIGTRAP • This fact is delivered via a wait-event to the debugger 9
Interrupting a process Breakpoints 10
Interrupting a process Breakpoints • ud2 (machine code: 0x0F 0x0B) • Triggers #UD – Undefined instruction exception 10
Interrupting a process Breakpoints • ud2 (machine code: 0x0F 0x0B) • Triggers #UD – Undefined instruction exception • int $3 (machine code: 0xCC) • Triggers #BP – Breakpoint exception 10
Breakpoint implementation • Replace with ”int $3” 11
Breakpoint implementation • Replace with ”int $3” • Take note of the previous instruction 11
Breakpoint implementation • Replace with ”int $3” • Take note of the previous instruction • When the breakpoint is hit, replace with the previous instruction 11
Breakpoint implementation • Replace with ”int $3” • Take note of the previous instruction • When the breakpoint is hit, replace with the previous instruction • Try executing the instruction again Nota bene: • Could have used ”ud2” 11
Debug registers • DR0 - DR3: Linear addresses 12
Debug registers • DR0 - DR3: Linear addresses • DR6: Debug control Contains bitmasks for: • 1, 2, 4 or 8 bytes monitored • Break on read, write, execute, or read+write 12
Debug registers • DR0 - DR3: Linear addresses • DR6: Debug control Contains bitmasks for: • 1, 2, 4 or 8 bytes monitored • Break on read, write, execute, or read+write • DR7: Debug status Bitmask showing which of DR0-DR3 triggered the #DB 12
Debug registers • DR0 - DR3: Linear addresses • DR6: Debug control Contains bitmasks for: • 1, 2, 4 or 8 bytes monitored • Break on read, write, execute, or read+write • DR7: Debug status Bitmask showing which of DR0-DR3 triggered the #DB • DR4 & DR5: Obsolete aliases to DR6 & DR7 12
Thanks! Thank you for your attention! Twitter: @iLevex Email: <levex@linux.com> GitHub: levex Website: http://osdev.me/ The LATEX theme is available at github.com/matze/mtheme Both the theme and the talk are licensed under the CC-BY-SA 4.0 International license. 13

Recommended

Midterm Presentation
Midterm PresentationMidterm Presentation
Midterm PresentationZhongzhi Yu
 
PLDI 2010: Safe to the Last Instruction
PLDI 2010: Safe to the Last InstructionPLDI 2010: Safe to the Last Instruction
PLDI 2010: Safe to the Last Instructionjxyz
 
A brief history of system calls
A brief history of system callsA brief history of system calls
A brief history of system callsSysdig
 
Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Jarod Wang
 
Linux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compactLinux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compactAlessandro Selli
 
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling ToolsTIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling ToolsXiaozhe Wang
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
Translation Cache Policies for Dynamic Binary Translation
Translation Cache Policies for Dynamic Binary TranslationTranslation Cache Policies for Dynamic Binary Translation
Translation Cache Policies for Dynamic Binary TranslationSaber Ferjani
 

Recommended

Midterm Presentation
Midterm PresentationMidterm Presentation
Midterm PresentationZhongzhi Yu
 
PLDI 2010: Safe to the Last Instruction
PLDI 2010: Safe to the Last InstructionPLDI 2010: Safe to the Last Instruction
PLDI 2010: Safe to the Last Instructionjxyz
 
A brief history of system calls
A brief history of system callsA brief history of system calls
A brief history of system callsSysdig
 
Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Jarod Wang
 
Linux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compactLinux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compactAlessandro Selli
 
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling ToolsTIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling ToolsXiaozhe Wang
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
Translation Cache Policies for Dynamic Binary Translation
Translation Cache Policies for Dynamic Binary TranslationTranslation Cache Policies for Dynamic Binary Translation
Translation Cache Policies for Dynamic Binary TranslationSaber Ferjani
 
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)Pixie Labs
 
Linux kernel debugging(ODP format)
Linux kernel debugging(ODP format)Linux kernel debugging(ODP format)
Linux kernel debugging(ODP format)yang firo
 
Measuring directly from cpu hardware performance counters
Measuring directly from cpu hardware performance countersMeasuring directly from cpu hardware performance counters
Measuring directly from cpu hardware performance countersJean-Philippe BEMPEL
 
Austin c-c++-meetup-feb2018-spectre
Austin c-c++-meetup-feb2018-spectreAustin c-c++-meetup-feb2018-spectre
Austin c-c++-meetup-feb2018-spectreKim Phillips
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesSatpal Parmar
 
Debugging linux
Debugging linuxDebugging linux
Debugging linuxAndrea Righi
 
AOS Lab 8: Interrupts and Device Drivers
AOS Lab 8: Interrupts and Device DriversAOS Lab 8: Interrupts and Device Drivers
AOS Lab 8: Interrupts and Device DriversZubair Nabi
 
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMULinaro
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource KernelsSilvio Cesare
 
Concurrency bug identification through kernel panic log (english)
Concurrency bug identification through kernel panic log (english)Concurrency bug identification through kernel panic log (english)
Concurrency bug identification through kernel panic log (english)Sneeker Yeh
 
Kernel Recipes 2016 - entry_*.S: A carefree stroll through kernel entry code
Kernel Recipes 2016 - entry_*.S: A carefree stroll through kernel entry codeKernel Recipes 2016 - entry_*.S: A carefree stroll through kernel entry code
Kernel Recipes 2016 - entry_*.S: A carefree stroll through kernel entry codeAnne Nicolas
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]RootedCON
 
Linux Troubleshooting
Linux TroubleshootingLinux Troubleshooting
Linux TroubleshootingKeith Wright
 
Kernel Recipes 2017: Using Linux perf at Netflix
Kernel Recipes 2017: Using Linux perf at NetflixKernel Recipes 2017: Using Linux perf at Netflix
Kernel Recipes 2017: Using Linux perf at NetflixBrendan Gregg
 
Contiki introduction I.
Contiki introduction I.Contiki introduction I.
Contiki introduction I.Dingxin Xu
 
⭐⭐⭐⭐⭐ CHARLA #PUCESE Arduino Week: Hardware de Código Abierto TSC-LAB
⭐⭐⭐⭐⭐ CHARLA #PUCESE Arduino Week: Hardware de Código Abierto TSC-LAB ⭐⭐⭐⭐⭐ CHARLA #PUCESE Arduino Week: Hardware de Código Abierto TSC-LAB
⭐⭐⭐⭐⭐ CHARLA #PUCESE Arduino Week: Hardware de Código Abierto TSC-LAB Victor Asanza
 
Audit
AuditAudit
AuditMark Ellzey Thomas
 
Linux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringLinux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringGeorg Schönberger
 
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...PROIDEA
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflowsjohseg
 
CNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginCNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginSam Bowne
 
04 performance
04 performance04 performance
04 performancemarangburu42
 

More Related Content

What's hot

No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)Pixie Labs
 
Linux kernel debugging(ODP format)
Linux kernel debugging(ODP format)Linux kernel debugging(ODP format)
Linux kernel debugging(ODP format)yang firo
 
Measuring directly from cpu hardware performance counters
Measuring directly from cpu hardware performance countersMeasuring directly from cpu hardware performance counters
Measuring directly from cpu hardware performance countersJean-Philippe BEMPEL
 
Austin c-c++-meetup-feb2018-spectre
Austin c-c++-meetup-feb2018-spectreAustin c-c++-meetup-feb2018-spectre
Austin c-c++-meetup-feb2018-spectreKim Phillips
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesSatpal Parmar
 
AOS Lab 8: Interrupts and Device Drivers
AOS Lab 8: Interrupts and Device DriversAOS Lab 8: Interrupts and Device Drivers
AOS Lab 8: Interrupts and Device DriversZubair Nabi
 
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMULinaro
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource KernelsSilvio Cesare
 
Concurrency bug identification through kernel panic log (english)
Concurrency bug identification through kernel panic log (english)Concurrency bug identification through kernel panic log (english)
Concurrency bug identification through kernel panic log (english)Sneeker Yeh
 
Kernel Recipes 2016 - entry_*.S: A carefree stroll through kernel entry code
Kernel Recipes 2016 - entry_*.S: A carefree stroll through kernel entry codeKernel Recipes 2016 - entry_*.S: A carefree stroll through kernel entry code
Kernel Recipes 2016 - entry_*.S: A carefree stroll through kernel entry codeAnne Nicolas
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]RootedCON
 
Linux Troubleshooting
Linux TroubleshootingLinux Troubleshooting
Linux TroubleshootingKeith Wright
 
Kernel Recipes 2017: Using Linux perf at Netflix
Kernel Recipes 2017: Using Linux perf at NetflixKernel Recipes 2017: Using Linux perf at Netflix
Kernel Recipes 2017: Using Linux perf at NetflixBrendan Gregg
 
Contiki introduction I.
Contiki introduction I.Contiki introduction I.
Contiki introduction I.Dingxin Xu
 
⭐⭐⭐⭐⭐ CHARLA #PUCESE Arduino Week: Hardware de Código Abierto TSC-LAB
⭐⭐⭐⭐⭐ CHARLA #PUCESE Arduino Week: Hardware de Código Abierto TSC-LAB ⭐⭐⭐⭐⭐ CHARLA #PUCESE Arduino Week: Hardware de Código Abierto TSC-LAB
⭐⭐⭐⭐⭐ CHARLA #PUCESE Arduino Week: Hardware de Código Abierto TSC-LAB Victor Asanza
 
Linux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringLinux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringGeorg Schönberger
 
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...PROIDEA
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflowsjohseg
 

What's hot (20)

No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
 
Linux kernel debugging(ODP format)
Linux kernel debugging(ODP format)Linux kernel debugging(ODP format)
Linux kernel debugging(ODP format)
 
Measuring directly from cpu hardware performance counters
Measuring directly from cpu hardware performance countersMeasuring directly from cpu hardware performance counters
Measuring directly from cpu hardware performance counters
 
Austin c-c++-meetup-feb2018-spectre
Austin c-c++-meetup-feb2018-spectreAustin c-c++-meetup-feb2018-spectre
Austin c-c++-meetup-feb2018-spectre
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniques
 
Debugging linux
Debugging linuxDebugging linux
Debugging linux
 
AOS Lab 8: Interrupts and Device Drivers
AOS Lab 8: Interrupts and Device DriversAOS Lab 8: Interrupts and Device Drivers
AOS Lab 8: Interrupts and Device Drivers
 
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource Kernels
 
Concurrency bug identification through kernel panic log (english)
Concurrency bug identification through kernel panic log (english)Concurrency bug identification through kernel panic log (english)
Concurrency bug identification through kernel panic log (english)
 
Kernel Recipes 2016 - entry_*.S: A carefree stroll through kernel entry code
Kernel Recipes 2016 - entry_*.S: A carefree stroll through kernel entry codeKernel Recipes 2016 - entry_*.S: A carefree stroll through kernel entry code
Kernel Recipes 2016 - entry_*.S: A carefree stroll through kernel entry code
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
 
Linux Troubleshooting
Linux TroubleshootingLinux Troubleshooting
Linux Troubleshooting
 
Kernel Recipes 2017: Using Linux perf at Netflix
Kernel Recipes 2017: Using Linux perf at NetflixKernel Recipes 2017: Using Linux perf at Netflix
Kernel Recipes 2017: Using Linux perf at Netflix
 
Contiki introduction I.
Contiki introduction I.Contiki introduction I.
Contiki introduction I.
 
⭐⭐⭐⭐⭐ CHARLA #PUCESE Arduino Week: Hardware de Código Abierto TSC-LAB
⭐⭐⭐⭐⭐ CHARLA #PUCESE Arduino Week: Hardware de Código Abierto TSC-LAB ⭐⭐⭐⭐⭐ CHARLA #PUCESE Arduino Week: Hardware de Código Abierto TSC-LAB
⭐⭐⭐⭐⭐ CHARLA #PUCESE Arduino Week: Hardware de Código Abierto TSC-LAB
 
Audit
AuditAudit
Audit
 
Linux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringLinux Performance Profiling and Monitoring
Linux Performance Profiling and Monitoring
 
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflows
 

Similar to Let's write a Debugger!

CNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginCNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginSam Bowne
 
Performance Enhancement with Pipelining
Performance Enhancement with PipeliningPerformance Enhancement with Pipelining
Performance Enhancement with PipeliningAneesh Raveendran
 
CNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you BeginCNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you BeginSam Bowne
 
Debugging Complex Systems - Erlang Factory SF 2015
Debugging Complex Systems - Erlang Factory SF 2015Debugging Complex Systems - Erlang Factory SF 2015
Debugging Complex Systems - Erlang Factory SF 2015lpgauth
 
Servers and Processes: Behavior and Analysis
Servers and Processes: Behavior and AnalysisServers and Processes: Behavior and Analysis
Servers and Processes: Behavior and Analysisdreamwidth
 
SMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiSMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiTakuya ASADA
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CanSecWest
 
Performance analysis and troubleshooting using DTrace
Performance analysis and troubleshooting using DTracePerformance analysis and troubleshooting using DTrace
Performance analysis and troubleshooting using DTraceGraeme Jenkinson
 
Presentation of mpu
Presentation of mpuPresentation of mpu
Presentation of mpuKyawthu Koko
 
Embedded Recipes 2018 - Finding sources of Latency In your system - Steven Ro...
Embedded Recipes 2018 - Finding sources of Latency In your system - Steven Ro...Embedded Recipes 2018 - Finding sources of Latency In your system - Steven Ro...
Embedded Recipes 2018 - Finding sources of Latency In your system - Steven Ro...Anne Nicolas
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
 

Similar to Let's write a Debugger! (20)

CNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginCNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you Begin
 
04 performance
04 performance04 performance
04 performance
 
Performance Enhancement with Pipelining
Performance Enhancement with PipeliningPerformance Enhancement with Pipelining
Performance Enhancement with Pipelining
 
CNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you BeginCNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you Begin
 
Os lectures
Os lecturesOs lectures
Os lectures
 
Os introduction
Os introductionOs introduction
Os introduction
 
Os introduction
Os introductionOs introduction
Os introduction
 
Debugging Complex Systems - Erlang Factory SF 2015
Debugging Complex Systems - Erlang Factory SF 2015Debugging Complex Systems - Erlang Factory SF 2015
Debugging Complex Systems - Erlang Factory SF 2015
 
Servers and Processes: Behavior and Analysis
Servers and Processes: Behavior and AnalysisServers and Processes: Behavior and Analysis
Servers and Processes: Behavior and Analysis
 
SMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiSMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgi
 
W10: Interrupts
W10: InterruptsW10: Interrupts
W10: Interrupts
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
 
A22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle HaileyA22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle Hailey
 
Interrupts.ppt
Interrupts.pptInterrupts.ppt
Interrupts.ppt
 
Performance analysis and troubleshooting using DTrace
Performance analysis and troubleshooting using DTracePerformance analysis and troubleshooting using DTrace
Performance analysis and troubleshooting using DTrace
 
Presentation of mpu
Presentation of mpuPresentation of mpu
Presentation of mpu
 
PILOT Session for Embedded Systems
PILOT Session for Embedded Systems PILOT Session for Embedded Systems
PILOT Session for Embedded Systems
 
Embedded Recipes 2018 - Finding sources of Latency In your system - Steven Ro...
Embedded Recipes 2018 - Finding sources of Latency In your system - Steven Ro...Embedded Recipes 2018 - Finding sources of Latency In your system - Steven Ro...
Embedded Recipes 2018 - Finding sources of Latency In your system - Steven Ro...
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
 
02 performance
02 performance02 performance
02 performance
 

More from Levente Kurusa

Linux Kernel - Bevezetes
Linux Kernel - BevezetesLinux Kernel - Bevezetes
Linux Kernel - BevezetesLevente Kurusa
 
Hacking the Linux Kernel - An Introduction
Hacking the Linux Kernel - An IntroductionHacking the Linux Kernel - An Introduction
Hacking the Linux Kernel - An IntroductionLevente Kurusa
 
Introduction to Linux Kernel Development
Introduction to Linux Kernel DevelopmentIntroduction to Linux Kernel Development
Introduction to Linux Kernel DevelopmentLevente Kurusa
 
Linux Kernel - Let's Contribute!
Linux Kernel - Let's Contribute!Linux Kernel - Let's Contribute!
Linux Kernel - Let's Contribute!Levente Kurusa
 
How is the Fedora Kernel different?
How is the Fedora Kernel different?How is the Fedora Kernel different?
How is the Fedora Kernel different?Levente Kurusa
 
Linux Desktop: When is our year?
Linux Desktop: When is our year?Linux Desktop: When is our year?
Linux Desktop: When is our year?Levente Kurusa
 

More from Levente Kurusa (6)

Linux Kernel - Bevezetes
Linux Kernel - BevezetesLinux Kernel - Bevezetes
Linux Kernel - Bevezetes
 
Hacking the Linux Kernel - An Introduction
Hacking the Linux Kernel - An IntroductionHacking the Linux Kernel - An Introduction
Hacking the Linux Kernel - An Introduction
 
Introduction to Linux Kernel Development
Introduction to Linux Kernel DevelopmentIntroduction to Linux Kernel Development
Introduction to Linux Kernel Development
 
Linux Kernel - Let's Contribute!
Linux Kernel - Let's Contribute!Linux Kernel - Let's Contribute!
Linux Kernel - Let's Contribute!
 
How is the Fedora Kernel different?
How is the Fedora Kernel different?How is the Fedora Kernel different?
How is the Fedora Kernel different?
 
Linux Desktop: When is our year?
Linux Desktop: When is our year?Linux Desktop: When is our year?
Linux Desktop: When is our year?
 

Recently uploaded

ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...
ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...
ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...ZTE
 
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerAnamika Sarkar
 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130Suhani Kapoor
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
microprocessor 8085 and its interfacing
microprocessor 8085 and its interfacingmicroprocessor 8085 and its interfacing
microprocessor 8085 and its interfacingjaychoudhary37
 
Internship report on mechanical engineering
Internship report on mechanical engineeringInternship report on mechanical engineering
Internship report on mechanical engineeringmalavadedarshan25
 
Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxPoojaBan
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile servicerehmti665
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024Mark Billinghurst
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AIabhishek36461
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )Tsuyoshi Horigome
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionDr.Costas Sachpazis
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝soniya singh
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.eptoze12
 

Recently uploaded (20)

ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...
ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...
ZXCTN 5804 / ZTE PTN / ZTE POTN / ZTE 5804 PTN / ZTE POTN 5804 ( 100/200 GE Z...
 
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
 
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
 
microprocessor 8085 and its interfacing
microprocessor 8085 and its interfacingmicroprocessor 8085 and its interfacing
microprocessor 8085 and its interfacing
 
Internship report on mechanical engineering
Internship report on mechanical engineeringInternship report on mechanical engineering
Internship report on mechanical engineering
 
Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptx
 
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile service
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.
 

Let's write a Debugger!

  • 1. Let’s write a Debugger! Levente Kurusa <levex@linux.com> Imperial College London linux.conf.au 2018, Sydney, Australia January 25, 2018
  • 2. Who am I? • Final year undergraduate at Imperial College London • Previously at Apple and Red Hat • Mostly working on operating systems and low-level performance • Writes in C, Haskell, Rust, Go. 1
  • 4. Single user machines • One of the first computers in the world • Small application was loaded at the top of the memory • single step • examine registers • read/write memory TX-0 at MIT 2
  • 6. Batch processing machines Debugged by putting macro call in the punch card and generating: • Snapshots (register dump) • Core dumps (contents of memory) 3
  • 7. printf Then came CTSS (Compatible Time-Sharing System), one of the first time-sharing operating systems! Debugging suddenly became interactive. printf-debugging *ptr = 1337; printf("Did we crash at line %d?n", __LINE__); *((int *) 0) = 1337; printf("Did we crash at line %d?n", __LINE__); 4
  • 8. Unix-es • The first version of UNIX had a debugger called, DB • GNU had GDB and LLDB • For Plan 9, ADB was created These debuggers should be familiar! 5
  • 10. ptrace Most debuggers heavily rely on a system call known as ptrace. The prototype of ptrace(2) #include <sys/ptrace.h> long ptrace(enum __ptrace_request request, pid_t pid, void *addr, void *data); 6
  • 11. Signals How does int a = 3, b = 0, c = a / b result in a SIGFPE? 7
  • 12. Signals How does int a = 3, b = 0, c = a / b result in a SIGFPE? 1. Division by zero is noticed by the CPU 7
  • 13. Signals How does int a = 3, b = 0, c = a / b result in a SIGFPE? 1. Division by zero is noticed by the CPU 2. The CPU raises a divide-by-zero error (#DE) 7
  • 14. Signals How does int a = 3, b = 0, c = a / b result in a SIGFPE? 1. Division by zero is noticed by the CPU 2. The CPU raises a divide-by-zero error (#DE) 3. A handler in the kernel is eventually called 7
  • 15. Signals How does int a = 3, b = 0, c = a / b result in a SIGFPE? 1. Division by zero is noticed by the CPU 2. The CPU raises a divide-by-zero error (#DE) 3. A handler in the kernel is eventually called 4. The kernel sends a SIGFPE to the offending process 7
  • 16. Signals How does int a = 3, b = 0, c = a / b result in a SIGFPE? 1. Division by zero is noticed by the CPU 2. The CPU raises a divide-by-zero error (#DE) 3. A handler in the kernel is eventually called 4. The kernel sends a SIGFPE to the offending process 5. Your signal handler is called (or not if it is SIGKILL) 7
  • 17. Implementation • Enable tracing • Run until system call • Monitoring registers • Single stepping • Memory manipulation 8
  • 18. Implementation • Enable tracing • Run until system call • Monitoring registers • Single stepping • Memory manipulation 8
  • 19. Implementation • Enable tracing • PTRACE TRACEME • Run until system call • Monitoring registers • Single stepping • Memory manipulation 8
  • 20. Implementation • Enable tracing • PTRACE TRACEME • Run until system call • Monitoring registers • Single stepping • Memory manipulation 8
  • 21. Implementation • Enable tracing • PTRACE TRACEME • Run until system call • PTRACE SYSCALL • PTRACE SYSEMU • Monitoring registers • Single stepping • Memory manipulation 8
  • 22. Implementation • Enable tracing • PTRACE TRACEME • Run until system call • PTRACE SYSCALL • PTRACE SYSEMU • Monitoring registers • Single stepping • Memory manipulation 8
  • 23. Implementation • Enable tracing • PTRACE TRACEME • Run until system call • PTRACE SYSCALL • PTRACE SYSEMU • Monitoring registers • PTRACE PEEKUSER / PTRACE POKEUSER • PTRACE GETREGS / PTRACE SETREGS • Single stepping • Memory manipulation 8
  • 24. Implementation • Enable tracing • PTRACE TRACEME • Run until system call • PTRACE SYSCALL • PTRACE SYSEMU • Monitoring registers • PTRACE PEEKUSER / PTRACE POKEUSER • PTRACE GETREGS / PTRACE SETREGS • Single stepping • Memory manipulation 8
  • 25. Implementation • Enable tracing • PTRACE TRACEME • Run until system call • PTRACE SYSCALL • PTRACE SYSEMU • Monitoring registers • PTRACE PEEKUSER / PTRACE POKEUSER • PTRACE GETREGS / PTRACE SETREGS • Single stepping • PTRACE SINGLESTEP • Memory manipulation 8
  • 26. Implementation • Enable tracing • PTRACE TRACEME • Run until system call • PTRACE SYSCALL • PTRACE SYSEMU • Monitoring registers • PTRACE PEEKUSER / PTRACE POKEUSER • PTRACE GETREGS / PTRACE SETREGS • Single stepping • PTRACE SINGLESTEP • Memory manipulation 8
  • 27. Implementation • Enable tracing • PTRACE TRACEME • Run until system call • PTRACE SYSCALL • PTRACE SYSEMU • Monitoring registers • PTRACE PEEKUSER / PTRACE POKEUSER • PTRACE GETREGS / PTRACE SETREGS • Single stepping • PTRACE SINGLESTEP • Memory manipulation • PTRACE PEEKTEXT / PTRACE POKETEXT • PTRACE PEEKDATA / PTRACE POKEDATA 8
  • 30. Interrupting a process PTRACE SINGLESTEP %EFLAGS 9
  • 31. Interrupting a process PTRACE SINGLESTEP %EFLAGS.TF 9
  • 32. Interrupting a process PTRACE SINGLESTEP Trap flag (Sometimes referred to as ”Trace flag”) 9
  • 33. Interrupting a process PTRACE SINGLESTEP Trap flag (Sometimes referred to as ”Trace flag”) • After each instruction, trap into #DB interrupt • The kernel delivers a SIGTRAP • This fact is delivered via a wait-event to the debugger 9
  • 35. Interrupting a process Breakpoints • ud2 (machine code: 0x0F 0x0B) • Triggers #UD – Undefined instruction exception 10
  • 36. Interrupting a process Breakpoints • ud2 (machine code: 0x0F 0x0B) • Triggers #UD – Undefined instruction exception • int $3 (machine code: 0xCC) • Triggers #BP – Breakpoint exception 10
  • 38. Breakpoint implementation • Replace with ”int $3” • Take note of the previous instruction 11
  • 39. Breakpoint implementation • Replace with ”int $3” • Take note of the previous instruction • When the breakpoint is hit, replace with the previous instruction 11
  • 40. Breakpoint implementation • Replace with ”int $3” • Take note of the previous instruction • When the breakpoint is hit, replace with the previous instruction • Try executing the instruction again Nota bene: • Could have used ”ud2” 11
  • 41. Debug registers • DR0 - DR3: Linear addresses 12
  • 42. Debug registers • DR0 - DR3: Linear addresses • DR6: Debug control Contains bitmasks for: • 1, 2, 4 or 8 bytes monitored • Break on read, write, execute, or read+write 12
  • 43. Debug registers • DR0 - DR3: Linear addresses • DR6: Debug control Contains bitmasks for: • 1, 2, 4 or 8 bytes monitored • Break on read, write, execute, or read+write • DR7: Debug status Bitmask showing which of DR0-DR3 triggered the #DB 12
  • 44. Debug registers • DR0 - DR3: Linear addresses • DR6: Debug control Contains bitmasks for: • 1, 2, 4 or 8 bytes monitored • Break on read, write, execute, or read+write • DR7: Debug status Bitmask showing which of DR0-DR3 triggered the #DB • DR4 & DR5: Obsolete aliases to DR6 & DR7 12
  • 45. Thanks! Thank you for your attention! Twitter: @iLevex Email: <levex@linux.com> GitHub: levex Website: http://osdev.me/ The LATEX theme is available at github.com/matze/mtheme Both the theme and the talk are licensed under the CC-BY-SA 4.0 International license. 13