
102

2005

Linux Ptrace( ) *

( , 710072)

: Linux Ptrace( ) ;

; , Ptrace( ) Linux

: Linux; Ptrace( ) ; ; ;
: TP311, TP301

: A

Article number: 1001-3695(2005)08-0102-03

Analysis of the Security of Ptrace( ) on Linux


LV Peng, DAI Guan-zhong
(College of Automation, Northwestern Polytechnical University, Xi'an, Shaanxi 710072, China)

Abstract: This paper discusses the process-tracing and process-control capabilities of ptrace() on Linux. It then analyses the security threat posed by ptrace() through an exploit against vulnerable Linux systems of the period: a local process attaches to the modprobe helper that the kernel spawns on its behalf while the helper still shares the caller's uid, and injects code that executes once the helper has been raised to root (effective uid 0 and full capabilities) before it calls execve(). Finally, the application of ptrace() to virus-hiding techniques on Linux is discussed.
Key words: Linux; Ptrace( ) ; Process Tracing; Process Debugging; Virus Hiding
/ ,

Ptrace ( )

, UNIX

: Root

ptrace( ) ptrace( )

, ,

; ptrace( ) , ( at-

ptrace( )

tach) , / ,

, , ,

; (

Root , Root

) ,

,
ptrace( ) , Linux GNU
GDB

, Linux

Ptrace( ) , :

, ,

long int ptrace(enum __ptrace_request request, pid_t pid,

EUID EGID 0

void *addr, void *data)

ptrace( )

, , ptrace( ) ;

, EUID 0 ptrace( )

, ,

ptrace( ) ,

include/linux/ptrace.h

Linux kernel kmod/ptrace

,
,

Ptrace ( )
ptrace( ) ,

, ptrace( ) ,

fork( ) ,
socket( 0, 1, 0) , ,
request_module( ) ,
kernel_thread( exec_modprobe, ( void * ) module_name, 0)
, exec_modprobe( ) ,
kernel/kmod.c
static int exec_modprobe( void * module_name)

Received: 2004-07-24; revised: 2004-09-07


: ( 01F53031) ;
( 20020699026)

{
static char * envp[ ] = { " HOME = / " , " TERM = linux" , " PATH = /
sbin: / usr/ sbin: / bin: / usr / bin" , NULL } ;
char * argv[ ] = { modprobe_ path, " -s" , " -k " , " --" , ( char* )

: Linux Ptrace( )

module_name, NULL } ;

103

( current- > uid! = child- > suid) ||( current- > uid! = child- > uid) |

int ret;
ret = exec_usermodehelper( modprobe_path, argv, envp) ;

if ( ret) {
printk( KERN_ERR" kmod: failed to exec % s -s -k % s, errno = % d \n" ,

modprobe_path, ( char* ) module_name, errno) ;

|( current- > gid! = child- > gid) ) &&! capable( CAP_SYS_PTRACE) )

( current- > gid! = child- > egid) ||( current- > gid! = child- > sgid) |
( ! cap_issubset( child- > cap_permitted, current- > cap_permitted) ) |

}
return ret;

goto out_tsk;
...

ptrace( ) Tracing Traced

socket(0, 1, 0) makes the kernel call request_module() with module_name "net-pf-0",

modprobe_path = "/sbin/modprobe",


argv[] = /sbin/modprobe -s -k net-pf-0

,
, Root

exec_modprobe( )

, Linux

, fs_ struct ,

, sys_ execve

: Ptraced,

, exec_

, Ptraced SUID

usermodehelper( ) ( kmod. c )

, SUID ,

int exec_usermodehelper( char * program_path, char * argv[ ] , char


* envp[ ] )
{

..
curtask - > euid = curtask - > fsuid = 0;
curtask - > egid = curtask - > fsgid =0 ;
cap_set_full( curtask - > cap_effective) ;
. ..
set_fs( KERNEL_DS) ;
. ..
if ( execve( program_path, argv, envp) < 0)

SUID Setuid
, Setuid
SUID ,
,
,

Linux , ptrace( )

return -errno;
return 0 ;
}

, EUIDEGID , , ,
,

Ptrace ( )

,
,
, EIP
, ,
,

fork( ) ,

, ,

socket( 0, 1, 0) ,

ID fork( )

ID, 1, ID

, ,

ptrace( ) :

( 1) ptrace( PTRACE_ATTACH, . . . ) Attach

( 2) ptrace( PTRACE_GETREGS, . . . )

( 3) EIP , ptrace( PTRACE_


POKETEXT, . . . ) ,
, , EIP

( 4) ptrace( PTRACE_DETACH, . . . )
, ,
, Root
ptrace( ) ,
,

4. 1

Linux
Linux ,

: ; ,
malloc( ) , realloc( ) , free( ) calloc( )
, ,
, 1
Text

Memory Arena

Heap

(Unused)

08048000 08091000 08104000

Stack

(Unused)

Stack

08115000 BFFFC000 BFFFEAF0 C0000000

( 1) Text ,

Sys_ptrace :

if ( request = = PTRACE_ATTACH) {
if ( child = = current)

goto out_tsk;
if ( ( ! child- > dumpable ||( current- > uid! = child- > euid) ||

( 2) Memory Arena
, ( Heap)

104

Heap

2005

gs struct user_regs_struct

( 3) Stack ,

( 3) 4. 3 addr

Stack ,

( 4) ptrace( PTRACE_POKEDATA, . . . ) addr

, addr
1 , Memory Arena

( 5) regs
, Backupregs

4. 2

( 6) : regs. eip = addr, EIP

/proc
Linux ,

: /proc/<pid>/maps


/ proc( ) ,
ID Maps
, :
proc ess file

( 7) ptrace( PTRACE_ SETREGS, TRACED_ID, NULL,


&regs)
( 8) ptrace ( PTRACE_ CONT, TRACED _ ID, NULL,
NULL)
( 9) , ptrace ( PTRACE_ SETREGS, TRACED_ID, NULL, &backupregs)

map start - map end

protec tion

offse t

dev

ino de

00000000 - 0002f000

r- x- -

00000400

03 : 03

1401

0002f000 - 00032000

rwx-p

0002f400

03 : 03

1401

00032000 - 0005b000

rwx-p

00000000

00 : 00

NULL)

60000000 - 60098000

rwx-p

00000400

03 : 03

215

60098000 - 600c7000

rwx-p

00000000

00 : 00

bfffa000 - c0000000

rwx-p

00000000

00 : 00

( 10) ptrace( PTRACE_DETACH, TRACED_ID, NULL,

map start - map end is the address range of the mapping; protection gives the access flags: r
= read, w = write, x = execute, s = shared, p = private (copy on

, ptrace( ) ,

write); offset is the offset into the mapped file; dev is the device number (

GDB ,

major:minor); inode is the inode number, 0 when the mapping is not backed by a file

ptrace( ) ,

4. 3

Maps,

, :
(1) ID, /proc/<pid>/maps

( 2) ,
( 3) Maps ,
,
, ,
map start dev
(4) dev field is 00:00

, ptrace( )
,
,

ptrace( ) , ,
,
ptrace( ) ,
ptrace( ) ,
Bug,
ptrace( ) ,

, map start

[ 1]

, . : , 2000 . 155-159.

( 5) map start
4. 4

Wall, Watson M, Whitis M, et al. GNU/Linux [M].

[ 2]

. Linux C [ M] . : ,
2002. 217- 218.

[ 3]

Jbtzhm. Linux Ptrace [EB/OL]. http://www.nsfocus.

, , ,

net/index.php?act=sec_self&do=view&doc_id=719&keyword=

, ,

linux+ptrace%C2%A9%B6%B4%B7%D6%CE%F6, 2002-09-

ptrace( ) ,

17 / 2004 - 04.

,
ptrace( ) :
( 1) ID, ptrace ( PTRACE _ ATTACH, TRACED_ID, NULL, NULL)
( 2) ptrace ( PTRACE _ GETREGS,
TRACED_ID, NULL, &regs) re-

[ 4]

Pradeep Padala. Playing with Ptrace [EB/OL]. http://www.linuxjournal.com/article.php?sid=6100, 2002-11 / 2004-04.

:
( 1979- ) , , ,
; ( 1937- ) , , , ,
