E1 - Scavenger Hunt 🔎

We will assign you a system call and give you a specially designed program. Your task is to trace invocations of that system call by the program within userspace and kernelspace and document your observations.

Outcomes:

What to submit:

Procedure:

  1. Create an E1 directory in your username directory

  2. Copy the provided E1/questions.txt file into your username/E1

    1. You can make the commit for your first patch at this point.

  3. Play with the provided program, either program_amd64 or program_arm64 depending on your architecture

    1. Regardless of the location of the binary, the program will create a log.txt file in the directory where the program is invoked

    2. You will need this output for patch 5

  4. Disassemble the appropriate binary using a tool like objdump -d <binary>

    1. Identify the lines of code that prepare the arguments for your system call, specify the system call number, and invoke the kernel

    2. Use this to answer question 0 for your architecture

  5. Run strace on the provided program

    1. Locate the lines corresponding to call(s) to your system call in the output

    2. Use this to answer question 1

  6. Read the manual page for your system call (type man 2 [system call name], e.g. man 2 execve)

    1. Use this to answer questions 2, 3, and 4

  7. Analyze the disassembled binary to answer question 5

  8. Find the system call definition within the kernel source

    1. Suggested: make use of git grep or elixir or cscope

    2. Use this to answer question 6

  9. If you previously made a shallow (--depth=1) local clone, pull the full history of the Linux kernel repository

    1. Use git pull --unshallow (this will take a little while to download)

  10. Run git blame on the file containing the definition of the system call

    1. Find the most recently modified line or lines in the system call handler

    2. Use this to answer questions 7, 8, 9, and 10

  11. Identify the probe you will use for tracing by searching for available probes that match your system call with sudo bpftrace -l

  12. Write the bpftrace script that inserts a probe triggered by the program running your system call

    1. The script prints the system call arguments, the kernelspace stack, and the userspace stack each time the system call is executed by the program

    2. Ensure that the probe is only triggered on instances of the system call caused by running the provided program

  13. Capture the necessary output, and create commits out of your changes as described above

  14. Generate patches out of your commits
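As an added example for step 12 (not part of the assignment or the provided program), a bpftrace script that traces execve, the call used as an example in step 6, and fires only for the provided binary. The tracepoint name, its argument field, and the comm value are assumptions; substitute your assigned system call and, on arm64, program_arm64.

```bpftrace
#!/usr/bin/env bpftrace
// Added example, not from the assignment. Traces execve as a stand-in for
// the assigned system call; swap the tracepoint name and argument fields for yours.
// The syscalls:sys_enter_* tracepoints exist on both amd64 and arm64, unlike
// arch-specific kprobe handler names, so one script serves either binary.
// comm is the task name truncated to 15 characters; "program_amd64" fits.

BEGIN
{
        printf("Tracing execve by program_amd64... Ctrl-C to end\n");
}

tracepoint:syscalls:sys_enter_execve
/comm == "program_amd64"/
{
        // Arguments as the kernel receives them. The field names come from
        // bpftrace -lv tracepoint:syscalls:sys_enter_execve (assumed here).
        printf("pid %d tid %d execve(filename=%s)\n", pid, tid, str(args->filename));

        // Kernel-space stack at the moment the probe fires
        printf("kernel stack:\n%s\n", kstack);

        // User-space stack of the provided program; frames resolve to names
        // only if the binary keeps its symbol table and frame pointers
        printf("user stack:\n%s\n", ustack);
}
```

Run it with sudo bpftrace trace.bt in one terminal and start the provided program in another; the comm predicate is what satisfies step 12.2, so other processes calling execve produce no output.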

Tools of interest

Policies & Procedures


singularity v0.5 https://github.com/underground-software/singularity