linux_interposition's Introduction

** Overview
This project contains the library interposition code for Linux.  We
use it to mine execution traces for bugs and other potentially
valuable information.  We hook into a number of functions, and install
mtrace() (a memory profiler to detect memory leaks) into malloc.

** Build
To build, run 'make'.

** To use
To use, run the application with LD_PRELOAD set to the built library,
e.g.,
  $  LD_PRELOAD=./libinterpose.so /bin/ls

There are additional environment variables. 

1. The FAS_INTERPOSE_LOG environment variable determines where output
is logged. If this variable is not set, nothing is logged.

2. The MALLOC_TRACE environment variable determines where mtrace
writes out its output. You can process the log data with the Linux
command mtrace.

3. The FAS_LOG_MEMORY environment variable determines whether memory
is checked via mtrace().

4. The FAS_FUZZ_STRING environment variable determines the string we
search for in input to determine whether the input is tainted. For
example, this could be set to "AAA" to detect any string that contains
"AAA". Note we do a string search for the FAS_FUZZ_STRING, not an
exact match.


Given the above, a complete run may look like:

$ LD_PRELOAD=./libinterpose.so FAS_FUZZ_STRING="AAA" \
  FAS_INTERPOSE_LOG="/tmp/test.fas.log" \
  FAS_LOG_MEMORY=1 \
  MALLOC_TRACE="/tmp/test.mtrace.log" ./test AAAAAAA

Note that if there is a double free or similar, you will enter an
infinite loop in the memory checker. Thus it is essential that this is
only run as a second pass. As a first pass, run with MALLOC_CHECK_=3
(so that we get a full dump and break on the first error):
$ MALLOC_CHECK_=3 ./prog AAA
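The shape of one hook, as an added illustration rather than code from
this repository: the taint check is a substring search for
FAS_FUZZ_STRING, a hit is appended to FAS_INTERPOSE_LOG (nothing is
written when that variable is unset), and the interposed function then
forwards to the real libc symbol via RTLD_NEXT. The function names
fas_is_tainted, fas_check_with and fas_check are assumptions made for
this example; mtrace() setup is left out.

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if the fuzz marker occurs anywhere in buf: a substring
 * search, not an exact match, as described for FAS_FUZZ_STRING. */
int fas_is_tainted(const char *buf, const char *needle)
{
    if (buf == NULL || needle == NULL || *needle == '\0')
        return 0;
    return strstr(buf, needle) != NULL;
}

/* Core check shared by every hook (hypothetical helper name): report
 * whether `arg` carries `needle` and, when `logpath` is non-NULL, append
 * one line to that file. Returns 1 for tainted, 0 otherwise. */
int fas_check_with(const char *fn, const char *arg,
                   const char *needle, const char *logpath)
{
    int tainted = fas_is_tainted(arg, needle);
    if (tainted && logpath != NULL) {
        FILE *log = fopen(logpath, "a");
        if (log != NULL) {
            fprintf(log, "%s: tainted argument \"%s\"\n", fn, arg);
            fclose(log);
        }
    }
    return tainted;
}

/* Environment-driven wrapper: with FAS_INTERPOSE_LOG unset, nothing is
 * logged; with FAS_FUZZ_STRING unset, nothing is ever tainted. */
int fas_check(const char *fn, const char *arg)
{
    return fas_check_with(fn, arg, getenv("FAS_FUZZ_STRING"),
                          getenv("FAS_INTERPOSE_LOG"));
}

/* Interposed strcpy: inspect the source string, then call the libc
 * implementation that comes next in the link order (RTLD_NEXT). */
char *strcpy(char *dst, const char *src)
{
    static char *(*real_strcpy)(char *, const char *);
    if (real_strcpy == NULL)
        real_strcpy = (char *(*)(char *, const char *))dlsym(RTLD_NEXT, "strcpy");
    fas_check("strcpy", src);
    return real_strcpy(dst, src);
}
```

Built as a shared object (e.g. `cc -shared -fPIC -o libinterpose_example.so example.c -ldl`, file names assumed), it is loaded exactly as shown above with LD_PRELOAD; constructed input such as `./test AAAAAAA` with FAS_FUZZ_STRING="AAA" produces one log line per tainted strcpy.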

** Notes

1. The code should work on x86_64 with minimal effort, though it is
currently untested. The one exception is the function
get_call_stack(). This function is not currently used; it's only
provided for information purposes. However, if we ended up using it we
would need to change it so that we used proper 64-bit calling
conventions. 

2. We walk the stack looking for the frame pointer, which only works
reliably when the program is compiled with a frame pointer.  It does
not seem to crash when the frame pointer is omitted (but it certainly
wouldn't get the correct information).

3. We don't hook calloc(). See the note in interpose.c.

4. We only check sprintf() for a tainted format string. We do not
record when the variadic arguments may contain input data. I'm not
sure how to do this; it's something we should look into in the
future.

5. The list of functions to intercept was taken from
http://msdn.microsoft.com/en-us/library/bb288454.aspx 
Functions on the list which we don't intercept include the "n"
functions (e.g., strncpy), integer conversion (e.g., itoa).
