srg-imperial / sabre Goto Github PK

Load-time selective binary rewriting

License: Other

CMake 2.32% C 88.66% Assembly 5.90% Shell 2.28% Python 0.68% Dockerfile 0.16%

sabre's Introduction

SaBRe 2.0

SaBRe is a modular selective binary rewriter. It is able to rewrite system calls, vDSO and named functions. We currently support two architectures: x86_64 and RISC-V. We provide three plugins:

sbr-id: intercepts system calls but does not do any processing -- mainly aimed at testing
sbr-trace: a fast system-call tracer that mimics the original strace output
sbr-scfuzzer: a parametric fault injector to fuzz system calls

SaBRe has two different system architectures. SaBRe 1.0 currently lives under branch sabre_1.0 of this repo, while SaBRe 2.0 is the current main branch. For the differences between the two systems, look at section SaBRe 1.0 vs 2.0. To learn more about the implementation details read our papers in SaBRe research and papers.

Building SaBRe

Quick start and requirements

SaBRe execution does not rely on any third-party library. However, SaBRe requires cmake, make and gcc for building. To quickly get started, run:

git clone https://github.com/srg-imperial/SaBRe
cd SaBRe
mkdir build
cd build
cmake ..
make

The executable will be located at ./sabre assuming you are in the build directory you just created. The compiled plugins will lie in separate subfolders under plugins/. For instance, to run the ls command under the sbr-trace plugin:

./sabre plugins/sbr-trace/libsbr-trace.so -- /bin/ls

Compiling SaBRe executable

gcc is recommended for compiling SaBRe. Also the build system uses cmake and make. So if you do not have them installed, use your package manager, e.g. for Debian/Ubuntu:

sudo apt install cmake make gcc

You can download a snapshot of the repository or clone it if you have git installed:

git clone https://github.com/srg-imperial/SaBRe

The following build instructions assume that you are currently in the top level directory of your copy of the SaBRe repository:

cd SaBRe
mkdir build
cd build
cmake ..
make

The sequel assumes the working directory is still build/. If everything goes well, the executable will be located at ./sabre.

Running SaBRe

The general syntax to invoke SaBRe is:

SaBRe <PLUGIN> [<PLUGIN_OPTIONS>] -- <CLIENT> [<CLIENT_OPTIONS>]

Both PLUGIN and CLIENT denote full paths to, respectively, the plugin library and the client program to be run under SaBRe. Once built, plugin libraries are located in separate subfolders under plugins/. For instance, the path to the sbr-trace library is: plugins/sbr-trace/libsbr-trace.so. As a full working example, if you want to execute the ls command under the sbr-trace plugin, just run:

./sabre plugins/sbr-trace/libsbr-trace.so -- /bin/ls

How to debug in SaBRe

When using GDB with SaBRe you will notice that when the execution has reached the plugin's or the client's code, GDB is not able to show neither symbols nor source code. To fix this you will have to load debug-tools/gdb-symbol-loader.py in your GDB and then run the registered commands. SaBRe offers two helper commands:

sbr-src: Loads some paths for the source code of well known libraries like libc under Ubuntu 18.04.
sbr-sym: If provided with no arguments, it tries to load the symbols of some well know libraries that SaBRe is currently relocating (e.g. libc, pthreads, etc.). If strings are provided as arguments, we try to match those with the paths of libraries found in the maps of the running application and load their symbols. sbr-sym is using add-symbol-file under the hood and thus all restrictions and requirements apply.

SaBRe 1.0 vs 2.0

SaBRe is binary rewriter that loads a user provided plugin into the memory space of a client application. This plugin is called to handle the intercepted system calls or function calls of the client application. The main difference between SaBRe 1.0 and 2.0 is in which memory space the plugin lives and operates.

Under SaBRe 1.0 the plugin lives in the memory space of SaBRe. That gives the maximum possible isolation between memory management and called libraries between SaBRe and the client. For example, if you use malloc inside the plugin, the memory will be allocated inside the memory arenas of SaBRe, while in 2.0 the plugin uses the same infrastructure as the client. The same difference applies for libraries too. If you choose some libc alternative or different version to be loaded with your plugin, SaBRe 1.0 will keep your plugin dependencies separate from the client. SaBRe 2.0 blends the plugin with the dependencies of the underlying client, and thus the same libraries will be used.

SaBRe 1.0 comes with some technical limitations though. Keeping this isolation between client and plugin is not an easy task. For example a custom allocator needs to be properly and carefully used. There are also some other restrictions with respect to multithreading and the TLS. There is currently a long discussion here that highlights some of these technical limitations and what effort is required from the plugin developer to overcome them.

If your priority is to maximise memory isolation and library interference, choose SaBRe 1.0. If you want to build complex application we recommend SaBRe 2.0.

SaBRe research and papers

sabre's People

Contributors

Stargazers

Watchers

Forkers

parras daniel-grumberg ccadar atshaas bwry andronat clayne lordcasser jasonwhite rnshah9 riscinside gmh5225 noorahsmith xht03

sabre's Issues

Test dependencies

Currently, SaBRe cannot be built if some test dependencies are not met (e.g. efibootmgr). These should be optional.

Cleanup the build system and add basic smoke tests

I think we can agree that the build system is quite messy and that we need some basic smoke tests to make sure that non of the "official" plugins don't randomly break.

I am quite happy to do the work to get this in, but would like to discuss what it is we want from the smoke tests. What I add in mind was to have build check for every platform we support (x86_64 and risc-v) and a simple run of all three plugins to check they work alright, maybe on ls as a start.

As far as the build system goes, I would like to create a CMake function for creating a plugin that sets up all the relevant options automatically based on the build type as well as cleaning up a bit loader/CMakeLists.txt.

If people are OK with this proposal I will go ahead and make a patch.

Unable to get backtraces from client program from SIGSEGV handler

When a signal action is attached from the plugin, it is not possible to properly locate symbols for functions in the client program in order to present the user with a backtrace for debugging purposes.

A minimal reproduction is given with this patch. This can be applied by the usual means using the patch utility from the top level of the SaBRe tree with the following command patch -p1 < sigsegv_repro.patch

To observe the unexpected behaviour, build the SaBRe tree normally. This will produce an additional subdirectory in the build tree under plugins/sigsegv-repro. This contains two products, a shared object plugin for SaBRe that installs a signal handler for SIGSEGV from within the plugin, the resulting shared object is libbacktrace-plugin.so. The other build product is a small sample executable that triggers a segmentation fault by attempting to dereference the NULL pointer with three levels of function call indirection to be able to observe a backtrace, this product is called backtrace-offender. The command to observe the issue is ./sabre plugins/sigsegv-repro/libbacktrace-plugin.so plugins/sigsegv-repro/backtrace-offender

To be able to observe the expected behaviour of the signal handler, it needs to be installed from the sample executable backtrace-offender. The build system provides a facility to conveniently enable this functionality by passing the -DHANDLER_IN_OFFENDER=ON option to CMake when configuring the build system. You can run the same command as previously to observe a correct backtrace.

Build real_syscall in a separate static library

Currently, a plugin needs to link against the all the architecture dependent code to get the real_syscall symbol, pulling in the entire loader, which is not ideal. Furthermore, this means the the loader needs to be compiled with -fPICwhen it really should only be -fPIE.

Missing ld symbols on Arch Linux when runnning "/bin/ls" under SaBRe

I am trying to get ./sabre plugins/sbr-trace/libsbr-trace.so -- /bin/ls to work on Arch Linux. I am getting this error:

sabre: /home/notiurii/Uni/UROP2/SaBRe/loader/rewriter.c:562: find_ld_symbol: Assertion `false && "We couldn't find ld symbols"' failed.
fish: Job 1, './sabre plugins/sbr-trace/libsb…' terminated by signal SIGABRT (Abort)

How do I approach this issue? See full log at https://www.toptal.com/developers/hastebin/conexaqoku.log

Using pthread_create inside a plugin

Hi,

Is it possible to call pthread_create, to create a thread inside a plugin?

I tried to follow old issues and forks, and it seems it could be done somehow (with some TLS magic).
Any pointer or example?

The thread does not need to be intercepted, only the client.

Regards,

How to use gdb to debug plugins in Sabre

For example
/sabre ./plugins/sbr-trace/libsbr-trace.so -- test_sbrtrace_hello.

What should we do to debug libsbr-trace.so intercept and replace system calls in gdb? For example, the program executes the write system call, and the plugin prints out some log messages before executing write.

Even though I used gdb to debug sabre, gdb was never able to intercept and view the code function in the dynamic link library libsbr-trace.so that rewrites the system call.

Understanding this process is very important for writing new plugins, can you answer and explain this process, thanks.

Rename ./run into ./sabre

Sabre doesn't rewrite user defined function detours

Rewrite functions when the user plugin defines it is currently a no-op.

While we are passing the appropriate detour registration function to the plugin here: https://github.com/srg-imperial/SaBRe/blob/master/loader/premain.c#L96-L101 we still need to invoke the rewriter like we do here: https://github.com/srg-imperial/SaBRe/blob/master/loader/ld_sc_handler.c#L349

Unfortunately this is not a trivial change because invoking a function rewrite from within the plugin creates the following 3 problems:

a recursive chicken and egg problem where we rewrite e.g. malloc and then sabre calls malloc, which is solved easily with our enter_plugin() and exit_plugin() plugin methods.
we need to swap TLS from the client to Sabre as we are executing Sabre code from the rewriter. This is also accommodated easily with load_sabre_tls() and load_client_tls().
The rewriter is not idempotent.

From all the issues above, number 3 is the real blocker and this require significant engineering effort to fix properly. We need to work on some accounting to keep track of the .so in memory and make sure we don't double patch stuff.

How to use gdb to debug target binary programs in Sabre

I would like to know how to use gdb to debug the target program (test_sbrtrace_hello) that Sabre started,
i.e., ./sabre ./plugins/sbr-trace/libsbr-trace.so -- test_sbrtrace_hello.
I followed what was mentioned in the README and loaded debug-tools/gdb-symbol-loader.py, but it did not work.
I wanted to debug the target program because I had encountered plugins in other scenarios that caused the target binary to crash, so I had to use gdb to debug and check.

The following is the entire process of my debugging, am I missing anything and what do I need to do about it?

test_sbrtrace_hello

#include <stdio.h>

int main(int argc, char *argv[]) {
  printf("Hello World!\n");
  return 0;
}

Let's execute the command, and see this:

./sabre ./plugins/sbr-trace/libsbr-trace.so -- test_sbrtrace_hello

Now let's use gdb to debug sabre:

gdb sabre
set args ./plugins/sbr-trace/libsbr-trace.so -- test_sbrtrace_hello
source ../debug-tools/gdb-symbol-loader.py
b main 
r

Then next and next:

then next:

Finally, the target program runs and exits, and gdb cannot debug it.

Whether I am operating improperly, I hope to get your reply, thank you very much.
: )