Kernel Development Learning Pipeline

E1 - Scavenger Hunt 🔎

We will assign you a syscall and give you our specially designed program. Your task is to trace invocations of that syscall by the program within userspace and kernelspace and document your observations.

Outcomes:

• Strengthen understanding of the interaction between the kernel and userspace
• Learn how to monitor the syscalls being executed by a program
• Understand how C code translates into system calls and vice versa
• Build awareness of and basic familiarity with the linux BPF subsystem via bpftrace
• Gain experience with tracing based debugging

What to submit

• A cover letter following the assignment submission guidelines (as always)
• A patch which adds a directory named firstname_lastname to the E1 folder of the class repo with a copy of questions.txt.
• A patch that includes two logs with the full output from strace while running the program. Once as your regular user and once as running as root using sudo. Make sure you label which is which
• A patch that adds your *.bp bpftrace program, and a file that shows the expected output of it successfully tracing the syscall within the program
• A patch that includes the changes to your copy of questions.txt made by answering the questions
• A patch that adds the log.txt file in your folder with the output from all the times you ran the program

Procedure:

1. Create a firstname_lastname folder named for yourself within the e1 directory and cd into it.
2. Copy the provided questions.txt file into your folder (cp ../questions.txt .).
3. You can make the commit for your first patch at this point.
4. Play with the provided program. You can run it by typing ../program_amd64 (or ../program_arm64 if you are running fedora aarch64 on an apple silicon mac)
   • It will create a log.txt file in your folder, look at what values it printed there
5. Examine the source code for the provided program here
   • Look for the places where it makes your assigned system call
6. Run strace on the provided program
   • Locate the lines corresponding to call(s) to your syscall in the output.
7. Answer question 0 in questions.txt
8. Read the manual page for your system call (type man 2 [syscall name] e.g. man 2 execve)
9. Answer question 1 in questions.txt
10. Find the syscall definition within the kernel source
    • Suggested: make use of git grep or elixir or cscope
11. Answer question 2 in questions.txt
12. Pull the full history of the linux repository with git pull --unshallow (this will take a little while to download)
13. Run git blame on the file containing the definition of the syscall and scroll to the lines containing the definition
    • Find the line or lines that most recently changed.
14. Answer question 3 in questions.txt
15. Identify the probe you will use for tracing by searching for kprobes that match your syscall with sudo bpftrace -l
16. Write the bpf script that inserts a probe and prints the syscall arguments, the kernelspace stack, and the userspace stack each time the syscall is executed by the program.
    • Ensure that the probe is only triggered on instances of the system call caused by running our command.
17. Capture the necessary output, and create commits out of your changes as described in “what to submit”
18. Generate patches out of your commits. Don’t forget the cover letter
19. Submit your patches to exercise1@kdlp.underground.software

Tools of interest

• strace
• man
• cscope
• git-blame
• git-grep [ -n ]
• bpftrace and other BPF tooling

Submission Guidelines