
ptrace

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Trasz (talk | contribs) at 15:11, 19 March 2010 (Explain situation with FreeBSD.). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

ptrace is a system call found in several Unix and Unix-like operating systems. By using ptrace (the name is an abbreviation of "process trace") one process can control another, enabling the controller to inspect and manipulate the internal state of its target. ptrace is used by debuggers and other code-analysis tools, mostly as aids to software development.

Uses

ptrace is used by debuggers (such as gdb and dbx), by tracing tools like strace and ltrace, and by code coverage tools. ptrace is also used by specialised programs to patch running programs, to avoid unfixed bugs or to overcome security features.

By attaching to another process using the ptrace call, a tool has extensive control over the operation of its target. This includes manipulation of its file descriptors, memory, and registers. It can single-step through the target's code, can observe system calls and their results, and can manipulate the target's signal handlers and both receive and send signals on its behalf. The ability to write into the target's memory allows not only its data store to be changed, but also the application's own code segment, allowing the controller to install breakpoints and patch the running code of the target.[1]

As the ability to inspect and alter another process is very powerful, ptrace can attach only to processes that the owner can send signals to (typically only their own processes); the superuser account can ptrace almost any process (except init). In Linux systems that feature capabilities-based security, the ability to ptrace is further limited by the CAP_SYS_PTRACE capability.[2] In FreeBSD, it is limited by FreeBSD jails and Mandatory Access Control policies.

Limitations

Communications between the controller and target take place using repeated calls of ptrace, passing a small fixed-size block of memory between the two (necessitating two context switches per call); this is acutely inefficient when accessing large amounts of the target's memory, as this can only be done in word-sized blocks (with a ptrace call for each word).[3] For this reason the 8th edition of Unix introduced procfs, which allows permitted processes direct access to the memory of another process; 4.4BSD followed, and the use of /proc for debugger support was inherited by Solaris, BSD, and AIX, and mostly copied by Linux.[3] Some, such as Solaris, have removed ptrace as a system call altogether, retaining it as a library call that reinterprets calls to ptrace in terms of the platform's procfs.[4] FreeBSD, on the other hand, extended ptrace to remove the problems just mentioned, and declared procfs obsolete due to its inherent design problems.
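The following program is an added illustration of the three points above (attaching to a target and reading its memory, the permission check that can refuse the attachment, and the one-word-per-call cost of ptrace versus the bulk access that procfs offers). It is not code from the Wikipedia article or from any ptrace implementation; it assumes Linux, where /proc/<pid>/mem is the procfs memory interface. The sample text, the struct and function names (`SECRET`, `trace_result`, `peek_bytes`, `procmem_bytes`, `run_trace_demo`, `trace_demo_check`) are all constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed sample data: the forked child keeps this in its address space and the
 * tracing parent reads it back.  Sized to a whole number of words so that every
 * PTRACE_PEEKDATA read stays inside the array. */
static const char SECRET[64] = "constructed sample text for the tracing parent to read";

struct trace_result {
    int  ptrace_denied;  /* child could not call PTRACE_TRACEME (EPERM, seccomp, Yama) */
    int  peek_ok;        /* word-by-word PTRACE_PEEKDATA copy succeeded */
    int  procmem_ok;     /* single pread() from /proc/<pid>/mem succeeded */
    long peek_calls;     /* number of ptrace() calls the PEEKDATA copy needed */
    char via_peek[sizeof SECRET];
    char via_procmem[sizeof SECRET];
};

/* Copy len bytes of the tracee's memory one word at a time, the only way ptrace
 * itself offers.  PEEKDATA hands back the word as the return value, so a word of
 * all ones is indistinguishable from the -1 error code unless errno is cleared
 * before the call and inspected afterwards. */
static int peek_bytes(pid_t pid, const void *addr, char *out, size_t len, long *calls)
{
    size_t done = 0;
    *calls = 0;
    while (done < len) {
        size_t n = len - done < sizeof(long) ? len - done : sizeof(long);
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, (const char *)addr + done, NULL);
        (*calls)++;
        if (word == -1 && errno != 0)
            return -1;
        memcpy(out + done, &word, n);
        done += n;
    }
    return 0;
}

/* The procfs route: one system call for the whole range. */
static int procmem_bytes(pid_t pid, const void *addr, char *out, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        return -1;
    ssize_t got = pread(fd, out, len, (off_t)(uintptr_t)addr);
    close(fd);
    return got == (ssize_t)len ? 0 : -1;
}

/* Fork a child that asks to be traced and stops itself, then read SECRET out of it
 * both ways.  Addresses match because fork() copies the parent's address space; a
 * tracer of an exec'd program would locate the address via symbols or /proc/<pid>/maps. */
struct trace_result run_trace_demo(void)
{
    struct trace_result r;
    memset(&r, 0, sizeof r);
    pid_t pid = fork();
    if (pid == -1) { r.ptrace_denied = 1; return r; }
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(2);            /* the permission check described above refused us */
        raise(SIGSTOP);          /* tracee stops; the parent observes it via waitpid() */
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) {
        r.ptrace_denied = 1;     /* child exited with 2, or seccomp killed it with SIGSYS */
        return r;
    }
    r.peek_ok = peek_bytes(pid, SECRET, r.via_peek, sizeof SECRET, &r.peek_calls) == 0;
    r.procmem_ok = procmem_bytes(pid, SECRET, r.via_procmem, sizeof SECRET) == 0;
    ptrace(PTRACE_DETACH, pid, NULL, NULL);   /* signal 0: the SIGSTOP is discarded */
    waitpid(pid, &status, 0);
    return r;
}

/* -1: ptrace not permitted here; 1: every read that succeeded matched SECRET and the
 * PEEKDATA copy took exactly one call per word; 0: a read went wrong. */
int trace_demo_check(void)
{
    struct trace_result r = run_trace_demo();
    if (r.ptrace_denied) return -1;
    if (!r.peek_ok || memcmp(r.via_peek, SECRET, sizeof SECRET) != 0) return 0;
    if (r.peek_calls != (long)(sizeof SECRET / sizeof(long))) return 0;
    if (r.procmem_ok && memcmp(r.via_procmem, SECRET, sizeof SECRET) != 0) return 0;
    return 1;
}

int main(void)
{
    struct trace_result r = run_trace_demo();
    if (r.ptrace_denied) { puts("ptrace not permitted in this environment"); return 1; }
    printf("PTRACE_PEEKDATA: %ld calls -> \"%s\"\n", r.peek_calls, r.via_peek);
    printf("/proc/pid/mem:   1 call  -> \"%s\"\n", r.procmem_ok ? r.via_procmem : "(unavailable)");
    return 0;
}
```

Compile with `cc -o peekdemo peekdemo.c` and run it as an ordinary user; on a host where Yama's ptrace_scope is set to 3, where CAP_SYS_PTRACE has been dropped from a locked-down container, or where a seccomp profile filters the ptrace syscall, the child's PTRACE_TRACEME fails and the program reports that instead of crashing, which is the same refusal a debugger sees on such a system. The call counter makes the article's point concrete: 64 bytes cost eight ptrace calls on a 64-bit kernel, whereas the procfs read is one call regardless of size.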

ptrace only provides the most basic interface necessary to support debuggers and similar tools. Programs using it must have intimate knowledge of the specifics of the OS and architecture, including stack layout, application binary interface, name mangling, and the format of any debug data, and are responsible for understanding and disassembling machine code themselves. Understanding system calls requires that the controller know the mapping of the syscall table and understand the parameters passed by each call. Further, programs that inject executable code into the target process or (like gdb) allow the user to enter commands that are executed in the context of the target must generate and load that code themselves, generally without the help of the program loader.

Support

ptrace was first implemented in Seventh Edition Unix,[5] and was present in both the SVr4 and 4.3BSD branches of Unix.[2] ptrace is available as a system call on IRIX,[6] IBM AIX,[7] NetBSD,[8] FreeBSD,[5] OpenBSD,[9] and Linux.[2] ptrace is implemented as a library call on Solaris, built on the Solaris kernel's procfs filesystem; Sun notes that ptrace on Solaris is intended for compatibility, and recommends that new implementations use the richer interface that proc supplies instead.[4] UnixWare also features a limited ptrace,[10] but, like Sun, SCO recommends that implementers use the underlying procfs features instead.[11] HP-UX supported ptrace until release 11i v3 (it was deprecated in favour of ttrace, a similar OS-specific call, in 11i v1).[12]

Apple's Mac OS X also implements ptrace as a system call. Apple's version adds a special option, PT_DENY_ATTACH: if a process invokes this option on itself, subsequent attempts to ptrace the process will fail.[13] Apple uses this feature to limit the use of debuggers on programs that manipulate DRM-ed content, including iTunes.[14] PT_DENY_ATTACH also disables DTrace's ability to monitor the process.[15] Debuggers on OS X typically use a combination of ptrace and the Mach VM and thread APIs.[16] ptrace (again with PT_DENY_ATTACH) is available to developers for the Apple iPhone.[17]

References

  1. For example retty uses ptrace to alter another process' file descriptors, and to inject executable code into the target's text segment
  2. "ptrace(2) manpage", Linux manual section 2
  3. The Design and Implementation of the 4.4 BSD Operating System, Marshall Kirk McKusick, Keith Bostic, Michael J. Karels, John Quarterman, Addison-Wesley, April 1996, ISBN 0-201-54979-4
  4. "ptrace() Request Values", Solaris Transition Guide, Sun Microsystems, 2000
  5. FreeBSD manual, section 2
  6. "ptrace(2)", IRIX 6.5 manual, section 2, SGI techpubs library
  7. "ptrace, ptracex, ptrace64 subroutine", IBM AIX Technical Reference: Base Operating System and Extensions, Volume 1
  8. "ptrace(2)", NetBSD manual, section 2
  9. "ptrace(2)", OpenBSD manual, section 2
  10. "ptrace(2)", SCO UnixWare 7 manual, section 2
  11. "System call compatibility notes", UnixWare 7 Documentation
  12. "ptrace() System Call (Obsolete)", HP-UX 11i Version 3 Release Notes: HP 9000 and HP Integrity Servers, Hewlett Packard, February 2007
  13. "ptrace(2) manual page", Apple Darwin/OS X manual
  14. "Owning the Fanboys: Hacking Mac OS X", Charlie Miller, Black Hat Briefings conference 2008
  15. "Apple 'breaks' Sun developer app", Matthew Broersma, Computerworld UK, 24 January 2008
  16. Chapter 9, Mac OS X Internals: A Systems Approach, Amit Singh, ISBN 978-0321278548, Addison-Wesley, 2006
  17. "ptrace(2)", BSD System Calls Manual, Apple iPhone OS Reference Library