Does anyone know what he’s talking about w.r.t. “breakpoints” used by strace around the 17:00 mark? strace uses PTRACE_SYSCALL machinery, not any hardware breakpoints (e.g. the int3 instruction on x86); the claims of it being unsafe came off as a bit FUDdy in an otherwise-good talk.
ptrace implements breakpoints by replacing an instruction with an int3 / 0xcc
But my point is that (unless I’m grossly misreading the source…) strace’s syscall-tracing isn’t implemented using “breakpoints” at all – it uses ptrace(PTRACE_SYSCALL, ...) to request that the kernel, as you describe in the talk, stop the tracee and hand control to the tracing process when the tracee makes a syscall. This is implemented via a simple conditional branch on a process flag in the kernel’s syscall-entry path (here, here, and here); the ptrace call just sets the magic flag on the target process (here).
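The mechanism this reply describes, as an added example that is not part of the thread and is not strace's own source: a minimal tracer that observes every syscall of a child using only PTRACE_SYSCALL stops, with no instruction in the tracee ever being overwritten with int3 / 0xcc. It assumes Linux with glibc and traces a forked copy of itself (which calls getppid() a few times) rather than exec'ing a program the way strace does; the function name count_syscall_stops and the counting logic are mine, not strace's.

```c
// Added example: a PTRACE_SYSCALL-based tracer (not strace's code).
// Assumes Linux + glibc. The tracee is a forked child of this process.
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a tracee that makes n_calls getppid() syscalls, trace it with
 * PTRACE_SYSCALL, and return the number of syscall-stops the kernel
 * reported (entry and exit each count as one). Returns -1 on failure,
 * e.g. when ptrace is not permitted in the current sandbox. */
int count_syscall_stops(int n_calls)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Tracee: ask to be traced by the parent, then stop so the parent
         * can set options before any traced syscalls happen. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(127);
        raise(SIGSTOP);
        /* getppid() is never cached by glibc, so each call is one syscall. */
        for (int i = 0; i < n_calls; i++)
            getppid();
        _exit(0);   /* exit_group: one more entry stop, never an exit stop */
    }

    /* Tracer: wait for the tracee's initial SIGSTOP. */
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFSTOPPED(status))
        return -1;

    /* TRACESYSGOOD tags syscall-stops as SIGTRAP|0x80 so they cannot be
     * confused with a real SIGTRAP delivered to the tracee. */
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD) == -1) {
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return -1;
    }

    int stops = 0;
    int sig = 0;    /* signal to inject on resume; 0 suppresses the initial SIGSTOP */
    for (;;) {
        /* Resume until the next syscall entry or exit. This is the request
         * strace issues; the kernel honours it with a flag check in its
         * syscall entry/exit path, not with a breakpoint instruction. */
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1)
            return -1;
        if (waitpid(pid, &status, 0) != pid)
            return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status))
            break;
        if (!WIFSTOPPED(status))
            continue;
        if (WSTOPSIG(status) == (SIGTRAP | 0x80)) {
            stops++;        /* a syscall-stop, not a signal */
            sig = 0;
        } else {
            sig = WSTOPSIG(status);   /* real signal: pass it through unchanged */
        }
    }
    return stops;
}

int main(void)
{
    int n = count_syscall_stops(5);
    if (n < 0) {
        perror("ptrace tracing failed");
        return 1;
    }
    printf("%d syscall-stops observed for 5 getppid() calls (entry + exit each)\n", n);
    return 0;
}
```

Five getppid() calls yield at least ten stops (entry plus exit for each); the remaining stops come from the tail of raise() and from the final exit_group entry, which is why the count is a lower bound rather than an exact value.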
I ended up going to see what this Sysdig shindig was, and wow, the demo is amazing.