LSE recruitment 2016 - Memory Checker

=================================================================================
                   LSE RECRUITMENT 2016 - MY MEMCHECK
=================================================================================

Goal: Reimplement a memory checker, i.e. look for invalid (out of bounds) memory
      accesses and memory leaks in a traced program
      https://lse.epita.fr/data/sujets/sujet-my_mmck.pdf


Level1 - Strace:
       src/level1
       Uses ptrace to track the system calls of a traced program
       Prints arguments for execve, fork, vfork, clone, exit,
       exit_group, brk, mmap, munmap, mremap, mprotect
       Catches the exit status of exit/exit_group from edi (the low 32 bits of
       rdi, which holds the first syscall argument on x86-64)
       Prints the PID and where an error was raised
       Prints the names of the other syscalls, but not their arguments
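A minimal tracer in the style of Level1, added here as a worked example (it is not the project's level1 code): it forks a child, has the child request tracing and stop itself, then runs a PTRACE_SYSCALL loop. PTRACE_O_TRACESYSGOOD marks syscall stops as SIGTRAP|0x80 so they are not confused with signal-delivery stops, PTRACE_GETREGS supplies the syscall number (orig_rax) and arguments (rdi, rsi, rdx), and PTRACE_PEEKDATA copies the execve pathname out of the tracee word by word. It assumes x86-64 Linux and that /bin/true exists; trace_program, trace_result and peek_string are names chosen for this example.

```c
/* Added example for the my_memcheck README; not part of the project.
 * Assumes x86-64 Linux (register names) and a runnable /bin/true. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the tracer observed; filled in by trace_program(). */
struct trace_result {
    int  tracing_ok;        /* 0 when PTRACE_TRACEME was refused (sandbox, yama) */
    int  syscall_entries;   /* syscall-entry stops seen */
    int  saw_execve;        /* execve(path, ...) entry seen with the expected path */
    int  saw_exit;          /* exit or exit_group entry seen */
    long exit_status_arg;   /* first argument (rdi, read as edi) of that exit call */
    char execve_path[256];  /* pathname copied out of the tracee */
};

/* Copy a NUL-terminated string out of the tracee, one word per PEEKDATA. */
static void peek_string(pid_t pid, unsigned long addr, char *out, size_t cap)
{
    size_t n = 0;
    while (n + sizeof(long) < cap) {
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + n), NULL);
        if (errno != 0)
            break;                            /* unreadable address: stop here */
        memcpy(out + n, &word, sizeof word);
        if (memchr(&word, '\0', sizeof word) != NULL)
            return;                           /* terminator already copied */
        n += sizeof word;
    }
    out[n] = '\0';
}

struct trace_result trace_program(const char *path)
{
    struct trace_result r;
    memset(&r, 0, sizeof r);

    pid_t pid = fork();
    if (pid < 0)
        return r;
    if (pid == 0) {                           /* tracee */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(126);                       /* tracing refused: tell the parent */
        raise(SIGSTOP);                       /* pause so the tracer can set options */
        execl(path, path, (char *)NULL);
        _exit(127);                           /* exec failed: still traced, still exits */
    }

    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        return r;                             /* child never stopped: ptrace denied */
    r.tracing_ok = 1;
    /* Mark syscall stops as SIGTRAP|0x80 so they differ from real SIGTRAPs. */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);

    int in_syscall = 0, sig = 0;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1)
            break;
        if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
            break;                            /* tracee exited or was killed */
        sig = 0;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) {
            /* Signal-delivery stop: re-inject it, except the post-execve SIGTRAP. */
            if (WSTOPSIG(status) != SIGTRAP)
                sig = WSTOPSIG(status);
            continue;
        }
        in_syscall = !in_syscall;             /* syscall stops alternate entry, exit */
        if (!in_syscall)
            continue;                         /* exit stop: rax holds the return value */

        struct user_regs_struct regs;         /* x86-64 register layout */
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1)
            break;
        r.syscall_entries++;
        switch (regs.orig_rax) {              /* syscall number; rdi, rsi, rdx are args 1-3 */
        case SYS_execve:
            peek_string(pid, regs.rdi, r.execve_path, sizeof r.execve_path);
            if (strcmp(r.execve_path, path) == 0)
                r.saw_execve = 1;
            printf("[%d] execve(\"%s\", %#llx, %#llx)\n", pid, r.execve_path, regs.rsi, regs.rdx);
            break;
        case SYS_exit:
        case SYS_exit_group:
            r.saw_exit = 1;
            r.exit_status_arg = (long)(int)regs.rdi;   /* edi: low 32 bits of rdi */
            printf("[%d] %s(%ld)\n", pid,
                   regs.orig_rax == SYS_exit ? "exit" : "exit_group", r.exit_status_arg);
            break;
        default:
            printf("[%d] syscall %llu\n", pid, regs.orig_rax);
        }
    }
    return r;
}

int main(void)
{
    struct trace_result r = trace_program("/bin/true");
    printf("tracing_ok=%d entries=%d execve=%d exit=%d status=%ld\n",
           r.tracing_ok, r.syscall_entries, r.saw_execve, r.saw_exit, r.exit_status_arg);
    return 0;
}
```

The raise(SIGSTOP) before execve matters: with PTRACE_TRACEME alone the first stop would be the SIGTRAP after a successful execve, and the execve entry (the one whose pathname you want to print) would already be gone. Entry and exit stops are told apart by alternation here; the older trick of testing rax == -ENOSYS at entry works too on x86-64.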

Level2 - Hooked Strace:
       src/level2
       #include Level1
       - PTRACE_SYSCALL
       + HOOK ON SYSCALLS
       1 line against 700, and less efficient, but hey, WE rule the stuff now

Level3 - Memory tracer:
       src/level3
       #include Level{1,2}
       Hooks the frequently used functions that play with memory:
       malloc, realloc, free, calloc
       Saves each allocated area, to check later that accesses are not out of bounds
       Pretty neat
       memory_hooks.c generates libhooks.so. Preloaded (LD_PRELOAD), it lets memcheck
       trace malloc-style functions
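An interposer of the kind memory_hooks.c builds, written for this README as an added example (it is not the project's libhooks.so and does not reproduce the record layout of shared.hh). Each hook resolves the real allocator with dlsym(RTLD_NEXT, ...), records the block in a fixed table so the hooks themselves never call malloc, and serves the allocations dlsym may make during that lookup from a static arena. hooks_find, hooks_live and hook_rec are names chosen here; the table is single-threaded by assumption. Build it as a preload library with `gcc -shared -fPIC -o libhooks.so hooks.c -ldl` (the -ldl is unnecessary on glibc 2.34 and later), or link it straight into a test program, where the executable's malloc likewise wins over libc's.

```c
/* Added example for the my_memcheck README; not the project's libhooks.so.
 * Assumes glibc and a single-threaded program. */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One record per allocation; a fixed table so the hooks never allocate. */
struct hook_rec { void *ptr; size_t size; int live; };
#define HOOK_MAX 4096
static struct hook_rec g_recs[HOOK_MAX];
static size_t g_nrecs;

static void *(*real_malloc)(size_t);
static void  (*real_free)(void *);
static void *(*real_calloc)(size_t, size_t);
static void *(*real_realloc)(void *, size_t);

/* dlsym() may itself allocate before real_* are known; serve those requests
 * from a zero-filled static arena and never free them. */
static int g_resolving;
static char g_arena[64 * 1024];
static size_t g_arena_used;

static void *arena_alloc(size_t n)
{
    size_t off = (g_arena_used + 15) & ~(size_t)15;
    if (n > sizeof g_arena - off) return NULL;
    g_arena_used = off + n;
    return g_arena + off;
}
static int in_arena(const void *p)
{
    return (const char *)p >= g_arena && (const char *)p < g_arena + sizeof g_arena;
}
static void resolve(void)
{
    if (real_malloc) return;
    g_resolving = 1;
    real_malloc  = dlsym(RTLD_NEXT, "malloc");
    real_free    = dlsym(RTLD_NEXT, "free");
    real_calloc  = dlsym(RTLD_NEXT, "calloc");
    real_realloc = dlsym(RTLD_NEXT, "realloc");
    g_resolving = 0;
}

static void track(void *p, size_t n)
{
    if (!p) return;
    for (size_t i = 0; i < g_nrecs; i++)            /* reuse a dead slot first */
        if (!g_recs[i].live) { g_recs[i] = (struct hook_rec){p, n, 1}; return; }
    if (g_nrecs < HOOK_MAX) g_recs[g_nrecs++] = (struct hook_rec){p, n, 1};
}
static void untrack(void *p)
{
    for (size_t i = 0; i < g_nrecs; i++)
        if (g_recs[i].live && g_recs[i].ptr == p) { g_recs[i].live = 0; return; }
}

/* Query side, what the checker asks: which live block, if any, contains addr? */
const struct hook_rec *hooks_find(const void *addr)
{
    for (size_t i = 0; i < g_nrecs; i++) {
        const struct hook_rec *r = &g_recs[i];
        if (r->live && (const char *)addr >= (const char *)r->ptr
                    && (const char *)addr <  (const char *)r->ptr + r->size)
            return r;
    }
    return NULL;
}
/* Number of blocks still live: at exit, this is the leak list. */
size_t hooks_live(void)
{
    size_t n = 0;
    for (size_t i = 0; i < g_nrecs; i++) n += g_recs[i].live;
    return n;
}

/* The interposed allocator entry points. */
void *malloc(size_t n)
{
    if (g_resolving) return arena_alloc(n);
    resolve();
    void *p = real_malloc(n);
    track(p, n);
    return p;
}
void *calloc(size_t a, size_t b)
{
    if (g_resolving) return arena_alloc(a * b);      /* arena memory is already zeroed */
    resolve();
    void *p = real_calloc(a, b);
    track(p, a * b);
    return p;
}
void *realloc(void *p, size_t n)
{
    resolve();
    if (in_arena(p)) return malloc(n);               /* bootstrap chunks are never grown */
    void *q = real_realloc(p, n);
    if (q) { untrack(p); track(q, n); }
    return q;
}
void free(void *p)
{
    if (!p || in_arena(p)) return;
    resolve();
    untrack(p);
    real_free(p);
}
```

The g_resolving flag is the part people forget: on some glibc versions dlsym allocates (via calloc) the first time it is called, and without the arena that call re-enters the hook and recurses until the stack is gone. Invalid frees (a pointer that is not a live record) are still passed straight to the real free here, which matches what the README lists under "What doesn't".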

Level4 - Memory checker:
       src/level4
       #include Level{1...3}
       Removes access to the tracked memory, so that every access to it faults
       Handles the resulting segfaults: checks the access, then lets the program continue
       Displays memory leaks and invalid accesses for mmap regions
       Displays memory leaks and invalid accesses now for malloc blocks too
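An in-process sketch of the Level4 idea, added as an example rather than taken from src/level4 (which does the same thing from the tracer side, on the child's memory): each tracked block lives on its own PROT_NONE page, so any access faults; the SIGSEGV handler classifies si_addr against the recorded bounds, reopens the page and sets the x86 trap flag in the saved context so the access is retried and then single-stepped; the SIGTRAP handler locks the page again and clears the flag. It goes slightly beyond the README in also reporting use-after-free, which the project does not claim. It assumes x86-64 Linux (REG_EFL, the 0x100 trap flag); the checker_* names, access_report and the constructed accesses in checker_demo are this example's own.

```c
/* Added example for the my_memcheck README; not the project's level4 code.
 * Assumes x86-64 Linux and glibc (REG_EFL in ucontext). */
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

#define MAX_TRACKED 16
#define X86_TF 0x100UL              /* EFLAGS trap flag: single-step one instruction */

struct tracked {
    uintptr_t page;  size_t page_len;   /* whole mapping, PROT_NONE between accesses */
    uintptr_t base;  size_t len;        /* bytes the program legitimately owns */
    int freed;
};
struct access_report { int valid, oob, uaf, leaks; };

static struct tracked g_tracked[MAX_TRACKED];
static int g_ntracked;
static volatile sig_atomic_t g_valid, g_oob, g_uaf;
static struct tracked *volatile g_pending;   /* page to lock again after the step */

static struct tracked *find_page(uintptr_t a)
{
    for (int i = 0; i < g_ntracked; i++)
        if (a >= g_tracked[i].page && a < g_tracked[i].page + g_tracked[i].page_len)
            return &g_tracked[i];
    return NULL;
}

/* SIGSEGV: classify the access, reopen the page, arrange a trap after the retry. */
static void on_segv(int sig, siginfo_t *si, void *uctx)
{
    (void)sig;
    uintptr_t a = (uintptr_t)si->si_addr;
    struct tracked *t = find_page(a);
    if (!t) { signal(SIGSEGV, SIG_DFL); return; }    /* not ours: crash normally */
    if (t->freed)                                  g_uaf++;
    else if (a >= t->base && a < t->base + t->len) g_valid++;
    else                                           g_oob++;
    mprotect((void *)t->page, t->page_len, PROT_READ | PROT_WRITE);
    g_pending = t;
    ((ucontext_t *)uctx)->uc_mcontext.gregs[REG_EFL] |= X86_TF;
}

/* SIGTRAP from the single step: the access went through, lock the page again. */
static void on_trap(int sig, siginfo_t *si, void *uctx)
{
    (void)sig; (void)si;
    if (g_pending) {
        mprotect((void *)g_pending->page, g_pending->page_len, PROT_NONE);
        g_pending = NULL;
    }
    ((ucontext_t *)uctx)->uc_mcontext.gregs[REG_EFL] &= ~(greg_t)X86_TF;
}

int checker_init(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_flags = SA_SIGINFO;
    sa.sa_sigaction = on_segv;
    if (sigaction(SIGSEGV, &sa, NULL) == -1) return -1;
    sa.sa_sigaction = on_trap;
    return sigaction(SIGTRAP, &sa, NULL);
}

/* Hand out len bytes on a private page that is inaccessible from the start. */
void *checker_alloc(size_t len)
{
    if (g_ntracked == MAX_TRACKED) return NULL;
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    size_t page_len = (len + pg - 1) / pg * pg;
    void *p = mmap(NULL, page_len, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    g_tracked[g_ntracked++] = (struct tracked){ (uintptr_t)p, page_len, (uintptr_t)p, len, 0 };
    return p;
}

/* Keep the page mapped and locked, so a use after free still faults and is reported. */
void checker_free(void *p)
{
    struct tracked *t = find_page((uintptr_t)p);
    if (t) t->freed = 1;
}

int checker_leaks(void)
{
    int n = 0;
    for (int i = 0; i < g_ntracked; i++)
        if (!g_tracked[i].freed) {
            n++;
            fprintf(stderr, "leak: %zu bytes at %#lx\n", g_tracked[i].len, (unsigned long)g_tracked[i].base);
        }
    return n;
}

/* Constructed accesses that exercise every path; the counts come back for inspection. */
struct access_report checker_demo(void)
{
    struct access_report rep = {0, 0, 0, 0};
    g_valid = g_oob = g_uaf = 0;
    if (checker_init() == -1) return rep;
    volatile char *p = checker_alloc(24);
    volatile char *q = checker_alloc(8);    /* never freed: reported as a leak */
    if (!p || !q) return rep;
    p[0]  = 'a';                            /* valid write */
    p[23] = 'z';                            /* valid write, last byte */
    p[24] = '!';                            /* one past the end, still on the locked page */
    char c = p[0];                          /* valid read */
    checker_free((void *)p);
    c = p[5];                               /* use after free */
    (void)c;
    rep.valid = g_valid; rep.oob = g_oob; rep.uaf = g_uaf;
    rep.leaks = checker_leaks();
    return rep;
}

int main(void)
{
    struct access_report r = checker_demo();
    printf("valid=%d oob=%d uaf=%d leaks=%d\n", r.valid, r.oob, r.uaf, r.leaks);
    return 0;
}
```

Two caveats match items in the README. The handler only knows the first faulting byte (si_addr), not the width of the access, so a 4-byte read that starts in bounds and ends past the block is counted as valid; that is why the project decodes instruction sizes. And nothing here tells a read from a write: on x86-64 that needs the error code in the fault (or decoding the instruction), which is exactly the part the README says is not reliable yet. Overflows that leave the page land on an unmapped address and hit the "not ours" branch.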



What works:
     * Catch, print, and run the child's syscalls
     * Maintain a map of every memory area allocated by the child,
       from mmap and malloc
     * Syscalls from loaded libraries too
     * Display memory leaks from mmap and malloc (tells whether the block is on the heap or not)
     * Display invalid accesses from mmap and now malloc (read and write)
     * Handle segfaults too: skip the faulting access and continue
     * Get instruction sizes (for the faulting access)


What doesn't:
     * Differentiating reads from writes 100% of the time
     * Handling invalid frees



NOTES:

XIP, XAX, and other variables named like this were an attempt at preparing for a
*possible* multi-arch compliant program. They translate to rip or eip (in the
case of XIP, for example) depending on the machine.

├── src
│   ├── helpers
│   │   └── helpers.cc         // Some helper functions used in the project
│   ├── includes
│   │   ├── colors.hh          // Pretty printing helper
│   │   ├── defines.hh         // Every included header, macro, and some class
│   │   ├── helpers.hh
│   │   ├── level1.hh
│   │   ├── level2.hh
│   │   ├── level4.hh
│   │   ├── shared.hh          // Shared data between memcheck and libhooks.so
│   │   └── syscalls.hh
│   ├── level1                 // Basic strace implementation
│   │   ├── mem_strace.cc
│   │   ├── strace.cc
│   │   └── syscalls.cc
│   ├── level2                 // Strace without PTRACE_SYSCALL
│   │   ├── breaker.cc
│   │   ├── dig_into_mem.cc
│   │   └── mem_strace_hook.cc
│   ├── level3                 // Memory tracker
│   │   ├── memory_hooks.c     // Generates libhooks.so
│   │   ├── mem_tracker.cc
│   │   └── tracker.cc
│   └── level4                 // Inject code, and check memory access
│       ├── injector.cc
│       ├── mem_checker.cc
│       └── sanity_check.cc
├── tests                      // Quick tests
│   └── debug.cc