EPIC: uprobe
Opened this issue · 4 comments
Difficulty: finding methods
Read the BPFroid paper: .oat and .so files, pages 7-9
Edit by @fhilgers:
As a PO I want to trace arbitrary function calls from programs running on the device.
Acceptance criteria:
- Retrieving memory addresses to attach uprobe ebpf programs
Further tickets:
- Writing uprobe ebpf programs that export information
- Loading and configuring them via the daemon
We definitely have to split this task up a lot.
For research:
- Read the pages in the paper
- Read the code from the paper
Then the actual implementation consists of multiple parts as well:
- Getting the right symbols (this happens outside of ebpf)
- Actually tracing those (inside ebpf)
The implementation of the paper gets symbols from shared libraries (.so files) and .oat files.
- Find a list of shared libraries on the system
- Getting .oat files from zygote
The BPFroid repository (from the paper) has shell scripts:
- Get the scripts to work as sanity check (https://github.com/yanivagman/BPFroid/tree/main/utils)
Afterwards we have to decide whether we want to offer the capabilities for finding available uprobe entries while the loader is running, or whether that happens as part of generating a configuration.
I suggest:
1. Find methods via a script outside of the actual process via adb and make them available to the daemon via a config or settings file
2. Call external programs which are on Android devices in our loader for retrieving methods (oatdump).
3. Write a library to get the methods without external program calls
We should start with 1 and defer 2 and 3 to new tickets.
In the BPFroid repo the mentioned scripts for searching symbols are implemented in Go in the tracee.go file (https://github.com/yanivagman/BPFroid/tree/main/tracee/tracee.go) in the function initLibBases.
We could follow that. It works as follows:
- Find the zygote process so you can later calculate the symbols' memory addresses via an offset from that zygote base address
- search for .so and .oat files included in the zygote (and therefore in all applications) via /proc/$ZYGOTE_PID/maps
- calculate the correct addresses and extract the symbols
But with that code - afaik - BPFroid only traces standard-lib methods, which are included in every process. So if we wanted to trace arbitrary methods which aren't included by default, we would have to search every $PID in /proc/$PID/maps
We should just start with standard-lib methods and get that working. Afterward we expand to more, but as part of new tickets, so the work is better split up and we have continuous progress.
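As an added example of the three steps described in the previous comment (find the zygote maps, locate the .so/.oat mappings, calculate addresses), written in Go because that is also the language of tracee.go; this is not code from BPFroid or from this project. It parses /proc/<pid>/maps, derives a library's load base, and converts a symbol's ELF address into the path:offset pair the kernel's uprobe interface actually takes (a uprobe is keyed on the file and a file offset, not on a runtime address). The sample maps text is constructed, libfoo.so is hypothetical, and obtaining the symbol's ELF address (st_value, e.g. via debug/elf for .so files or via oatdump for .oat files) is assumed to happen elsewhere.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Mapping is one parsed line of /proc/<pid>/maps.
type Mapping struct {
	Start, End uint64 // virtual address range [Start, End)
	Perms      string // e.g. "r-xp"
	Offset     uint64 // file offset that Start corresponds to
	Path       string // backing file, a "[...]" pseudo path, or ""
}

// ParseMaps parses the text of a /proc/<pid>/maps file.
func ParseMaps(text string) ([]Mapping, error) {
	var maps []Mapping
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 {
			continue
		}
		rng := strings.SplitN(f[0], "-", 2)
		if len(f) < 5 || len(rng) != 2 {
			return nil, fmt.Errorf("malformed maps line: %q", sc.Text())
		}
		start, err1 := strconv.ParseUint(rng[0], 16, 64)
		end, err2 := strconv.ParseUint(rng[1], 16, 64)
		off, err3 := strconv.ParseUint(f[2], 16, 64)
		if err1 != nil || err2 != nil || err3 != nil {
			return nil, fmt.Errorf("bad hex field in maps line: %q", sc.Text())
		}
		m := Mapping{Start: start, End: end, Perms: f[1], Offset: off}
		if len(f) >= 6 {
			m.Path = f[5]
		}
		maps = append(maps, m)
	}
	return maps, sc.Err()
}

// LibBase returns the load base of the file whose path ends in suffix: the
// lowest mapping of that file, rebased to file offset 0. For an ELF whose first
// PT_LOAD has p_vaddr 0 (the normal case for Android .so and .oat files) a
// symbol with ELF address st_value then sits at base + st_value at runtime.
func LibBase(maps []Mapping, suffix string) (base uint64, found bool) {
	for _, m := range maps {
		if !strings.HasSuffix(m.Path, suffix) || m.Offset > m.Start {
			continue
		}
		if b := m.Start - m.Offset; !found || b < base {
			base, found = b, true
		}
	}
	return base, found
}

// UprobeOffset turns a runtime address into what the kernel uprobe interface
// takes: the backing file plus the offset inside that file. It is not simply
// addr - base: a mapping's file offset need not equal its distance from the
// load base, so the offset of the mapping that contains addr is used.
func UprobeOffset(maps []Mapping, addr uint64) (path string, off uint64, ok bool) {
	for _, m := range maps {
		if addr >= m.Start && addr < m.End && m.Path != "" && m.Path[0] != '[' {
			return m.Path, addr - m.Start + m.Offset, true
		}
	}
	return "", 0, false
}

// UprobeEvent formats a tracefs uprobe_events line ("p:GROUP/NAME PATH:OFFSET").
func UprobeEvent(group, name, path string, off uint64) string {
	return fmt.Sprintf("p:%s/%s %s:0x%x", group, name, path, off)
}

// SampleMaps is a constructed excerpt of a zygote64 /proc/<pid>/maps: the
// addresses and inode numbers are made up and libfoo.so is hypothetical.
const SampleMaps = `7b2c400000-7b2c4a2000 r--p 00000000 fd:00 1234  /apex/com.android.runtime/lib64/bionic/libc.so
7b2c4a2000-7b2c5a7000 r-xp 000a2000 fd:00 1234  /apex/com.android.runtime/lib64/bionic/libc.so
7b2c5a7000-7b2c5b0000 r--p 001a7000 fd:00 1234  /apex/com.android.runtime/lib64/bionic/libc.so
7b2c5b0000-7b2c5b3000 rw-p 001af000 fd:00 1234  /apex/com.android.runtime/lib64/bionic/libc.so
7b2c5b3000-7b2c5c0000 rw-p 00000000 00:00 0     [anon:.bss]
7b2d000000-7b2d001000 r--p 00000000 fd:00 2345  /system/lib64/libfoo.so
7b2d002000-7b2d010000 r-xp 00001000 fd:00 2345  /system/lib64/libfoo.so
7c10000000-7c10400000 r--p 00000000 fd:00 5678  /apex/com.android.art/javalib/arm64/boot.oat
7c10400000-7c10c00000 r-xp 00400000 fd:00 5678  /apex/com.android.art/javalib/arm64/boot.oat
7fff000000-7fff021000 rw-p 00000000 00:00 0     [stack]
`

// Usage on a device: uprobe-addr $(pidof zygote64) /libc.so 0xb1234
func main() {
	if len(os.Args) != 4 {
		fmt.Fprintln(os.Stderr, "usage: uprobe-addr <pid> <lib-suffix> <st_value-hex>")
		os.Exit(2)
	}
	data, err := os.ReadFile("/proc/" + os.Args[1] + "/maps")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	maps, err := ParseMaps(string(data))
	stValue, err2 := strconv.ParseUint(strings.TrimPrefix(os.Args[3], "0x"), 16, 64)
	base, found := LibBase(maps, os.Args[2])
	if err != nil || err2 != nil || !found {
		fmt.Fprintln(os.Stderr, "cannot resolve library base:", err, err2)
		os.Exit(1)
	}
	path, off, ok := UprobeOffset(maps, base+stValue)
	if !ok {
		fmt.Fprintln(os.Stderr, "address is not file-backed")
		os.Exit(1)
	}
	fmt.Println(UprobeEvent("uprobes", "probe", path, off))
}
```

Because the resulting probe is keyed on the file and its offset, a uprobe placed on libc.so via the zygote's maps fires in every process that maps that same file, which is why the zygote is enough for the standard libraries; an app-private library would still need its own /proc/$PID/maps walk to find the file, but the offset computation is the same.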