public inbox for systemtap@sourceware.org
* BOFH meets SystemTap DC4420 London talk follow up
@ 2011-03-23 19:03 Adrien Kunysz
  0 siblings, 0 replies; only message in thread
From: Adrien Kunysz @ 2011-03-23 19:03 UTC (permalink / raw)
  To: dc4420; +Cc: systemtap


The slides are available from http://stapbofh.krunch.be/systemtap-bofh-dc4420-20110323.pdf
The actual examples are in the same directory http://stapbofh.krunch.be/

Due to beer consumption I might not have properly answered the
questions I got after the talk. Let's try to fix this here:

* What language does SystemTap use? Is it D like DTrace?

It's a specific language. The concepts and features are pretty similar
to D but the syntax is different. I can't really comment further as I
have no practical experience with DTrace. You can find the language
reference at http://sourceware.org/systemtap/langref/ and a lot of
examples at http://sourceware.org/systemtap/examples/ (both also
shipped with SystemTap).

You can find a comparison table at
http://sourceware.org/systemtap/wiki/SystemtapDtraceComparison

* Do you need root?

The short answer is yes. But then, Christer demonstrated last month
that, in general, getting root on a Linux system is not all that hard.

Actually you can also allow users that are part of the stapdev or
stapusr groups to run arbitrary or "trusted" scripts respectively.
This is described in the "SAFETY AND SECURITY" section of the stap(1)
manual <http://sourceware.org/systemtap/man/stap.1.html#lbAX>.
Yeah, that's more pwnage potential. Report any bugs you find to the
SystemTap developers please.

* How does it actually work?

That depends on what you are instrumenting. For the kernel side it is
mostly using kprobes. For the userland side it's uprobes (which is not
in the mainline kernel...yet?). Other facilities provided by the kernel
may also be used (tracepoints, perf events,...). See "man stapprobes"
and /usr/src/linux/Documentation/{kprobes.txt,trace/}
<http://sourceware.org/systemtap/man/stapprobes.3stap.html>
<http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=tree;f=Documentation>

* Can you use it to extract crypto keys from applications?

Most probably yes. However you will need an uprobe-enabled kernel
(Fedora and RHEL-derived kernels are probably the easiest way to get
started) and good debug symbols for the application/library you target
(building with a newish gcc version helps). This means it won't work
very well with proprietary or obfuscated binaries unless you want to
track down the address of whatever you want to observe manually.

To instrument "hostile" applications, you may want to have a look
at http://code.google.com/p/processtap/ (unrelated to SystemTap).

If you end up writing a BOFHesque SystemTap script (OpenSSL and OpenSSH
suddenly look like promising targets), I would be happy to hear about
it.

* What is your window manager?

An old version of Ion 3. Don't use it.
http://en.wikipedia.org/wiki/Ion_(window_manager)#Controversy
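As an added illustration of the "How does it actually work?" answer above (this script is not part of the original post or the SystemTap examples directory), the following stap script puts a kernel-side probe, which the syscall tapset resolves to a kprobe or tracepoint, next to a userland probe that needs a uprobes-enabled kernel and debug symbols for the target. The target path /usr/bin/example and its function do_work are assumptions chosen for the example.

```systemtap
#! /usr/bin/env stap
# Added example: kernel-side (kprobes) and userland (uprobes) probes side by side,
# used here to audit which executables open files and how often a userland
# function runs. Run as root or as a member of stapdev/stapusr (see stap(1)).

global opens   # per-executable count of open() calls, filled from the kernel side
global calls   # per-function count of userland calls, filled via uprobes

# Kernel side: syscall.open comes from the syscall tapset, which SystemTap
# implements with a kprobe (or tracepoint, where available) on the open syscall.
probe syscall.open {
  opens[execname()]++
}

# Userland side: placing a probe on a function inside a process needs uprobes
# in the kernel and DWARF debug symbols for the binary. Path and function name
# are assumptions for this example, not a real target.
probe process("/usr/bin/example").function("do_work") {
  calls[probefunc()]++
}

# Stop after ten seconds so the script is a bounded audit, not a permanent tap.
probe timer.s(10) {
  exit()
}

# Report the ten executables that opened the most files, then the userland counts.
probe end {
  printf("%-20s %s\n", "executable", "open() calls")
  foreach (e in opens- limit 10)
    printf("%-20s %d\n", e, opens[e])
  foreach (f in calls)
    printf("userland %s called %d times\n", f, calls[f])
}
```

If the kernel lacks uprobes or the binary has no debug symbols, stap reports that the process probe cannot be resolved at translation time; the kernel-side probe alone still works.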

