AWS EC2 HVM instances may lie about cpuid_fault

cpuid faulting is a feature available on Intel CPUs since Ivy Bridge; Linux kernel support has been pushed by rr, via arch_prctl(ARCH_SET_CPUID)[1]. It allows user space programs to simulate the CPUID instruction by trapping the cpuid instruction to SIGSEGV. [Read More]

glibc linker namespace

glibc provides a very powerful function, dlmopen, which allows the user to load dynamic shared objects (DSOs) into a new, isolated namespace[1]. The application still loads the DSOs it depends on (its DT_NEEDED entries), so as a result there are multiple copies of DSOs loaded into the same address space. However, because of the abstraction provided by dlmopen, they are logically isolated. This also means that symbol resolution in the new linker namespace won't cross the namespace boundary, except perhaps for symbols within ld-linux.so. As with dlopen, the handle returned is a pointer to a struct link_map; iterating over the link_map shows that ld-linux.so has a NULL load address and no _DYNAMIC section. [Read More]

tls problems

On x86_64, thread local storage (tls) is implemented in userspace, mostly in libc. However, with a dynamically linked application the dynamic linker must also initialize tls for the application; most importantly, it exports the function __tls_get_addr (__tls_get_new is a weak alias to this function). tls functions related to pthread are often implemented in libc or libpthread. [Read More]

Linux ptrace and exit_group

exit_group is a Linux syscall to kill all processes in the same process group; by kill, it means the kernel sends SIGKILL to all processes in the same process group. Assuming you're writing a non-trivial tracer with proper thread support, exit_group can be quite difficult to deal with. According to the strace documentation found here [Read More]