‘Dynamic’ kernel patchingSystem calls‘Open Source’ philosophyAlternative to edit/recompileInvoking kernel servicesThe system-call jump-tableAssembly language (.data)The ‘jump-table’ ideaAssembly language (.text)Changing the jump-tableFinding the jump-tableUsing ‘uname’ and ‘grep’The ‘vmlinux’ fileWhere is ‘sys_call_table[ ]’?Exporting ‘sys_call_table’Avoid hard-coded constantModule paramererssimple_strtoul()Shell scriptsshell-script formatThe ‘cut’ commandFinishing upThe ‘objdump’ programWhich entry can we change?‘newcall.c’Recently… an extra obstaclepage-frame attributesTweak page-frame attributesIn-class exercise #1‘Dynamic’ kernel patchingHow you could add your own system-calls to Linux without editing and recompiling the kernelSystem calls•System Calls are the basic OS mechanism for providing privileged kernel services to application programs (e.g., fork(), clone(), execve(), read(), write(), signal(), getpid(), waitpid(), gettimeofday(), setitimer(), etc.)•Linux implements over 300 system calls•To understand how system calls work, we can try creating one of our own design‘Open Source’ philosophy•Linux source-code is publicly available•In principle, anyone could edit the sources to add their own new functions into Linux•In practice, it is inconvenient to do this •The steps needed involve reconfiguring, recompiling, and reinstalling your kernel•For novices these steps are treacherous!•Any error risks data-loss and down-timeAlternative to edit/recompile•Linux modules offer an alternative method for modifying the OS kernel’s functionality•It’s safer -- and vastly more convenient – since error-recovery only needs a reboot, and minimal system knowledge suffices•The main hurdle to be overcome concerns the issue of ‘linking’ module code to some non-exported Linux kernel data-structuresInvoking kernel servicesapplicationprogram user-mode (restricted privileges) kernel-mode (unrestricted privileges)standardruntimelibrariescallretLinux kernelint 0x80iretinstallable modulecallretThe system-call jump-table•There are approximately 300 system-calls•Any specific system-call is selected by its ID-number (it’s placed into register %eax) •It would be inefficient to use if-else tests or even a switch-statement to transfer to the service-routine’s entry-point•Instead an array of function-pointers is directly accessed (using the ID-number)•This array is named ‘sys_call_table[]’Assembly language (.data).section .datasys_call_table:.long sys_restart_syscall.long sys_exit.long sys_fork.long sys_read.long sys_write// …etc (from ‘arch/i386/kernel/entry.S’)The ‘jump-table’ ideasys_restart_syscallsys_exitsys_forksys_readsys_writesys_opensys_close…etc…sys_call_table.section .text012345678Assembly language (.text).section .textsystem_call:// copy parameters from registers onto stack…call sys_call_table(, %eax, 4)jmp ret_from_sys_callret_from_sys_call:// perform rescheduling and signal-handling…iret // return to caller (in user-mode)Changing the jump-table•To install our own system-call function, we just need to change an entry in the Linux ‘sys_call_table[]’ array, so it points to our own module function, but save the former entry somewhere (so we can restore it if we remove our module from the kernel)•But we first need to find ‘sys_call_table[]’ -- and there are two easy ways to do thatFinding the jump-table•Older versions of Linux (prior to 2.4.18) used to ‘export’ the ‘sys_call_table[]’ as a global symbol, but current versions keep this table’s address private (for security)•But often during kernel-installation there is a ‘System.map’ file that gets put into the ‘/boot’ directory and – assuming it matches your compiled kernel – it holds the kernel address for the ‘sys_call_table[]’ arrayUsing ‘uname’ and ‘grep’•You can use the ‘uname’ command to find out which kernel-version is running:$ uname -r•Then you can use the ‘grep’ command to find ‘sys_call_table’ in your System.map file, like this:$ grep sys_call_table /boot/System.map-2.6.22.5cslabsThe ‘vmlinux’ file•Your compiled kernel (uncompressed) is left in the ‘/usr/src/linux’ directory •It is an ELF-format (executable) file•It contains .text and .data sections •You can examine your ‘vmlinux’ kernel with the ‘objdump’ system-utility •You can pipe the output through the ‘grep’ utility to locate the ‘sys_call_table’ symbolSection-Header Table(optional)Executable versus LinkableELF HeaderSection 2 DataSection 3 Data…Section n DataSegment 1 DataSegment 2 DataSegment 3 Data…Segment n DataLinkable File Executable FileSection-Header TableProgram-Header Table(optional)Program-Header TableELF HeaderSection 1 DataWhere is ‘sys_call_table[ ]’?•This is how you use ‘objdump’ and ‘grep’ to find the ‘sys_call_table[]’ address: $ cd /usr/src/linux $ objdump –t vmlinux | grep sys_call_tableExporting ‘sys_call_table’•Once you know the address of your kernel’s ‘sys_call_table[]’, you can write a module to export that address to other modules, e.g.: // declare global variableunsigned long *sys_call_table;EXPORT_SYMBOL(sys_call_table);int init_module( void){sys_call_table = (unsigned long *)0xC0251500;return 0;}Avoid hard-coded constant•You probably don’t want to ‘hard code’ the sys_call_table’s value in your module – if you ever recompile your kernel, or use a differently configured kernel, you’d have to remember to edit your module and then recompile it – or risk a corrupted system!•There’s a way to suply the required value as a module-parameter during ‘insmod’Module paramererschar *svctable; // declare global variablemodule_param( svctable, charp, 0444 );// Then you install your module like this:$ /sbin/insmod myexport.ko svctable=c0251500// Linux will assign the address of your input string “c0251500” to the ‘svctable’ pointer:simple_strtoul()•There is a kernel function you can use, in your ‘init_module()’ function, that will convert a string of hexadecimal digits into an ‘unsigned long’’:int init_module( void ){unsigned long myval;myval = simple_strtoul( svctable, NULL, 16 );sys_call_table = (unsigned long *)myval;return 0;}Shell scripts•It’s inconvenient – and risks typing errors – if you must manually search ‘vmlinux’ and