
I'm trying to prevent a hacker from attaching gdb to a process and have been successful forking a child process that ptrace attaches to the parent (which then prevents subsequent gdb ptrace attach). Problem solved...

However, for a multi-threaded program I'm stumped. I could have the child monitor the parent for new threads and then attach to those when seen, but that seems like a high-overhead approach.

Any ideas?

Goblinhack
  • Just found out about libthread_db and TD_CREATE; thinking another process could monitor the pid for thread creation and then ptrace attach dynamically to the target pid. – Goblinhack Jul 31 '15 at 00:35

1 Answer


Problem solved...

You are deluding yourself if you think that merely attaching the parent will prevent a determined hacker from debugging your program.

Your protection will work only against the least sophisticated attacker. A more sophisticated one can:

  • kill your child process and attach your parent, or
  • build a custom libc.so that implements ptrace which doesn't actually attach the target, or
  • use LD_PRELOAD to inject a ptrace that does what he wants, or
  • run with a custom kernel that allows a debugger to attach to an already attached process, or
  • a few dozen other ways

For an attacker that can modify the OS kernel, there is really very little you could do to protect your program.

As for "how to attach any newly-created thread", you can catch the sys_clone with PTRACE_SYSCALL, and attach the cloned process immediately on return. See also PTRACE_O_TRACECLONE in the ptrace man page.

Are there best practices for securing code?

This question has quite a few suggestions.

Employed Russian
  • So apart from abandoning hope, are there any best practices for securing your code (to some degree)? Everything can be hacked in the end, but what other approaches are out there to slow an attacker down or thwart the intermediate-level hacker? Thanks for the sys_clone pointer BTW – Goblinhack Jul 31 '15 at 14:19
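The thread-attach mechanism the answer points to (PTRACE_O_TRACECLONE), shown as an added example that is not part of the question, the answer, or any project's code. It is written as a self-contained self-test: the tracer forks a constructed tracee that spawns a few pthreads, sets PTRACE_O_TRACECLONE on it, and counts the PTRACE_EVENT_CLONE stops it receives; each new thread reported this way is already under the tracer's control when it is first scheduled, so there is no window in which it runs untraced and nothing to poll. The function name, the tracee's exit code 99 for "ptrace refused", and the -1 return for environments where ptrace is not permitted (seccomp, Yama ptrace_scope, containers) are conventions of this example, not of the ptrace API.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exit code the constructed tracee uses to report that PTRACE_TRACEME was
   refused (seccomp, Yama ptrace_scope, missing capability). Assumed convention. */
#define TRACEE_NO_PTRACE 99

/* Thread body of the constructed tracee: no real work, it just exists. */
static void *worker(void *arg)
{
    (void)arg;
    return NULL;
}

/* Tracee side (runs in the forked child): ask to be traced, stop so the
   tracer can set options, then create nthreads threads, join them, exit. */
static void run_tracee(int nthreads)
{
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        _exit(TRACEE_NO_PTRACE);
    raise(SIGSTOP);                 /* tracer resumes us after SETOPTIONS */

    pthread_t *tids = calloc((size_t)nthreads, sizeof *tids);
    if (!tids)
        _exit(2);
    for (int i = 0; i < nthreads; i++)
        if (pthread_create(&tids[i], NULL, worker, NULL) != 0)
            _exit(2);
    for (int i = 0; i < nthreads; i++)
        pthread_join(tids[i], NULL);
    _exit(0);
}

/* Tracer side: fork a tracee that spawns nthreads threads and return how many
   PTRACE_EVENT_CLONE stops were observed (one per new thread), or -1 when
   ptrace is not permitted in this environment. */
int count_traced_thread_creations(int nthreads)
{
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        run_tracee(nthreads);
        _exit(0);
    }

    int status;
    /* First stop is the tracee's own raise(SIGSTOP). If the child exited
       instead, PTRACE_TRACEME failed here. */
    if (waitpid(child, &status, 0) != child || !WIFSTOPPED(status))
        return -1;

    /* PTRACE_O_TRACECLONE: every clone() with a non-SIGCHLD exit signal
       (i.e. every new thread) stops the creating thread with
       PTRACE_EVENT_CLONE, and the new thread starts already traced by us,
       stopped with a SIGSTOP. */
    if (ptrace(PTRACE_SETOPTIONS, child, NULL,
               (void *)(long)PTRACE_O_TRACECLONE) == -1) {
        kill(child, SIGKILL);
        waitpid(child, &status, 0);
        return -1;
    }
    ptrace(PTRACE_CONT, child, NULL, NULL);

    int clones = 0;
    for (;;) {
        /* __WALL: also report stops and exits of non-leader threads. */
        pid_t w = waitpid(-1, &status, __WALL);
        if (w < 0) {
            if (errno == EINTR)
                continue;
            break;                  /* ECHILD: nothing left to trace */
        }
        if (WIFEXITED(status) || WIFSIGNALED(status)) {
            if (w == child) {       /* leader gone: whole thread group gone */
                if (WIFEXITED(status) && WEXITSTATUS(status) == TRACEE_NO_PTRACE)
                    return -1;
                break;
            }
            continue;               /* a worker thread exited */
        }
        if (!WIFSTOPPED(status))
            continue;

        if ((status >> 8) == (SIGTRAP | (PTRACE_EVENT_CLONE << 8))) {
            unsigned long new_tid = 0;   /* TID of the thread just created */
            ptrace(PTRACE_GETEVENTMSG, w, NULL, &new_tid);
            clones++;
            printf("thread %d created thread %lu (already traced)\n",
                   (int)w, new_tid);
            ptrace(PTRACE_CONT, w, NULL, NULL);
        } else {
            /* Either the initial SIGSTOP of a new thread or an ordinary
               signal: swallow the SIGSTOP, deliver anything else unchanged. */
            int sig = WSTOPSIG(status);
            if (sig == SIGSTOP)
                sig = 0;
            ptrace(PTRACE_CONT, w, NULL, (void *)(long)sig);
        }
    }
    return clones;
}

int main(void)
{
    int n = count_traced_thread_creations(3);
    if (n < 0)
        puts("ptrace not permitted in this environment");
    else
        printf("saw %d thread creations\n", n);
    return 0;
}
```

The same option is what gdb and strace rely on to follow threads, which is also the caveat for the question's purpose: a "guard" tracer built this way only holds against someone who does not simply kill it or bypass ptrace, exactly as the answer says. The `waitpid(-1, ..., __WALL)` loop matters: without `__WALL` the tracer never sees the new threads' stops, and without resuming each thread's initial SIGSTOP the tracee's `pthread_join` blocks forever.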