
For a security application I am looking into the possibility of one process (let's say the tracer) being able to modify the text segment of another process (let's say the tracee). The tracee should not be able to write to its own text segment.
What are available options for something like that?

Ideally I would like this IPC to be as low-overhead as possible (like shared memory, if possible). In fact, ideally I was hoping that I could do this at the thread level, with a tracer thread and a tracee thread. But from what I understand, Linux doesn't allow different threads of the same process to have different permissions.

Yunnosch
budchan chao
  • Mostly the text segment is read-only and you can't change it. Forget about changing the text segment of another process; you can't change the text segment of your own process. Do you know if your architecture allows changing the text segment? – Mayank Jain Mar 06 '18 at 23:04
  • That happens in self-modifying code, right? Linux provides mprotect() to change the permissions of mapped memory, which I have used to self-modify code. – budchan chao Mar 06 '18 at 23:09
  • Man page of mprotect says "If the calling process tries to access memory in a manner that violates the protections, then the kernel generates a SIGSEGV signal for the process." – Mayank Jain Mar 06 '18 at 23:13
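The two comments above describe the mechanism: a text-segment page is mapped readable and executable but not writable, a store to it is refused by the kernel, and mprotect() is what flips that decision. The following program is an added example (it is not code from the question or any commenter) that reproduces this on an anonymous r-x page. A direct store to the page would raise SIGSEGV, as the mprotect man page says; to keep the demonstration signal-free, the probe instead asks the kernel to store into the page via read(2) from a pipe, which reports the same protection failure as EFAULT instead of killing the process. All function names are this example's own, not a library API.

```c
/* Added example: a page mapped like a text segment (r-x) refuses writes until
 * mprotect() makes it writable. Demonstrates the r-x / SIGSEGV / mprotect()
 * behaviour discussed in the comments without touching the real text segment. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map one page the way a text segment is mapped: readable and executable, not
 * writable. Falls back to read-only if the kernel refuses anonymous executable
 * memory (some hardened configurations do); the write refusal is the same.
 * Returns NULL on failure. */
void *map_text_like_page(size_t *len_out)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        p = mmap(NULL, len, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    if (len_out)
        *len_out = len;
    return p;
}

/* Ask the kernel to store one byte ('X') at addr through read(2) on a pipe.
 * Returns 1 if the store went through, 0 if the kernel refused it with EFAULT
 * (page not writable), -1 on an unrelated error. A direct store from user code
 * would instead deliver SIGSEGV to the process. */
int probe_writable(void *addr)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    int result = -1;
    if (write(fds[1], "X", 1) == 1) {
        ssize_t n = read(fds[0], addr, 1);
        if (n == 1)
            result = 1;
        else if (n == -1 && errno == EFAULT)
            result = 0;
    }
    close(fds[0]);
    close(fds[1]);
    return result;
}

/* Flip the page to read+write, which is what self-modifying code has to do
 * before patching itself. Returns 0 on success like mprotect(). */
int make_page_rw(void *page, size_t len)
{
    return mprotect(page, len, PROT_READ | PROT_WRITE);
}

/* Runs the whole sequence; returns 1 only if the write was refused while the
 * page was r-x and accepted (and visible) after mprotect(). */
int demo_text_protection(void)
{
    size_t len = 0;
    unsigned char *page = map_text_like_page(&len);
    if (!page)
        return 0;
    int before = probe_writable(page);
    int rc = make_page_rw(page, len);
    int after = probe_writable(page);
    int ok = (before == 0 && rc == 0 && after == 1 && page[0] == 'X');
    munmap(page, len);
    return ok;
}

int main(void)
{
    printf("r-x page refused the write, writable after mprotect(): %s\n",
           demo_text_protection() ? "yes" : "no");
    return 0;
}
```

The probe is deliberately indirect: read(2) into an unwritable buffer fails the kernel's copy-to-user step and surfaces as EFAULT, so the same page-protection check that would segfault a user-mode store can be observed as a return value. Note that the program changes only a page it mapped itself; the point of the question is that the tracee must not be able to do this to its own text, which is exactly what a process can do unless something (seccomp, an LSM policy) denies the mprotect() call.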
  • I don't think this is impossible per se (can't think of a way to do this on top of my head, though I wouldn't be too surprised to find out there's some way to disable the default security mechanisms to allow for this), though it doesn't seem like a good idea to try to do this. If you wanted to, you'd be better off trying to instrument the binary before executing it (and even that seems a bit sketchy). If you just want to monitor a running process, just use a debugger. (see [ptrace](https://linux.die.net/man/2/ptrace)) – Cubic Mar 06 '18 at 23:13
  • I am just curious, how are you getting the start address of the text segment? By getting the address of the main function? – Mayank Jain Mar 06 '18 at 23:15
  • You can open /proc//mem but I'm not sure if you can write to read-only pages that way. – user253751 Mar 06 '18 at 23:18
  • Related: https://stackoverflow.com/questions/3800762/linux-equivalent-for-virtualprotectex – user253751 Mar 06 '18 at 23:19
  • Sounds like this needs to happen in a kernel module to me. Modern OSes sandbox each process in user space to explicitly _prevent_ processes from stomping on each other's memory (if you've found some exploitable vulnerability to allow this, that's a different story, but the spirit of [memory protection](https://en.wikipedia.org/wiki/Memory_protection) shouldn't allow this). Operating in the kernel you should be able to do whatever you want if you know how (I don't). – yano Mar 06 '18 at 23:45
  • Please describe a little more about your plan. The chosen thread names are almost self-explaining, I admit, but a little more explanation might be helpful. More knowledge about your goals might open other possibilities and maybe attract more answerers. – Yunnosch Oct 01 '18 at 05:29
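The comments settle on the same picture: a text segment is r-x, a process can make it writable with mprotect(), and /proc/<pid>/mem and ptrace are the ways another process reaches in. From the defender's side, the check a practitioner wants is whether any mapping of a process has ended up both writable and executable, which is what a self-modifying text segment or an injected code page looks like in /proc/<pid>/maps. The program below is an added example (not from the question or any commenter) that parses maps-format text and counts such W+X mappings; it runs on a constructed sample and, via audit_process(), on the live file for a pid or for "self". Function names and the sample lines are this example's own.

```c
/* Added example: audit /proc/<pid>/maps for mappings that are both writable
 * and executable. A process that used mprotect() to make its text writable,
 * or that had code written into a fresh rw page, shows up as an "rwx" line. */
#include <stdio.h>
#include <string.h>

/* One line of /proc/<pid>/maps looks like (address range, perms, offset,
 * device, inode, path):
 *   55d7c3e00000-55d7c3e01000 r-xp 00000000 08:01 1234  /usr/bin/prog
 * The permission field is the second whitespace-separated token. */
static int line_is_wx(const char *line)
{
    char perms[8] = {0};
    if (sscanf(line, "%*s %7s", perms) != 1)
        return 0;
    return strchr(perms, 'w') != NULL && strchr(perms, 'x') != NULL;
}

/* Count W+X mappings in maps-format text held in memory (lines end in '\n'). */
int count_wx_mappings(const char *maps_text)
{
    int count = 0;
    const char *p = maps_text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;   /* overlong line: perms are near the start */
        memcpy(line, p, len);
        line[len] = '\0';
        if (line_is_wx(line))
            count++;
        if (!nl)
            break;
        p = nl + 1;
    }
    return count;
}

/* Read /proc/<pid>/maps ("self" works too) and return the number of W+X
 * mappings, or -1 if the file cannot be opened (no such pid, or the caller
 * lacks permission to inspect that process). */
int audit_process(const char *pid)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%s/maps", pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    int count = 0;
    char line[512];
    while (fgets(line, sizeof line, f))
        if (line_is_wx(line))
            count++;
    fclose(f);
    return count;
}

/* Constructed sample in maps format; not taken from any real process.
 * Exactly one line (the anonymous rwxp page) should be flagged. */
const char *SAMPLE_MAPS =
    "55d7c3e00000-55d7c3e01000 r-xp 00000000 08:01 1234 /usr/bin/prog\n"
    "55d7c4000000-55d7c4001000 rw-p 00001000 08:01 1234 /usr/bin/prog\n"
    "7f1a00000000-7f1a00001000 rwxp 00000000 00:00 0\n"
    "7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0 [stack]\n";

int main(int argc, char **argv)
{
    const char *pid = argc > 1 ? argv[1] : "self";
    printf("sample: %d W+X mapping(s)\n", count_wx_mappings(SAMPLE_MAPS));
    printf("pid %s: %d W+X mapping(s)\n", pid, audit_process(pid));
    return 0;
}
```

Run it with a pid as the first argument to inspect another process; reading another process's maps file needs the same ptrace-style access as /proc/<pid>/mem, so an unprivileged caller only sees its own processes. A nonzero count is not proof of anything by itself (JITs legitimately create rwx pages), but for a process whose text is supposed to stay read-only it is the signal that someone has used mprotect() or an equivalent on it.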
