SlideShare a Scribd company logo

Talk 160920 @ Cat System Workshop

Quey-Liang Kao, profile picture
Quey-Liang Kao

The document discusses dynamically hacking the Linux kernel with containers. It begins by introducing the speaker and their research interests. It then discusses three ways to modify the kernel space: kernel modules, live patching, and kernel detouring. Kernel detouring allows hijacking system calls within containers for cross-OS compatibility. Challenges include insufficient isolation and limited development. The talk demonstrates a proof-of-concept of running FreeBSD binaries on Linux using kernel detouring and containers. It remapped Linux system calls to FreeBSD equivalents and provided a FreeBSD environment within a Linux container.

Engineering
1 of 52
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
Dynamically Hacking the Kernel with Containers CAT System Workshop 2016.09.20 Quey-Liang Kao NTHUCS
About Myself ● PhD Student – Adviser: Che-Rung Lee ● Research topics ➢ HPC (numerical), Heterogeneous computing ➢ High-end hardware virtulization (InfiniBand, GPGPU) ➢ Container technology
About Myself - the other side ● Archoholic – Archwiki – AUR packager ● runc-git, openscap ● kpatch ● GNOME ● BICIB – https://github.com/NonerKao/BICIB
What is this?
Hacking the Kernel ...
Hack ... Computers. ● to modify (a computer program or electronic device) or write (a program) in a skillful or clever way. ● to circumvent security and break into (a network, computer, file, etc.), usually with malicious intent: Criminals hacked the bank's servers yesterday. http://www.dictionary.com/browse/hacking
Hack ... Computers. ● to modify (a computer program or electronic device) or write (a program) in a skillful or clever way. ● to circumvent security and break into (a network, computer, file, etc.), usually with malicious intent: Criminals hacked the bank's servers yesterday. http://www.dictionary.com/browse/hacking
Hacking the Kernel ... [ OK ] Dynamically ...
3 ways to modify the kernelspace Modules, Live patches, and Kernel detouring
Kernel Module: Loading Kernel ext.ko Kernel Space User Space Process: insmod ext.ko syscall: init_module
Kernel Module: Using some_ext.ko Kernel Space User Space Process: cat /dev/some_cdev syscall: read Kernel
Kernel Live Patching: Building fix.ko Kernel Space User Space Process: build fix.patch syscall: init_module File: fix.patch Current kernel source Bug() Bug-fixed()
Kernel Live Patching: Applying fix.ko Kernel Space User Space Process: insmod fix.ko syscall: init_module Bug() Bug-fixed()
Kernel Live Patching: Applying fix.ko Kernel Space User Space Bug() Bug-fixed() ftrace Normal Process
Kernel Kernel Detouring detour.ko Kernel Space User Space Normal Process Special Process func() func()
Hacking the Kernel ... [ OK ] Dynamically ... [ OK ] with Containers ...
Virtual Machines ( KVM ) Kernel User Space Kernel Space kvm.ko VM 2VM 1 Proc 1 Libs / Conf Guest Kernel Proc 3 Libs / Conf Guest Kernel Proc 2 hypercall
Processes Kernel Process 1 User Space Kernel Space Libraries / Configuration Process 2 Process 3
Container 2Container 1 Containers Kernel Process 1 User Space Kernel Space Libs / Conf Process 2 Process 3 Libs / Conf Namespaces
Kernel Kernel Detouring detour.ko (namespace- aware) Kernel Space User Space Normal Process Container func() func()
Hacking the Kernel ... [ OK ] Dynamically ... [ OK ] with Containers ... [ OK ]
Why?
The short story -- Just for fun!
The long story: 1. Impact http://alaskarobotics.com/2009/11/30/gallery-walk/ + =
The long story: 2. Trend SaaS PaaS IaaS CaaS ?
VM Process Libs / Conf Guest Kernel Container The long story: 3. Towards higher isolation Isolation++ Performance++ Process Libs / Conf kvm K-Container Process Libs / Conf Detour
VM Process Libs / Conf Guest Kernel Container Side Note: For better performance Isolation++ Performance++ Process Libs / Conf kvm HyperV Container Process Libs / Conf Windows Server 10 Thin Kernel
Where?
Possible Use Cases ● Experimental module/patch test bed ● Environment for other OSes ● Educational purpose
FreeBSD binary on Linux 01000110011100100110010101100101010000100101001101000100
Why it is not possible: Scene 1 Kernel mov 0x1, %rax syscall (translate: I want to exit)
Why it is not possible: Scene 2 Kernel ...you want to write? nothing specialsys_write()
Why it is not possible: Scene 3 Kernel (Eventually) SIGSEGV End of life but no exit ...what’s wrong with this process?
Kernel Recall: Kernel Detouring detour.ko (namespace- aware) Kernel Space User Space Normal Process Container func() func()
Why it IS possible now: Scene 1 Kernel mov 0x1, %rax syscall (translate: I want to exit) Container
Container Why it IS possible now: Scene 2 Kernel detour.ko (namespace- aware) system call table system call table for FreeBSD #1 is sys_write, so … ...wait, this is a FreeBSD container!
Container Why it IS possible now: Scene 3 Kernel detour.ko (namespace- aware)sys_exit() system call table for FreeBSD
Specific Challenges ( FreeBSD ) ● Corresponding system calls – Flag numbers are not portable – different calling/exiting conventions ● Unique system calls – Re-implementation
General Challenges ● Insufficient isolation ● Limitation of development – live patching should only be a temp. solution
Other Binary Compatibility Work ● Wine – Special loader for PEs/DLLs ● FreeBSD, Windows 10 – Kernel built-in compatibility layer for Linux binary – System call remapping/re-implementation
How?
Step 0: Setup ● Environment ( x86_64 machine ) – Linux 4.6.2 – FreeBSD 10.2 ● Tools – kpatch: A tool for kernel livepatch – docker
Step 1: From LivePatching to Detouring kernel/livepatch/core.c.orig:klp_ftrace_handler klp_arch_set_pc(regs, (unsigned long)func->new_func); kernel/livepatch/core.c:klp_ftrace_handler klp_arch_set_pc(regs, (is_freebsd_container()) ? (unsigned long)func->new_func : (unsigned long)ip+5);
Ftrace in LivePatching old_func() 0x1230 call __fentry__ 0x1235 push %rbp 0x1236 mov %rsp, %rbp 0x1239 push %r15 ... new_func() 0x2230 call __fentry__ 0x2235 push %rbp 0x2236 mov %rsp, %rbp 0x2239 push %r14 ... ftrace handler IP func->new_func
Ftrace in Detouring old_func() 0x1230 call __fentry__ 0x1235 push %rbp 0x1236 mov %rsp, %rbp 0x1239 push %r15 ... new_func() 0x2230 call __fentry__ 0x2235 push %rbp 0x2236 mov %rsp, %rbp 0x2239 push %r14 ... ftrace handler IP IP+5 func->new_func
Step 2: Detour-able Entry Point arch/x86/entry/entry_64.S.orig: ENTRY(entry_SYSCALL_64) … call *sys_call_table(, %rax, 8) void detour_entry() { … asm("jmp *sys_call_table(, %rax, 8)"); } arch/x86/entry/entry_64.S: ENTRY(entry_SYSCALL_64) … call detour_entry Assembly file is NOT detour-able! In some C source file
Step 3: Detoured Entry Point void detour_entry() ... asm("jmp *sys_call_table(, %rax, 8)"); void detour_entry() ... asm("mov fbd_table(, %rax, 8), %rax"); asm("jmp *sys_call_table(, %rax, 8)"); asmlinkage const long long fbd_table[] = {0,60,57,...}; EXPORT_SYMBOL(fbd_table); remapping syscall#
The work flow 1. Launch a normal container 2. Run a init script 1. which enables the specific detour modules 3. A FreeBSD environment in the container 4. On exit 1. disable detour modules
DEMO!
Conclusion ● The kernel detouring demo attempts to indicate the possibility of the development of OS containers – as a proof-of-concept – kpatch as a temp. solution ● Future direction – Make more fun
Q & A
Behind the scenes ● How to implement the is_freebsd_container() function? ● How was the ContainerCon Japan?

More Related Content

PDF
Library Operating System for Linux #netdev01
Hajime Tazaki
 
PDF
Virtualization which isn't: LXC (Linux Containers)
Dobrica Pavlinušić
 
PPTX
grsecurity and PaX
Kernel TLV
 
PDF
Make Your Containers Faster: Linux Container Performance Tools
Kernel TLV
 
PDF
Fun with Network Interfaces
Kernel TLV
 
PDF
FreeBSD and Drivers
Kernel TLV
 
PDF
Linux Containers From Scratch
joshuasoundcloud
 
PDF
Introduction to eBPF and XDP
lcplcp1
 
Library Operating System for Linux #netdev01
Hajime Tazaki
 
Virtualization which isn't: LXC (Linux Containers)
Dobrica Pavlinušić
 
grsecurity and PaX
Kernel TLV
 
Make Your Containers Faster: Linux Container Performance Tools
Kernel TLV
 
Fun with Network Interfaces
Kernel TLV
 
FreeBSD and Drivers
Kernel TLV
 
Linux Containers From Scratch
joshuasoundcloud
 
Introduction to eBPF and XDP
lcplcp1
 

What's hot (20)

PDF
Fun with FUSE
Kernel TLV
 
PDF
Staging driver sins
Stephen Hemminger
 
PDF
Lxc- Linux Containers
samof76
 
PDF
The Linux Block Layer - Built for Fast Storage
Kernel TLV
 
PDF
Linux Containers From Scratch: Makfile MicroVPS
joshuasoundcloud
 
PDF
NUSE (Network Stack in Userspace) at #osio
Hajime Tazaki
 
PPTX
Realizing Linux Containers (LXC)
Boden Russell
 
PPTX
Lecture 3 Perl & FreeBSD administration
Mohammed Farrag
 
PPTX
Containers are the future of the Cloud
Pavel Odintsov
 
PDF
Lxc- Introduction
Luís Eduardo
 
PPTX
The Silence of the Canaries
Kernel TLV
 
PDF
Containers and Namespaces in the Linux Kernel
OpenVZ
 
PDF
Kqueue : Generic Event notification
Mahendra M
 
PDF
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Jian-Hong Pan
 
PDF
Linuxcon Barcelon 2012: LXC Best Practices
christophm
 
PDF
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Kernel TLV
 
PDF
Linux cgroups and namespaces
Locaweb
 
PDF
Lecture 6 Kernel Debugging + Ports Development
Mohammed Farrag
 
PDF
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Kernel TLV
 
PDF
Advanced Namespaces and cgroups
Kernel TLV
 
Fun with FUSE
Kernel TLV
 
Staging driver sins
Stephen Hemminger
 
Lxc- Linux Containers
samof76
 
The Linux Block Layer - Built for Fast Storage
Kernel TLV
 
Linux Containers From Scratch: Makfile MicroVPS
joshuasoundcloud
 
NUSE (Network Stack in Userspace) at #osio
Hajime Tazaki
 
Realizing Linux Containers (LXC)
Boden Russell
 
Lecture 3 Perl & FreeBSD administration
Mohammed Farrag
 
Containers are the future of the Cloud
Pavel Odintsov
 
Lxc- Introduction
Luís Eduardo
 
The Silence of the Canaries
Kernel TLV
 
Containers and Namespaces in the Linux Kernel
OpenVZ
 
Kqueue : Generic Event notification
Mahendra M
 
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Jian-Hong Pan
 
Linuxcon Barcelon 2012: LXC Best Practices
christophm
 
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Kernel TLV
 
Linux cgroups and namespaces
Locaweb
 
Lecture 6 Kernel Debugging + Ports Development
Mohammed Farrag
 
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Kernel TLV
 
Advanced Namespaces and cgroups
Kernel TLV
 
Ad

Viewers also liked (6)

PPTX
Vuls×deep security
一輝 長澤
 
PPTX
Bsd presentation
Majda Allani
 
PDF
CONTINUOUS INTEGRATION WITH JENKINS AND GIT
Benjamin Lutaaya
 
PDF
FreeBSD: Dev to Prod
Sean Chittenden
 
PDF
Advanced Docker Developer Workflows on MacOS X and Windows
Anil Madhavapeddy
 
PPT
Msu free bsd
vipul08591
 
Vuls×deep security
一輝 長澤
 
Bsd presentation
Majda Allani
 
CONTINUOUS INTEGRATION WITH JENKINS AND GIT
Benjamin Lutaaya
 
FreeBSD: Dev to Prod
Sean Chittenden
 
Advanced Docker Developer Workflows on MacOS X and Windows
Anil Madhavapeddy
 
Msu free bsd
vipul08591
 
Ad

Similar to Talk 160920 @ Cat System Workshop (20)

PDF
Kernel Configuration and Compilation
Bud Siddhisena
 
PDF
Hardware Detection Tool
Anne Nicolas
 
PDF
Containers with systemd-nspawn
Gábor Nyers
 
PDF
Kernel Configuration
dinusha4010
 
PDF
Hacking the Linux Kernel - An Introduction
Levente Kurusa
 
PDF
Development platform virtualization using qemu
Premjith Achemveettil
 
PDF
Linux kernel-rootkit-dev - Wonokaerun
idsecconf
 
PDF
Introduction to Linux Kernel Development
Levente Kurusa
 
PDF
MIPS-X
Zoltan Balazs
 
PDF
OSインストーラーの自作方法
LINE Corporation
 
PDF
CODE BLUE 2014 : BadXNU, A rotten apple! by PEDRO VILAÇA
CODE BLUE
 
PPTX
First steps on CentOs7
Marc Cortinas Val
 
PDF
Snapshots, Replication, and Boot-Environments by Kris Moore
eurobsdcon
 
PDF
Lpreservereurobsd2014
krispcbsd
 
PPTX
Linux kernel debugging
Hao-Ran Liu
 
PDF
kpatch.kgraft
Udo Seidel
 
PDF
Asiabsdcon2013
krispcbsd
 
PDF
Introduction To Linux Kernel Modules
dibyajyotig
 
PPT
Basic Linux Internals
mukul bhardwaj
 
PDF
Linux advanced concepts - Part 1
NAILBITER
 
Kernel Configuration and Compilation
Bud Siddhisena
 
Hardware Detection Tool
Anne Nicolas
 
Containers with systemd-nspawn
Gábor Nyers
 
Kernel Configuration
dinusha4010
 
Hacking the Linux Kernel - An Introduction
Levente Kurusa
 
Development platform virtualization using qemu
Premjith Achemveettil
 
Linux kernel-rootkit-dev - Wonokaerun
idsecconf
 
Introduction to Linux Kernel Development
Levente Kurusa
 
MIPS-X
Zoltan Balazs
 
OSインストーラーの自作方法
LINE Corporation
 
CODE BLUE 2014 : BadXNU, A rotten apple! by PEDRO VILAÇA
CODE BLUE
 
First steps on CentOs7
Marc Cortinas Val
 
Snapshots, Replication, and Boot-Environments by Kris Moore
eurobsdcon
 
Lpreservereurobsd2014
krispcbsd
 
Linux kernel debugging
Hao-Ran Liu
 
kpatch.kgraft
Udo Seidel
 
Asiabsdcon2013
krispcbsd
 
Introduction To Linux Kernel Modules
dibyajyotig
 
Basic Linux Internals
mukul bhardwaj
 
Linux advanced concepts - Part 1
NAILBITER
 

Recently uploaded (20)

PPTX
bas. eng. economics group 4 presentation 1.pptx
kiribakimoses1993
 
PPT
Project quality management in manufacturing
BarMusaTetik
 
PPTX
Foundation to blockchain - A guide to Blockchain Tech
Davies Chacko
 
PDF
July 2025 - Top 10 Read Articles in International Journal of Software Enginee...
sebastianku31
 
PDF
Operating System & Kernel Study Guide-1 - converted.pdf
mranoninvisib16
 
PPTX
CARTOGRAPHY AND GEOINFORMATION VISUALIZATION chapter1 NPTE (2).pptx
abhi1361yadav
 
PDF
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
IJAEMSJORNAL
 
PPTX
Internet of Things (IOT) - A guide to understanding
Davies Chacko
 
PDF
Structs to JSON How Go Powers REST APIs.pdf
Emily Achieng
 
PDF
PRIZ Academy - 9 Windows Thinking Where to Invest Today to Win Tomorrow.pdf
PRIZ Guru
 
PDF
Digital Logic Computer Design lecture notes
CHINNASUNKAIAH1
 
PPTX
web development for engineering and engineering
keshriji700
 
PPTX
Lesson 3_Tessellation.pptx finite Mathematics
quakeplayz54
 
PDF
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
PPTX
OOP with Java - Java Introduction (Basics)
Rashmi T V
 
PDF
Arduino robotics embedded978-1-4302-3184-4.pdf
AbdullahEmam4
 
PDF
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
ryankakungu
 
PPTX
IOT PPTs Week 10 Lecture Material.pptx of NPTEL Smart Cities contd
ssusera400e8
 
PPTX
M Tech Sem 1 Civil Engineering Environmental Sciences.pptx
ShriNRPrasad
 
DOCX
573137875-Attendance-Management-System-original
AYUSHMANAV
 
bas. eng. economics group 4 presentation 1.pptx
kiribakimoses1993
 
Project quality management in manufacturing
BarMusaTetik
 
Foundation to blockchain - A guide to Blockchain Tech
Davies Chacko
 
July 2025 - Top 10 Read Articles in International Journal of Software Enginee...
sebastianku31
 
Operating System & Kernel Study Guide-1 - converted.pdf
mranoninvisib16
 
CARTOGRAPHY AND GEOINFORMATION VISUALIZATION chapter1 NPTE (2).pptx
abhi1361yadav
 
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
IJAEMSJORNAL
 
Internet of Things (IOT) - A guide to understanding
Davies Chacko
 
Structs to JSON How Go Powers REST APIs.pdf
Emily Achieng
 
PRIZ Academy - 9 Windows Thinking Where to Invest Today to Win Tomorrow.pdf
PRIZ Guru
 
Digital Logic Computer Design lecture notes
CHINNASUNKAIAH1
 
web development for engineering and engineering
keshriji700
 
Lesson 3_Tessellation.pptx finite Mathematics
quakeplayz54
 
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
OOP with Java - Java Introduction (Basics)
Rashmi T V
 
Arduino robotics embedded978-1-4302-3184-4.pdf
AbdullahEmam4
 
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
ryankakungu
 
IOT PPTs Week 10 Lecture Material.pptx of NPTEL Smart Cities contd
ssusera400e8
 
M Tech Sem 1 Civil Engineering Environmental Sciences.pptx
ShriNRPrasad
 
573137875-Attendance-Management-System-original
AYUSHMANAV
 

Talk 160920 @ Cat System Workshop

  • 1. Dynamically Hacking the Kernel with Containers CAT System Workshop 2016.09.20 Quey-Liang Kao NTHUCS
  • 2. About Myself ● PhD Student – Adviser: Che-Rung Lee ● Research topics ➢ HPC (numerical), Heterogeneous computing ➢ High-end hardware virtulization (InfiniBand, GPGPU) ➢ Container technology
  • 3. About Myself - the other side ● Archoholic – Archwiki – AUR packager ● runc-git, openscap ● kpatch ● GNOME ● BICIB – https://github.com/NonerKao/BICIB
  • 6. Hack ... Computers. ● to modify (a computer program or electronic device) or write (a program) in a skillful or clever way. ● to circumvent security and break into (a network, computer, file, etc.), usually with malicious intent: Criminals hacked the bank's servers yesterday. http://www.dictionary.com/browse/hacking
  • 7. Hack ... Computers. ● to modify (a computer program or electronic device) or write (a program) in a skillful or clever way. ● to circumvent security and break into (a network, computer, file, etc.), usually with malicious intent: Criminals hacked the bank's servers yesterday. http://www.dictionary.com/browse/hacking
  • 8. Hacking the Kernel ... [ OK ] Dynamically ...
  • 9. 3 ways to modify the kernelspace Modules, Live patches, and Kernel detouring
  • 10. Kernel Module: Loading Kernel ext.ko Kernel Space User Space Process: insmod ext.ko syscall: init_module
  • 11. Kernel Module: Using some_ext.ko Kernel Space User Space Process: cat /dev/some_cdev syscall: read Kernel
  • 12. Kernel Live Patching: Building fix.ko Kernel Space User Space Process: build fix.patch syscall: init_module File: fix.patch Current kernel source Bug() Bug-fixed()
  • 13. Kernel Live Patching: Applying fix.ko Kernel Space User Space Process: insmod fix.ko syscall: init_module Bug() Bug-fixed()
  • 14. Kernel Live Patching: Applying fix.ko Kernel Space User Space Bug() Bug-fixed() ftrace Normal Process
  • 15. Kernel Kernel Detouring detour.ko Kernel Space User Space Normal Process Special Process func() func()
  • 16. Hacking the Kernel ... [ OK ] Dynamically ... [ OK ] with Containers ...
  • 17. Virtual Machines ( KVM ) Kernel User Space Kernel Space kvm.ko VM 2VM 1 Proc 1 Libs / Conf Guest Kernel Proc 3 Libs / Conf Guest Kernel Proc 2 hypercall
  • 19. Container 2Container 1 Containers Kernel Process 1 User Space Kernel Space Libs / Conf Process 2 Process 3 Libs / Conf Namespaces
  • 20. Kernel Kernel Detouring detour.ko (namespace- aware) Kernel Space User Space Normal Process Container func() func()
  • 21. Hacking the Kernel ... [ OK ] Dynamically ... [ OK ] with Containers ... [ OK ]
  • 22. Why?
  • 23. The short story -- Just for fun!
  • 24. The long story: 1. Impact http://alaskarobotics.com/2009/11/30/gallery-walk/ + =
  • 25. The long story: 2. Trend SaaS PaaS IaaS CaaS ?
  • 26. VM Process Libs / Conf Guest Kernel Container The long story: 3. Towards higher isolation Isolation++ Performance++ Process Libs / Conf kvm K-Container Process Libs / Conf Detour
  • 27. VM Process Libs / Conf Guest Kernel Container Side Note: For better performance Isolation++ Performance++ Process Libs / Conf kvm HyperV Container Process Libs / Conf Windows Server 10 Thin Kernel
  • 29. Possible Use Cases ● Experimental module/patch test bed ● Environment for other OSes ● Educational purpose
  • 30. FreeBSD binary on Linux 01000110011100100110010101100101010000100101001101000100
  • 31. Why it is not possible: Scene 1 Kernel mov 0x1, %rax syscall (translate: I want to exit)
  • 32. Why it is not possible: Scene 2 Kernel ...you want to write? nothing specialsys_write()
  • 33. Why it is not possible: Scene 3 Kernel (Eventually) SIGSEGV End of life but no exit ...what’s wrong with this process?
  • 34. Kernel Recall: Kernel Detouring detour.ko (namespace- aware) Kernel Space User Space Normal Process Container func() func()
  • 35. Why it IS possible now: Scene 1 Kernel mov 0x1, %rax syscall (translate: I want to exit) Container
  • 36. Container Why it IS possible now: Scene 2 Kernel detour.ko (namespace- aware) system call table system call table for FreeBSD #1 is sys_write, so … ...wait, this is a FreeBSD container!
  • 37. Container Why it IS possible now: Scene 3 Kernel detour.ko (namespace- aware)sys_exit() system call table for FreeBSD
  • 38. Specific Challenges ( FreeBSD ) ● Corresponding system calls – Flag numbers are not portable – different calling/exiting conventions ● Unique system calls – Re-implementation
  • 39. General Challenges ● Insufficient isolation ● Limitation of development – live patching should only be a temp. solution
  • 40. Other Binary Compatibility Work ● Wine – Special loader for PEs/DLLs ● FreeBSD, Windows 10 – Kernel built-in compatibility layer for Linux binary – System call remapping/re-implementation
  • 41. How?
  • 42. Step 0: Setup ● Environment ( x86_64 machine ) – Linux 4.6.2 – FreeBSD 10.2 ● Tools – kpatch: A tool for kernel livepatch – docker
  • 43. Step 1: From LivePatching to Detouring kernel/livepatch/core.c.orig:klp_ftrace_handler klp_arch_set_pc(regs, (unsigned long)func->new_func); kernel/livepatch/core.c:klp_ftrace_handler klp_arch_set_pc(regs, (is_freebsd_container()) ? (unsigned long)func->new_func : (unsigned long)ip+5);
  • 44. Ftrace in LivePatching old_func() 0x1230 call __fentry__ 0x1235 push %rbp 0x1236 mov %rsp, %rbp 0x1239 push %r15 ... new_func() 0x2230 call __fentry__ 0x2235 push %rbp 0x2236 mov %rsp, %rbp 0x2239 push %r14 ... ftrace handler IP func->new_func
  • 45. Ftrace in Detouring old_func() 0x1230 call __fentry__ 0x1235 push %rbp 0x1236 mov %rsp, %rbp 0x1239 push %r15 ... new_func() 0x2230 call __fentry__ 0x2235 push %rbp 0x2236 mov %rsp, %rbp 0x2239 push %r14 ... ftrace handler IP IP+5 func->new_func
  • 46. Step 2: Detour-able Entry Point arch/x86/entry/entry_64.S.orig: ENTRY(entry_SYSCALL_64) … call *sys_call_table(, %rax, 8) void detour_entry() { … asm("jmp *sys_call_table(, %rax, 8)"); } arch/x86/entry/entry_64.S: ENTRY(entry_SYSCALL_64) … call detour_entry Assembly file is NOT detour-able! In some C source file
  • 47. Step 3: Detoured Entry Point void detour_entry() ... asm("jmp *sys_call_table(, %rax, 8)"); void detour_entry() ... asm("mov fbd_table(, %rax, 8), %rax"); asm("jmp *sys_call_table(, %rax, 8)"); asmlinkage const long long fbd_table[] = {0,60,57,...}; EXPORT_SYMBOL(fbd_table); remapping syscall#
  • 48. The work flow 1. Launch a normal container 2. Run a init script 1. which enables the specific detour modules 3. A FreeBSD environment in the container 4. On exit 1. disable detour modules
  • 49. DEMO!
  • 50. Conclusion ● The kernel detouring demo attempts to indicate the possibility of the development of OS containers – as a proof-of-concept – kpatch as a temp. solution ● Future direction – Make more fun
  • 51. Q & A
  • 52. Behind the scenes ● How to implement the is_freebsd_container() function? ● How was the ContainerCon Japan?