EPIC: uprobe

[tamemo99]

Schwierigkeit: methoden finden
bpfdroid paper lesen: .oat and .so files, pages 7-9

Edit by @fhilgers:

As a PO I want to trace arbitrary function calls from programs running on the device.

Acceptance criteria:

• Retrieving memory addresses to attach uprobe ebpf programs

Further tickets:

• Writing uprobe ebpf programs that export information
• Loading and configuring them via the daemon

[fhilgers]

We definitely have to split this task up a lot.

For research:

• Read the pages in the paper
• Read the code from the paper

Then the actual implementation are multiple parts as well:

1. Getting the right symbols this happens outside of ebpf)
2. Actually tracing those (inside ebpf)

The implementation of the paper gets symbols from shared libraries (.so) files and .oat files.

• Find a list of shared libraries on the system
• getting oat files from zygote

The bpfroid repository (from the paper) has shell scripts:

• Get the scripts to work as sanity check (https://github.com/yanivagman/BPFroid/tree/main/utils)

Afterwards we have to decide whether we want to offer the capabilities for finding available uprobe entries while the loader is running, or whether that happens as part of generating a configuration.

I suggest:

1. Find methods via script outside of the actual process via adb and make them available to the daemon via a config or settings file
2. Call external programs which are on android devices in our loader for retrieving methods (oatdump).
3. Write a library to the the methods without external program calls

We should start with 1 and defer 2 and 3 to new tickets.

[der-whity]

In the BPFroid repo the mentioned scripts for searching symbols are implemented in go in the tracee.go file (https://github.com/yanivagman/BPFroid/tree/main/tracee/tracee.go) in the function initLibBases.
We could follow that. It works as follows:

1. find the zygote-process so you can later calculate the symbols' memory-addresses via a offset from that zygote-base-adress
2. search for .so and .oat files included in the zygote (and therefore in all applications) via /proc/$ZYGOTE_PID/maps
3. calculate the correct addresses and extract the symbols

But with that code - afaik - BPFroid only traces standard-lib methods, which are included in every process. So if we wanted to trace arbitrary methods which aren't included by default, we would have to search every $PID in /proc/$PID/maps

[fhilgers]

We should just start with standard-lib methods and get that working. Afterward we expand to more, but as part of new tickets, so the work is better split up and we have continuous progress.

[tamemo99]

This issue was split in multiple issues:

• Uprobe Analysis: Setup #115
• Uprobe Analysis: Finding Symbols from shared libraries #116
• Uprobe Analysis: Finding Symbols from Dex/Oat #117
• Uprobe Analysis: Setup ebpf uprobes #118
• Uprobe Analysis: Setup ebpf uprobes #118
• Uprobe Analysis: Collect Uprobe events #119
• Uprobe Analysis: Config #120
• Uprobe Analysis: Frontend Show Symbols #121
• Uprobe Analysis: Frontend Show Uprobe Events #122