hatrace - scripted
- hatrace executable similar to
- Haskell library to write sophisticated scripts
- Get all syscalls in a list and process them programmatically.
- Audit high-assurance software systems.
- Debug difficult bugs that occur only in certain rare situations.
- Change the results of system calls as seen by the traced program.
- Bug reproducers
- Demonstrate how a program fails when a given syscall returns certain data.
- Kill your build tool at the 3rd write() syscall to an .o file, checking whether it will recover from that in the next run.
- Write test suites that assert how your code uses system calls, for correctness or performance.
- Mock syscalls to test how your program would behave in situations that are difficult to create in the real world.
- Implement anomaly test suites like sqlite does, exhaustively testing whether your program can recover from a crash in any syscall.
- Insert garbage data into the program by changing syscall results or directly changing its memory contents.
- Speed up your fuzzing by having full insight into the fuzzed program's behaviour.
- Adding features to existing programs
- Add "magic" support for new file systems without modifying existing programs (like this paper shows).
- Add logging capabilities to programs that were designed without.
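The "kill your build tool at the 3rd write() syscall to an .o file" reproducer above rests on plain ptrace. The sketch below is an added example in C, not hatrace's Haskell API or code from the project; the function names are hypothetical, and it assumes x86-64 Linux with /proc mounted and traces only the direct child.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Does fd of the stopped tracee point at a path ending in suffix? */
static int fd_has_suffix(pid_t pid, int fd, const char *suffix) {
    char link[64], path[4096];
    snprintf(link, sizeof link, "/proc/%d/fd/%d", (int)pid, fd);
    ssize_t len = readlink(link, path, sizeof path);
    size_t slen = strlen(suffix);
    return len >= (ssize_t)slen && memcmp(path + len - slen, suffix, slen) == 0;
}

/* Run argv under ptrace and SIGKILL it on entry to its nth write() to a path ending
 * in suffix. Returns matching writes seen (n = killed), -1 on error. x86-64 Linux. */
int kill_at_nth_write(char *const argv[], const char *suffix, int n) {
    int status, seen = 0, entering = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        execvp(argv[0], argv);   /* a successful exec stops the child with SIGTRAP */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    for (long sig = 0;;) {
        ptrace(PTRACE_SYSCALL, pid, NULL, (void *)sig);
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (!WIFSTOPPED(status)) return seen;       /* tracee exited on its own */
        int stop = WSTOPSIG(status);
        sig = (stop & 0x7f) == SIGTRAP ? 0 : stop;  /* forward real signals only */
        if (stop != (SIGTRAP | 0x80)) continue;     /* not a syscall stop */
        if (!(entering = !entering)) continue;      /* skip syscall-exit stops */
        struct user_regs_struct regs;
        ptrace(PTRACE_GETREGS, pid, NULL, &regs);
        if (regs.orig_rax == SYS_write && fd_has_suffix(pid, (int)regs.rdi, suffix)
            && ++seen == n) {
            kill(pid, SIGKILL);                     /* the write never executes */
            waitpid(pid, &status, 0);
            return seen;
        }
    }
}
```

A return value equal to n means the tracee was killed at that write; a smaller value means it finished before reaching it.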
Work in progress
This software is work in progress.
The hatrace executable is extremely basic and can't do much.
While syscall names are automatically generated, detail data needs to be implemented by hand and is done for only a few so far. Help to add more is appreciated.
However, the Haskell API to write scripts can already do a lot. Take a look at the test suite for examples.
TODO list for contributors
If you find any of the topics below interesting, give it a shot! It is recommended to file an issue when picking up one of the tasks, to avoid duplicate work.
- Implement all the syscalls
- Remembering syscall arguments in a PID/TID map
- Support for
- reading tracee memory more efficiently (see how strace does it
- Helpers for modifying memory
- One real-world example each for the use cases on
- JSON output
- Coloured output
- special run modes tailored to specific tasks (e.g. execve tree)
- Show hanging syscalls
- Filter away GHC's spammy output around
- Support for setting options (for example enabling/disabling tracing into subprocesses, like
- Equivalent to strace -y (tracking origin of file descriptors, printing paths)
- Equivalent to strace -c (keeping counts, summary statistics)
- Something similar to strace -y but telling which PID is which executable from
- Extraction of PTRACE_EVENT detail information (see section man 2 ptrace)
- Filtering based on string buffer contents
- PID remapping (e.g. to a range starting from 0) for better diffability of the output of multiple runs
- Handling of exit() of the direct child (grand-child daemonisation)
- Don't die on EIO when the tracee passes invalid memory to the kernel; instead, peek only what's possible and print some info. That makes it possible to correctly trace processes that rely on e.g.
- Re-using strace's test suite for per-syscall tests
- other TODOs in the code
- Use it to do specific investigations in other programs:
- investigate big GHC linker speed differences