ptrace

• System call and Kernel feature
• Tracer process is attached on tracee thread
• Tracer sends Signal to tracee: Tracee interrupts with context switch
• Now the tracer can inspect and manipulate the tracee's state
• Tracer lets tracee continue
• What could be done while interrupting?
• Check open file descriptors
• Read/Write register, virtual memory
• Run tracee's code stepwise (gdb)
• Basis for strace, ltrace, GNU Debugger (gdb)
• Problem (Bug): Overhead because of context switches and SysCalls

{s,l,x}trace

• strace: Inspect SysCalls for userspace applications
• Check accessed files (config files, read/write access)
• Why and where is the program stuck?
• Closed source software analysis
• ltrace: Inspect calls on shared libraries
• xtrace: like strace, ltrace
• Example: strace firefox

Tracepoints and Probes

Tracepoints

Probes