Ptrace
Encyclopedia
ptrace is a system call
found in several Unix
and Unix-like
operating system
s. By using ptrace (the name is an abbreviation of "process trace") one process
can control another, enabling the controller to inspect and manipulate the internal state of its target. ptrace is used by debugger
s and other code-analysis tools, mostly as aids to software development.
and dbx), by tracing tools like strace
and ltrace
, and by code coverage
tools. ptrace is also used by specialised programs to patch running programs, to avoid unfixed bugs or to overcome security features.
By attaching to another process using the ptrace call, a tool has extensive control over the operation of its target. This includes manipulation of its file descriptor
s, memory, and registers
. It can single-step through the target's code, can observe system calls and their results, and can manipulate the target's signal
handlers and both receive and send signals on its behalf. The ability to write into the target's memory allows not only its data store to be changed, but also the applications own code segment
, allowing the controller to install breakpoint
s and patch the running code of the target.
As the ability to inspect and alter another process is very powerful, ptrace can attach only to processes that the owner can send signals to (typically only their own processes); the superuser
account can ptrace almost any process (except init
). In Linux systems that feature capabilities based security, the ability to ptrace is further limited by the CAP_SYS_PTRACE capability. In FreeBSD
, it's limited by FreeBSD jail
s and Mandatory Access Control
policies.
es per call); this is acutely inefficient when accessing large amounts of the target's memory, as this can only be done in word sized blocks (with a ptrace call for each word). For this reason the 8th edition of Unix introduced procfs
, which allows permitted processes direct access to the memory of another process - 4.4BSD followed, and the use of /proc for debugger support was inherited by Solaris, BSD, and AIX, and mostly copied by Linux. Some, such as Solaris, have removed ptrace as a system call altogether, retaining it as a library call that reinterprets calls to ptrace in terms of the platform's procfs. Such systems use ioctl
s on the file descriptor
of the opened /proc file to issue commands to the controlled process. FreeBSD
, on the other hand, extended ptrace to remove mentioned problems, and declared procfs
obsolete due to its inherent design problems.
ptrace only provides the most basic interface necessary to support debuggers and similar tools. Programs using it must have intimate knowledge of the specifics of the OS and architecture, including stack layout, application binary interface
, system call
mechanism, name mangling
, the format of any debug data
, and are responsible for understanding and disassembling machine code
themselves. Further, programs that inject executable code into the target process or (like gdb) allow the user to enter commands that are executed in the context of the target must generate and load that code themselves, generally without the help of the program loader
.
, and was present in both the SVr4 and 4.3BSD branches of Unix. ptrace is available as a system call on IRIX
, IBM AIX, NetBSD
, FreeBSD
, OpenBSD
, and Linux
. ptrace is implemented as a library call on Solaris, built on the Solaris kernel's procfs filesystem; Sun notes that ptrace on Solaris is intended for compatibility, and recommends that new implementations use the richer interface that proc supplies instead. UnixWare
also features a limited ptrace but like Sun, SCO recommends implementers use the underlying procfs features instead. HP-UX
supported ptrace until release 11i v3 (it was deprecated in favour of ttrace, a similar OS-specific call, in 11i v1). Starting in Ubuntu 10.10 ptrace is only allowed to be called on child processes.
Apple's Mac OS X
also implements ptrace as a system call. Apple's version adds a special option PT_DENY_ATTACH - if a process invokes this option on itself, subsequent attempts to ptrace the process will fail. Apple uses this feature to limit the use of debuggers on programs that manipulate DRM
-ed content, including iTunes
. PT_DENY_ATTACH on also disables DTrace
's ability to monitor the process. Debuggers on OS X typically use a combination of ptrace and the Mach
VM and thread APIs. ptrace (again with PT_DENY_ATTACH) is available to developers for the Apple iPhone
.
Linux also gives processes the ability to prevent other processes from attaching them. Processes can call the prctl syscall and clear their PR_SET_DUMPABLE flag; in later kernels this prevents non-root processes from ptracing the calling process; the OpenSSH
authentication agent uses this mechanism to prevent ssh session hijacking via ptrace. Later Ubuntu versions ship with a Linux kernel configured to prevent ptrace attaches from processes other than the traced process' parent; this allows gdb and strace to continue to work when running a target process, but prevents them from attaching to an unrelated running process. Control of this feature is performed via the /proc/sys/kernel/yama/ptrace_scope setting.
System call
In computing, a system call is how a program requests a service from an operating system's kernel. This may include hardware related services , creating and executing new processes, and communicating with integral kernel services...
found in several Unix
Unix
Unix is a multitasking, multi-user computer operating system originally developed in 1969 by a group of AT&T employees at Bell Labs, including Ken Thompson, Dennis Ritchie, Brian Kernighan, Douglas McIlroy, and Joe Ossanna...
and Unix-like
Unix-like
A Unix-like operating system is one that behaves in a manner similar to a Unix system, while not necessarily conforming to or being certified to any version of the Single UNIX Specification....
operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
s. By using ptrace (the name is an abbreviation of "process trace") one process
Process (computing)
In computing, a process is an instance of a computer program that is being executed. It contains the program code and its current activity. Depending on the operating system , a process may be made up of multiple threads of execution that execute instructions concurrently.A computer program is a...
can control another, enabling the controller to inspect and manipulate the internal state of its target. ptrace is used by debugger
Debugger
A debugger or debugging tool is a computer program that is used to test and debug other programs . The code to be examined might alternatively be running on an instruction set simulator , a technique that allows great power in its ability to halt when specific conditions are encountered but which...
s and other code-analysis tools, mostly as aids to software development.
Uses
ptrace is used by debuggers (such as gdbGNU Debugger
The GNU Debugger, usually called just GDB and named gdb as an executable file, is the standard debugger for the GNU software system. It is a portable debugger that runs on many Unix-like systems and works for many programming languages, including Ada, C, C++, Objective-C, Free Pascal, Fortran, Java...
and dbx), by tracing tools like strace
Strace
strace is a debugging utility for Linux and some other Unix-like systems to monitor the system calls used by a program and all the signals it receives, similar to "truss" utility in other Unix systems...
and ltrace
Ltrace
ltrace is a debugging utility in Linux to monitor the library calls used by a program and all the signals it receives. It can also show system calls, used by a program.- See also :* strace - system call tracer for linux* ktrace - system call tracer for *BSD...
, and by code coverage
Code coverage
Code coverage is a measure used in software testing. It describes the degree to which the source code of a program has been tested. It is a form of testing that inspects the code directly and is therefore a form of white box testing....
tools. ptrace is also used by specialised programs to patch running programs, to avoid unfixed bugs or to overcome security features.
By attaching to another process using the ptrace call, a tool has extensive control over the operation of its target. This includes manipulation of its file descriptor
File descriptor
In computer programming, a file descriptor is an abstract indicator for accessing a file. The term is generally used in POSIX operating systems...
s, memory, and registers
Processor register
In computer architecture, a processor register is a small amount of storage available as part of a CPU or other digital processor. Such registers are addressed by mechanisms other than main memory and can be accessed more quickly...
. It can single-step through the target's code, can observe system calls and their results, and can manipulate the target's signal
Signal (computing)
A signal is a limited form of inter-process communication used in Unix, Unix-like, and other POSIX-compliant operating systems. Essentially it is an asynchronous notification sent to a process in order to notify it of an event that occurred. When a signal is sent to a process, the operating system...
handlers and both receive and send signals on its behalf. The ability to write into the target's memory allows not only its data store to be changed, but also the applications own code segment
Code segment
In computing, a code segment, also known as a text segment or simply as text, is one of the sections of a program in an object file or in memory, which contains executable instructions....
, allowing the controller to install breakpoint
Breakpoint
In software development, a breakpoint is an intentional stopping or pausing place in a program, put in place for debugging purposes. It is also sometimes simply referred to as a pause....
s and patch the running code of the target.
As the ability to inspect and alter another process is very powerful, ptrace can attach only to processes that the owner can send signals to (typically only their own processes); the superuser
Superuser
On many computer operating systems, the superuser is a special user account used for system administration. Depending on the operating system, the actual name of this account might be: root, administrator or supervisor....
account can ptrace almost any process (except init
Init
init is a program for Unix-based computer operating systems that spawns all other processes. It runs as a daemon and typically has PID 1. The boot loader starts the kernel and the kernel starts init...
). In Linux systems that feature capabilities based security, the ability to ptrace is further limited by the CAP_SYS_PTRACE capability. In FreeBSD
FreeBSD
FreeBSD is a free Unix-like operating system descended from AT&T UNIX via BSD UNIX. Although for legal reasons FreeBSD cannot be called “UNIX”, as the direct descendant of BSD UNIX , FreeBSD’s internals and system APIs are UNIX-compliant...
, it's limited by FreeBSD jail
FreeBSD Jail
The FreeBSD jail mechanism is an implementation of operating system-level virtualization that allows administrators to partition a FreeBSD-based computer system into several independent mini-systems called jails....
s and Mandatory Access Control
Mandatory access control
In computer security, mandatory access control refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target...
policies.
Limitations
Communications between the controller and target take place using repeated calls of ptrace, passing a small fixed-size block of memory between the two (necessitating two context switchContext switch
A context switch is the computing process of storing and restoring the state of a CPU so that execution can be resumed from the same point at a later time. This enables multiple processes to share a single CPU. The context switch is an essential feature of a multitasking operating system...
es per call); this is acutely inefficient when accessing large amounts of the target's memory, as this can only be done in word sized blocks (with a ptrace call for each word). For this reason the 8th edition of Unix introduced procfs
Procfs
procfs is a special filesystem in UNIX-like operating systems that presents information about processes and other system information in a hierarchical file-like structure, providing a more convenient and standardized method for dynamically accessing process data held in the kernel than traditional...
, which allows permitted processes direct access to the memory of another process - 4.4BSD followed, and the use of /proc for debugger support was inherited by Solaris, BSD, and AIX, and mostly copied by Linux. Some, such as Solaris, have removed ptrace as a system call altogether, retaining it as a library call that reinterprets calls to ptrace in terms of the platform's procfs. Such systems use ioctl
Ioctl
In computing, ioctl, short for input/output control, is a system call for device-specific operations and other operations which cannot be expressed by regular system calls. It takes a parameter specifying a request code; the effect of a call depends completely on the request code. Request codes are...
s on the file descriptor
File descriptor
In computer programming, a file descriptor is an abstract indicator for accessing a file. The term is generally used in POSIX operating systems...
of the opened /proc file to issue commands to the controlled process. FreeBSD
FreeBSD
FreeBSD is a free Unix-like operating system descended from AT&T UNIX via BSD UNIX. Although for legal reasons FreeBSD cannot be called “UNIX”, as the direct descendant of BSD UNIX , FreeBSD’s internals and system APIs are UNIX-compliant...
, on the other hand, extended ptrace to remove mentioned problems, and declared procfs
Procfs
procfs is a special filesystem in UNIX-like operating systems that presents information about processes and other system information in a hierarchical file-like structure, providing a more convenient and standardized method for dynamically accessing process data held in the kernel than traditional...
obsolete due to its inherent design problems.
ptrace only provides the most basic interface necessary to support debuggers and similar tools. Programs using it must have intimate knowledge of the specifics of the OS and architecture, including stack layout, application binary interface
Application binary interface
In computer software, an application binary interface describes the low-level interface between an application program and the operating system or another application.- Description :...
, system call
System call
In computing, a system call is how a program requests a service from an operating system's kernel. This may include hardware related services , creating and executing new processes, and communicating with integral kernel services...
mechanism, name mangling
Name mangling
In compiler construction, name mangling is a technique used to solve various problems caused by the need to resolve unique names for programming entities in many modern programming languages....
, the format of any debug data
Debugging data format
A debugging data format is a means of storing information about a compiled computer program for use by high-level debuggers. Modern debugging data formats store enough information to allow source-level debugging....
, and are responsible for understanding and disassembling machine code
Machine code
Machine code or machine language is a system of impartible instructions executed directly by a computer's central processing unit. Each instruction performs a very specific task, typically either an operation on a unit of data Machine code or machine language is a system of impartible instructions...
themselves. Further, programs that inject executable code into the target process or (like gdb) allow the user to enter commands that are executed in the context of the target must generate and load that code themselves, generally without the help of the program loader
Loader (computing)
In computing, a loader is the part of an operating system that is responsible for loading programs. It is one of the essential stages in the process of starting a program, as it places programs into memory and prepares them for execution...
.
Support
ptrace was first implemented in Seventh Edition UnixVersion 7 Unix
Seventh Edition Unix, also called Version 7 Unix, Version 7 or just V7, was an important early release of the Unix operating system. V7, released in 1979, was the last Bell Laboratories release to see widespread distribution before the commercialization of Unix by AT&T in the early 1980s...
, and was present in both the SVr4 and 4.3BSD branches of Unix. ptrace is available as a system call on IRIX
IRIX
IRIX is a computer operating system developed by Silicon Graphics, Inc. to run natively on their 32- and 64-bit MIPS architecture workstations and servers. It was based on UNIX System V with BSD extensions. IRIX was the first operating system to include the XFS file system.The last major version...
, IBM AIX, NetBSD
NetBSD
NetBSD is a freely available open source version of the Berkeley Software Distribution Unix operating system. It was the second open source BSD descendant to be formally released, after 386BSD, and continues to be actively developed. The NetBSD project is primarily focused on high quality design,...
, FreeBSD
FreeBSD
FreeBSD is a free Unix-like operating system descended from AT&T UNIX via BSD UNIX. Although for legal reasons FreeBSD cannot be called “UNIX”, as the direct descendant of BSD UNIX , FreeBSD’s internals and system APIs are UNIX-compliant...
, OpenBSD
OpenBSD
OpenBSD is a Unix-like computer operating system descended from Berkeley Software Distribution , a Unix derivative developed at the University of California, Berkeley. It was forked from NetBSD by project leader Theo de Raadt in late 1995...
, and Linux
Linux
Linux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...
. ptrace is implemented as a library call on Solaris, built on the Solaris kernel's procfs filesystem; Sun notes that ptrace on Solaris is intended for compatibility, and recommends that new implementations use the richer interface that proc supplies instead. UnixWare
UnixWare
UnixWare is a Unix operating system maintained by The SCO Group . UnixWare is typically deployed as a server rather than desktop. Binary distributions of UnixWare are available for x86 architecture computers. It was originally released by Univel, a jointly owned venture of AT&T's Unix System...
also features a limited ptrace but like Sun, SCO recommends implementers use the underlying procfs features instead. HP-UX
HP-UX
HP-UX is Hewlett-Packard's proprietary implementation of the Unix operating system, based on UNIX System V and first released in 1984...
supported ptrace until release 11i v3 (it was deprecated in favour of ttrace, a similar OS-specific call, in 11i v1). Starting in Ubuntu 10.10 ptrace is only allowed to be called on child processes.
Apple's Mac OS X
Mac OS X
Mac OS X is a series of Unix-based operating systems and graphical user interfaces developed, marketed, and sold by Apple Inc. Since 2002, has been included with all new Macintosh computer systems...
also implements ptrace as a system call. Apple's version adds a special option PT_DENY_ATTACH - if a process invokes this option on itself, subsequent attempts to ptrace the process will fail. Apple uses this feature to limit the use of debuggers on programs that manipulate DRM
Digital rights management
Digital rights management is a class of access control technologies that are used by hardware manufacturers, publishers, copyright holders and individuals with the intent to limit the use of digital content and devices after sale. DRM is any technology that inhibits uses of digital content that...
-ed content, including iTunes
ITunes
iTunes is a media player computer program, used for playing, downloading, and organizing digital music and video files on desktop computers. It can also manage contents on iPod, iPhone, iPod Touch and iPad....
. PT_DENY_ATTACH on also disables DTrace
DTrace
DTrace is a comprehensive dynamic tracing framework created by Sun Microsystems for troubleshooting kernel and application problems on production systems in real time...
's ability to monitor the process. Debuggers on OS X typically use a combination of ptrace and the Mach
Mach (kernel)
Mach is an operating system kernel developed at Carnegie Mellon University to support operating system research, primarily distributed and parallel computation. Although Mach is often mentioned as one of the earliest examples of a microkernel, not all versions of Mach are microkernels...
VM and thread APIs. ptrace (again with PT_DENY_ATTACH) is available to developers for the Apple iPhone
IPhone
The iPhone is a line of Internet and multimedia-enabled smartphones marketed by Apple Inc. The first iPhone was unveiled by Steve Jobs, then CEO of Apple, on January 9, 2007, and released on June 29, 2007...
.
Linux also gives processes the ability to prevent other processes from attaching them. Processes can call the prctl syscall and clear their PR_SET_DUMPABLE flag; in later kernels this prevents non-root processes from ptracing the calling process; the OpenSSH
OpenSSH
OpenSSH is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol...
authentication agent uses this mechanism to prevent ssh session hijacking via ptrace. Later Ubuntu versions ship with a Linux kernel configured to prevent ptrace attaches from processes other than the traced process' parent; this allows gdb and strace to continue to work when running a target process, but prevents them from attaching to an unrelated running process. Control of this feature is performed via the /proc/sys/kernel/yama/ptrace_scope setting.