
Memory access tracing [poug17]

Tracking userspace memory access (data) of an Oracle database:
- Memory address
- Function name
- Instruction address
- Memory content
- Memory access mode (read/write)


  1. MEMORY ACCESS TRACING/PROFILING. Hatem Mahmoud, https://mahmoudhatem.wordpress.com. High Five POUG.
  2. WHO AM I
     - Oracle DBA
     - Oracle experience: 6 years
     - Located in Tunisia
     - Oracle Certified Master
     - Oracle geek
     - https://mahmoudhatem.wordpress.com
  3. WHAT THIS PRESENTATION IS NOT ABOUT
  4. WHAT THIS PRESENTATION IS ABOUT
     - It's not about: studying memory access patterns / latency / data locality problems (memory hierarchy) / cache optimization / reducing memory stall cycles.
     - It's about: tracking userspace memory access (data) of an Oracle database: memory address, function name, instruction address, memory content, memory access mode (read/write).
  5. FOR WHAT PURPOSE? Researching Oracle internals (beyond C function call tracing) / reverse engineering. Useful for:
     - Building performance monitoring/auditing tools (interfacing with the Oracle database)
     - Security analysis (e.g. assessing the security of the DB link password stored in « sys.link$ »)
     - Etc.
  6. HIGHLIGHTS
     - Virtual memory
     - Memory access tracing/profiling
     - Use cases/examples
     All the concepts, tools and examples described here are specific to Linux and the x86_64 architecture.
  7. VIRTUAL MEMORY
  8. VIRTUAL MEMORY. Virtual memory is an abstraction of main memory. Each process runs in its own large, linear and private address space. Virtual memory is made possible by support in both the processor and the operating system. [Figure: virtual memory of process 1 and process 2]
  9. PROCESS ADDRESS SPACE. Linux organizes the virtual memory as a collection of areas (also called segments).
  10. PROCESS ADDRESS SPACE (PIE DISABLED). [Figure: address space layout with ASLR enabled and PIE disabled]
  11. PROCESS ADDRESS SPACE (PIE DISABLED). [Figure: process 1 and process 2 address spaces compared, area by area (= / ≠)]
  12. MEMORY ACCESS TRACING/PROFILING
  13. HARDWARE BREAKPOINT
     - Provides an elegant mechanism to monitor memory access.
     - Makes use of dedicated registers and hence is limited in number.
     x86 debug registers (https://en.wikipedia.org/wiki/X86_debug_register):
     - DR0 to DR3: virtual memory address of the desired watchpoint
     - DR4 and DR5: obsolete synonyms for DR6 and DR7
     - DR6: status register, information about the last breakpoint hit
     - DR7: control register [local and global enables / memory access type / memory access length (1, 2, 4, 8 bytes)]
  14. HARDWARE BREAKPOINT
     SystemTap syntax:
     - probe kernel.data(ADDRESS).write
     - probe kernel.data(ADDRESS).rw
     - probe kernel.data(ADDRESS).length(LEN).write
     - probe kernel.data(ADDRESS).length(LEN).rw
     Perf syntax:
     - mem:<addr>[:access] [hardware breakpoint]
  15. INTEL PIN. Pin is a dynamic binary instrumentation (DBI) framework. PinTools are programmable instrumentation tools (C, C++, assembly). Benefits:
     - Insert arbitrary code into a working user program.
     - No change or recompilation of source code.
     - Attach to a running process.
     - Rich API that abstracts away the underlying instruction set (instrument a class of instructions).
  16. DYNAMIC TRACING MODE: JIT MODE
     - Pin injects some dynamic libraries into the address space of the target application to gain control of the execution (relies on the ptrace system call).
     - Instruments binary code right before it runs.
  17. PINATRACE.SO: TRACING MEMORY ACCESS. The pin tool « pinatrace.so »:
     - Generates a trace of all memory addresses referenced by a program.
     - Instruments instructions that read or write memory.
     - Syntax: pin -pid 9266 -t pinatrace.so
  18. PINATRACE.SO: TRACING MEMORY ACCESS
  19. PINATRACE ORACLE ANNOTATE TOOL. Changes the function addresses to function names, and the memory addresses to named memory locations whenever possible! Pinatrace oracle annotate by Frits Hoogland: https://fritshoogland.wordpress.com/2016/11/18/advanced-oracle-memory-profiling-using-pin-tool-pinatrace/
  20. EX1: TRACKING FUNCTIONS WHERE DATA OF INTEREST IS HANDLED. A simple, stupid C program « ./hello_world » that prints « Hello, World! » when executed. How can we check in which function this happens?
  21. EX1: TRACKING FUNCTIONS WHERE DATA OF INTEREST IS HANDLED. Let's track where this happens using the Intel Pin tool « pinatrace.so ».
  22. EX1: TRACKING FUNCTIONS WHERE DATA OF INTEREST IS HANDLED
  23. EX2: TRACKING FUNCTIONS WHERE DATA OF INTEREST IS HANDLED. « Client_pass », a C program that asks for a password to execute! How can we hack the password? HINT: the password is stored in clear text.
  24. EX2: TRACKING FUNCTIONS WHERE DATA OF INTEREST IS HANDLED. Not enough! We need the full call stack for deeper analysis!
  25. DEBUGTRACE.SO: TRACING MEMORY/CALL/INSTRUCTION. The pin tool « debugtrace.so » is designed to help debugging. Pin tool switches:
     - call [default 1]: trace calls
     - instruction [default 0]: trace instructions
     - memory [default 0]: trace memory
     - symbols [default 1]: include symbol information
  26. EX2: TRACKING FUNCTIONS WHERE DATA OF INTEREST IS HANDLED
     - Memory/call tracing: (debugtrace.so -memory)
     - Memory/call/instruction tracing: (debugtrace.so -instruction -memory)
  27. EX2: TRACKING FUNCTIONS WHERE DATA OF INTEREST IS HANDLED
  28. EX2: TRACKING FUNCTIONS WHERE DATA OF INTEREST IS HANDLED. Shared memory segment mapped at address 0x0000000060001000.
  29. ORACLE USE CASES. No assembly code here! I swear! (More detail in my blog.)
  30. I- LATCH MONITORING TOOLS
     - Latch call graph
     - Extracting latch holder info from SGA
     Test env: Oracle 12.2.0.1 / OEL6 / UEK4
  31. LATCHES
     - Latches are very low-level locks.
     - Every latch is just a memory structure in the SGA.
     - There are dedicated latch functions in KSL (e.g. ksl_get_shared_latch), but latches can also be acquired/released inside functions like kcbgtcr (consistent get) or kcbgcur (current get) without dedicated calls to ksl* functions.
  32. LATCHES. Watching an ultra-fast latch in action (cache buffers chains latch): perf record -e mem:0x000000009F668880:w -p 9154
  33. LATCHES. Watching an ultra-fast latch in action (cache buffers chains latch). [Figure: shared latch memory layout: nproc, flag, gets, latch#]
  34. LATCHES. Getting latch holder info out of the state objects in SGA memory, based on the work of Andrey Nikolaev: V$LATCHHOLDER scans through the process state object array (V$PROCESS/X$KSUPR) and looks into a field there which points to the latch held by a process (http://tech.e2sn.com/oracle/troubleshooting/latch-contention-troubleshooting). Use Intel Pin tools (pinatrace.so / debugtrace.so) and gdb to analyze what's going on under the hood.
  35. THE TOOLS
  36. LATCH CALL GRAPH
  37. TROUBLESHOOTING LATCH CONTENTION: latch call graph. Extract from the latch call graph after a COMMIT was issued.
  38. EXTRACTING LATCH HOLDER INFO FROM SGA
  39. EXTRACTING LATCH HOLDER INFO FROM SGA. A C program that extracts latch holder info out of the state objects in SGA memory. Can be enhanced to sample the latch state objects at high frequency and present a profile of latches held with extended info.
  40. II- PASSWORD HACKING
     - Extracting DB_LINK password
     - Extracting any user password
     - Reverse engineering DB link password decryption in PL/SQL
     Test env: Oracle 12.1.0.2.6 | 12.2.0.1 / OEL6 / UEK4
  41. EXTRACTING DB_LINK PASSWORD. Starting with version 11.2.0.4, and also in 12c, it is no longer possible to supply the obfuscated password using a BY VALUES clause when creating a database link; this is only allowed from a Data Pump import. ORA-02153: Invalid VALUES Password String When Creating a Database Link Using BY VALUES With Obfuscated Password After Upgrade To 11.2.0.4 (Doc ID 1905221.1).
  42. EXTRACTING DB_LINK PASSWORD. Extracting the database link password from function "r0_aes_cbc_loop_enc_x86_intel".
  43. EXTRACTING ANY USER PASSWORD
  44. EXTRACTING ANY USER PASSWORD. We will have to attach Intel Pin tools to the process just after its creation! Suspending a newly forked Oracle process.
  45. EXTRACTING ANY USER PASSWORD
  46. REVERSE ENGINEERING DB LINK PASSWORD DECRYPTION IN PL/SQL. Password decrypted using r0_AES_CBC_loop_dec_x86_intel (Advanced Encryption Standard in CBC mode).
  47. REVERSE ENGINEERING DB LINK PASSWORD DECRYPTION IN PL/SQL. To decrypt the password we need three parameters.
  48. REVERSE ENGINEERING DB LINK PASSWORD DECRYPTION IN PL/SQL. These parameters depend on:
     - "PASSWORDX" from "sys.link$"
     - Variable "ztcshpl_v6" (database independent)
     - NO_USERID_VERIFIER_SALT from SYS.PROPS$ (database dependent)
  49. REVERSE ENGINEERING DB LINK PASSWORD DECRYPTION IN PL/SQL
  50. REVERSE ENGINEERING DB LINK PASSWORD DECRYPTION IN PL/SQL. The procedure "db_link_password_decrypt" takes two parameters:
     - NO_USERID_VERIFIER_SALT of your database
     - PASSWORDX from sys.link$
  51. REVERSE ENGINEERING DB LINK PASSWORD DECRYPTION IN PL/SQL
  52. Thank you for your attention
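Worked example added after the deck for slides 9 to 11 (process address space, PIE, ASLR). It is not code from the presentation: it walks this process's own /proc/self/maps to list the areas (segments) Linux manages, reads the ELF header of /proc/self/exe to tell a fixed-address executable (ET_EXEC, the "PIE disabled" layout of slides 10 and 11) from a PIE one (ET_DYN), and reports the kernel's randomize_va_space setting. All function and struct names are our own; Linux x86_64 only.

```c
/* Added example (not from the presentation): inspect this process's own
 * address space the way slides 9-11 describe it. Linux only. */
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One area of /proc/self/maps: "start-end perms offset dev inode path" */
struct mapping {
    unsigned long start, end;
    char perms[5];
    char path[256];
};

/* Parse /proc/self/maps into out[]; returns the number of areas, -1 on error. */
static int read_mappings(struct mapping *out, int max)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512];
    int n = 0;
    while (n < max && fgets(line, sizeof line, f)) {
        struct mapping *m = &out[n];
        m->path[0] = '\0';
        /* offset, dev and inode are skipped with %*s; the path may be absent */
        if (sscanf(line, "%lx-%lx %4s %*s %*s %*s %255s",
                   &m->start, &m->end, m->perms, m->path) >= 3)
            n++;
    }
    fclose(f);
    return n;
}

/* ELF e_type of /proc/self/exe: ET_EXEC (2) = fixed load address, i.e. PIE
 * disabled as on slides 10-11; ET_DYN (3) = PIE, relocated by ASLR. */
static int exe_elf_type(void)
{
    FILE *f = fopen("/proc/self/exe", "rb");
    if (!f) return -1;
    Elf64_Ehdr eh;
    size_t got = fread(&eh, 1, sizeof eh, f);
    fclose(f);
    if (got != sizeof eh || memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0) return -1;
    return eh.e_type;
}

/* /proc/sys/kernel/randomize_va_space: 0 = ASLR off, 1 = stack/mmap/vdso
 * randomized, 2 = brk randomized as well. */
static int aslr_level(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (!f) return -1;
    int level = -1;
    if (fscanf(f, "%d", &level) != 1) level = -1;
    fclose(f);
    return level;
}

/* 1 if an area with exactly this path/name (e.g. "[stack]") is mapped. */
static int has_area(const struct mapping *m, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(m[i].path, name) == 0) return 1;
    return 0;
}

int main(void)
{
    struct mapping maps[512];
    int n = read_mappings(maps, 512);
    if (n < 0) { perror("/proc/self/maps"); return 1; }

    int type = exe_elf_type();
    printf("executable is %s, randomize_va_space=%d\n",
           type == ET_DYN ? "PIE (ET_DYN)" :
           type == ET_EXEC ? "non-PIE (ET_EXEC)" : "unknown", aslr_level());
    printf("%d areas:\n", n);
    for (int i = 0; i < n; i++)
        printf("%016lx-%016lx %s %s\n", maps[i].start, maps[i].end,
               maps[i].perms, maps[i].path);
    return 0;
}
```

Build with `gcc -no-pie` and again without it, and run both: the text, data and heap areas of the non-PIE binary sit at the same low addresses on every run (the `=` side of slide 11), while the stack and shared libraries move (the `≠` side); the PIE binary moves everything.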
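Worked example added for slides 13 and 14 (hardware breakpoints, perf `mem:<addr>:w` syntax). It is not code from the presentation: it uses the Linux perf_event_open(2) interface with PERF_TYPE_BREAKPOINT, which is what the perf command on slide 32 drives underneath, to arm a 4-byte write watchpoint (one of DR0 to DR3, length and type in DR7) on a variable of this same process and read back how many stores hit it. Function and variable names are our own. The syscall is refused in many sandboxes (perf_event_paranoid, seccomp) and hardware watchpoints are missing on some virtualized CPUs; the function returns -1 in that case instead of a count.

```c
/* Added example (not from the presentation): count writes to one variable
 * with a hardware watchpoint opened through perf_event_open. Linux x86_64. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/hw_breakpoint.h>
#include <linux/perf_event.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* The watched location; volatile so every store really reaches memory. */
static volatile uint32_t watched;
static volatile uint32_t unrelated;

/* Open a counting write-watchpoint (":w") on addr, len bytes, for this
 * process on any CPU. Returns the perf fd, or -1 with errno set. */
static int open_write_watchpoint(void *addr, int len)
{
    struct perf_event_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.type = PERF_TYPE_BREAKPOINT;
    attr.size = sizeof attr;
    attr.bp_type = HW_BREAKPOINT_W;            /* access type field of DR7 */
    attr.bp_addr = (uint64_t)(uintptr_t)addr;  /* goes into one of DR0..DR3 */
    attr.bp_len = len;                          /* 1, 2, 4 or 8 bytes (DR7) */
    attr.disabled = 1;                          /* armed explicitly below */
    attr.exclude_kernel = 1;                    /* userspace accesses only */
    attr.exclude_hv = 1;
    return (int)syscall(SYS_perf_event_open, &attr, 0, -1, -1, 0);
}

/* Store n_writes times to `watched` (and as often to `unrelated`) while the
 * watchpoint is armed; return the number of hits the CPU counted, or -1 if
 * the watchpoint could not be set up (no permission, no debug registers). */
long count_writes_to_watched(int n_writes)
{
    int fd = open_write_watchpoint((void *)&watched, HW_BREAKPOINT_LEN_4);
    if (fd < 0) {
        fprintf(stderr, "perf_event_open: %s\n", strerror(errno));
        return -1;
    }
    ioctl(fd, PERF_EVENT_IOC_RESET, 0);
    ioctl(fd, PERF_EVENT_IOC_ENABLE, 0);
    for (int i = 0; i < n_writes; i++) {
        watched = (uint32_t)i;     /* hits the watchpoint */
        unrelated = (uint32_t)i;   /* does not: different address */
    }
    ioctl(fd, PERF_EVENT_IOC_DISABLE, 0);

    long long count = 0;
    if (read(fd, &count, sizeof count) != sizeof count) count = -1;
    close(fd);
    return (long)count;
}

int main(void)
{
    long hits = count_writes_to_watched(5);
    if (hits < 0)
        puts("hardware watchpoint unavailable here");
    else
        printf("5 writes to &watched, %ld counted by the debug register\n", hits);
    return 0;
}
```

Only four such watchpoints exist per hardware thread, which is the "limited in number" caveat of slide 13; to watch more addresses, or a whole structure, one has to fall back to instrumentation such as Pin.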
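Worked example added for slide 19 (the annotate tool) and the EX1 slides 20 to 22 (which function touches a given piece of data). It is not the presentation's code nor Frits Hoogland's tool: it parses trace lines in the `<ip>: R|W <addr>` form that pinatrace.so writes, replaces each instruction address by the enclosing function and each data address by the named area it falls in, and marks every access to one address of interest. The symbol table, the memory areas and the trace lines are constructed here for illustration; for a real process they would come from nm or readelf on the binary, from /proc/<pid>/maps and from the pinatrace output file.

```c
/* Added example (not from the presentation): annotate pinatrace-style lines
 * with function names and memory area names, and flag accesses to one
 * data address of interest. All tables below are constructed. */
#include <stdio.h>
#include <string.h>

struct symbol { const char *name; unsigned long start, size; };
struct area   { const char *name; unsigned long start, end; };

/* constructed symbol table (what nm would give for the traced binary) */
static const struct symbol symbols[] = {
    { "main",        0x400560, 0x40 },
    { "check_input", 0x4005a0, 0x60 },
    { "puts@plt",    0x400430, 0x10 },
};
/* constructed memory areas (what /proc/<pid>/maps would give) */
static const struct area areas[] = {
    { "[stack]",   0x7ffd1c9f0000, 0x7ffd1ca11000 },
    { "[heap]",    0x602000,       0x623000 },
    { "shm (SGA)", 0x60001000,     0x60101000 },  /* address from slide 28 */
};
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Name of the function containing instruction address ip, or "??". */
const char *function_of(unsigned long ip)
{
    for (size_t i = 0; i < N(symbols); i++)
        if (ip >= symbols[i].start && ip < symbols[i].start + symbols[i].size)
            return symbols[i].name;
    return "??";
}

/* Name of the memory area containing data address addr. */
const char *area_of(unsigned long addr)
{
    for (size_t i = 0; i < N(areas); i++)
        if (addr >= areas[i].start && addr < areas[i].end) return areas[i].name;
    return "unmapped/unknown";
}

/* Parse one pinatrace line "0x<ip>: R 0x<addr>" / "... W ..."; 1 on success.
 * pinatrace ends its file with a "#eof" line, which is skipped. */
int parse_trace_line(const char *line, unsigned long *ip, char *mode,
                     unsigned long *addr)
{
    if (line[0] == '#') return 0;
    return sscanf(line, "%lx: %c %lx", ip, mode, addr) == 3 &&
           (*mode == 'R' || *mode == 'W');
}

/* Write an annotated copy of the n trace lines to out. If interest != 0,
 * mark each access to exactly that address and return how many there were. */
int annotate(const char *const *trace, int n, unsigned long interest, FILE *out)
{
    int touched = 0;
    for (int i = 0; i < n; i++) {
        unsigned long ip, addr;
        char mode;
        if (!parse_trace_line(trace[i], &ip, &mode, &addr)) continue;
        int hit = (interest != 0 && addr == interest);
        touched += hit;
        fprintf(out, "%-12s %c %-16s%s\n", function_of(ip), mode, area_of(addr),
                hit ? " <== data of interest" : "");
    }
    return touched;
}

/* constructed trace: main writes a stack slot, check_input reads it back */
static const char *const sample_trace[] = {
    "0x400572: W 0x7ffd1ca0fe2c",
    "0x4005b4: R 0x7ffd1ca0fe2c",
    "0x4005c8: R 0x602010",
    "0x400438: R 0x60001040",
    "0x400fff: W 0x60001040",
    "#eof",
};

int main(void)
{
    int n = annotate(sample_trace, N(sample_trace), 0x7ffd1ca0fe2c, stdout);
    printf("%d accesses to the data of interest\n", n);
    return 0;
}
```

On a real trace the same lookup answers the EX1 question directly: filter the annotated lines on the address where the string of interest lives and the function column names the code that handled it, without reading any assembly.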