# break

## Intro

break - allows a process to set memory protection for a given address range.
## Description

The `break` system call is used by a process to set specific memory protection on a given address range within its virtual address space. It can mark memory as non-executable, readable, writable, or any combination of the three. The protection change is applied atomically and therefore always as a whole. It is an essential part of modern operating system memory protection and is used to preserve the memory integrity of running processes.
The `break` system call may have the following drawbacks or edge cases:

* It must be called with the start and end boundaries of the region to be altered, so it can be difficult to use with regions that span multiple memory pages.
* If an area of memory is marked as non-executable, the processor checks that this is not the case for any instruction within the region; if it is, the instruction is disallowed.
* It does not differentiate between memory pages, so shared and private memory can both be affected by a single call to `break`.
## Arguments

* `addr`:`void *` - start address of the region to be set.
* `len`:`unsigned long` - the number of bytes in the memory area to be changed.
* `type`:`int`[K | U | TOCTOU | OPT] - the type of memory protection to be implemented. The possible types are `PROT_READ = 1`, `PROT_WRITE = 2`, `PROT_EXEC = 4`, `PROT_NONE = 0`, or any combination of these.
### Available Tags

- K - Originated from kernel-space.
- U - Originated from user space (for example, a pointer to user-space memory used to get it).
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use).
- OPT - Optional argument - might not always be available (passed with a null value).
## Hooks

### do_mremap()

#### Type

Kprobe

#### Purpose

To detect calls to `break` that change the memory protection of a given region.
## Example Use Case

The `break` system call can be used to mark memory as non-executable to prevent malicious code injection or the execution of unsigned code.
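To make the `type` bitmask and the non-executable use case concrete, here is an added Python example (not Tracee's own code) that decodes the `PROT_*` values listed under Arguments, works out how many pages a region actually covers, and classifies protection changes a defender would want to review. The event dict shape, the `prev_type` field and the 4 KiB page size are assumptions, not part of the event definition.

```python
# Added example, not Tracee code. Decodes the `type` bitmask of the event
# above and classifies protection changes from a defender's point of view.
PROT_NONE, PROT_READ, PROT_WRITE, PROT_EXEC = 0, 1, 2, 4
_NAMES = {PROT_READ: "PROT_READ", PROT_WRITE: "PROT_WRITE", PROT_EXEC: "PROT_EXEC"}
PAGE_SIZE = 4096  # assumption: 4 KiB pages


def decode_prot(flags: int) -> list:
    """Return the PROT_* names set in `flags`; PROT_NONE when no bit is set."""
    if flags & ~(PROT_READ | PROT_WRITE | PROT_EXEC):
        raise ValueError(f"unknown protection bits in {flags:#x}")
    return [name for bit, name in _NAMES.items() if flags & bit] or ["PROT_NONE"]


def pages_covered(addr: int, length: int) -> tuple:
    """Page-aligned start and page count for [addr, addr+length), since the
    protection change applies to whole pages, not just the requested bytes."""
    start = addr & ~(PAGE_SIZE - 1)
    end = (addr + length + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1)
    return start, (end - start) // PAGE_SIZE


def classify(event: dict) -> str:
    """Classify one event as 'rwx', 'exec-enabled', 'exec-removed' or 'benign'.
    `prev_type` (protection before the call) is an assumed field added here
    for comparison; it is not one of the page's arguments."""
    new, old = event["type"], event.get("prev_type", PROT_NONE)
    if new & PROT_WRITE and new & PROT_EXEC:
        return "rwx"            # writable and executable at once
    if new & PROT_EXEC and not old & PROT_EXEC:
        return "exec-enabled"   # data became executable
    if old & PROT_EXEC and not new & PROT_EXEC:
        return "exec-removed"   # the hardening use case described above
    return "benign"


# Constructed sample events (not captured Tracee output).
SAMPLE_EVENTS = [
    {"addr": 0x7F0000000000, "len": 4096, "prev_type": 3, "type": 7},
    {"addr": 0x7F000000100A, "len": 8192, "prev_type": 3, "type": 5},
    {"addr": 0x7F0000004000, "len": 4096, "prev_type": 5, "type": 1},
    {"addr": 0x7F0000005000, "len": 4096, "prev_type": 3, "type": 3},
]


def triage(events: list) -> list:
    """Decode and classify each event: (addr, [PROT_* names], pages, verdict)."""
    return [(hex(e["addr"]), decode_prot(e["type"]),
             pages_covered(e["addr"], e["len"])[1], classify(e)) for e in events]


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(*row)
```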
## Issues

The `break` system call is vulnerable to TOCTOU (time of check, time of use), as the memory may be changed after the call to the `break` system call and before the protection can be applied.
## Related Events

`mmap`, `mprotect`, `mremap`

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the `events.go` source file to understand the events and their arguments better.