sigaltstack
Intro
sigaltstack - Sets or gets the signal stack context
Description
The sigaltstack syscall can be used to set or get the signal stack context of a process. It sets a new signal stack for the process (or retrieves the previously set one) and specifies a sigaction structure that determines what should be done when signals are delivered to that stack. This is useful for separating the execution stack of signal handlers and other asynchronous events from the normal stack, for example when dealing with asynchronous interrupts. The sigaltstack syscall can also be used to enable or disable the alternate stack, which can improve the performance of the process in receiving signals.
There are two main advantages to using sigaltstack. Firstly, it allows users to control the stack used during signals to limit the amount of data that must be copied around. Secondly, it allows users to create a dedicated signal stack, giving signal handlers a separate memory space that is independent of the current stack frame.
However, there are some drawbacks to consider when using sigaltstack:
- There is a limit on the size of the alternate stack. This means that some signals might not fit onto the stack and thus fail without their handler being executed.
- The sigaltstack syscall is potentially vulnerable to a TOCTOU attack. Furthermore, due to the alternate stack, access to certain parts of the program may be restricted while the signal is being processed.
Arguments
- ss: const stack_t* [K,U] - Pointer to a stack_t structure containing the alternate stack data.
- old_ss: stack_t* [U] - Pointer to a stack_t structure where the currently active stack will be stored.
Available Tags
- K - Originated from kernel-space.
- U - Originated from user space (for example, a pointer to user space memory used to get it).
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Hooks
sys_sigaltstack
Type
Kprobe
Purpose
To disable the alternate stack before the sigaltstack syscall is executed and to enable it afterwards. This allows us to ensure that any signal handler is only using the alternate stack and not a user space stack.
user_sigaltstack
Type
Uprobe
Purpose
To trace any sigaltstack syscalls happening in a user space context. This allows us to track any attempted signals that might be generated as a result of the sigaltstack syscall.
Example Use Case
sigaltstack can be used to handle certain signals that interrupt program execution flow, such as SIGSEGV and SIGINT. By setting an alternate stack and catching the interrupt-based signals, the program can be protected from crashing due to a segmentation fault.
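The use case above, worked through as an added example (not Tracee's code and not part of the original page): the process installs an alternate stack with sigaltstack, registers a handler with sigaction, and then checks whether the handler actually ran on that stack by comparing the address of a handler-local variable against the alternate stack's range. SIGUSR1 is used as the constructed trigger instead of SIGSEGV so the check is deterministic; the SS_ONSTACK query shows the "get" side of the syscall. Only handlers registered with SA_ONSTACK are moved to the alternate stack, which is the detail the paragraph leaves implicit.

```c
#define _XOPEN_SOURCE 700   /* expose sigaltstack/stack_t under strict -std modes */
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ALT_STACK_SIZE (64 * 1024)  /* constructed size; SIGSTKSZ is not a constant on newer glibc */

static stack_t alt;                               /* the alternate stack we register */
static volatile sig_atomic_t handler_on_alt = -1; /* 1 = ran on alt stack, 0 = ran on main stack */

static void on_signal(int signo) {
    (void)signo;
    char probe;  /* the address of a handler-local variable reveals which stack we run on */
    uintptr_t p = (uintptr_t)&probe;
    uintptr_t lo = (uintptr_t)alt.ss_sp;
    uintptr_t hi = lo + alt.ss_size;
    handler_on_alt = (p >= lo && p < hi) ? 1 : 0;
}

/* "Set" side of sigaltstack: register a heap buffer as the alternate signal stack. */
int install_alt_stack(void) {
    alt.ss_sp = malloc(ALT_STACK_SIZE);
    if (alt.ss_sp == NULL) return -1;
    alt.ss_size = ALT_STACK_SIZE;
    alt.ss_flags = 0;
    return sigaltstack(&alt, NULL);
}

/* Register on_signal for signo; SA_ONSTACK asks the kernel to switch to the alternate stack. */
int install_handler(int signo, int use_alt_stack) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = use_alt_stack ? SA_ONSTACK : 0;
    return sigaction(signo, &sa, NULL);
}

/* Deliver signo to ourselves; returns 1 (alt stack), 0 (main stack) or -1 (handler did not run). */
int deliver_and_check(int signo) {
    handler_on_alt = -1;
    if (raise(signo) != 0) return -1;
    return handler_on_alt;
}

/* "Get" side of sigaltstack: is the caller currently executing on the alternate stack? */
int currently_on_alt_stack(void) {
    stack_t cur;
    if (sigaltstack(NULL, &cur) != 0) return -1;
    return (cur.ss_flags & SS_ONSTACK) ? 1 : 0;
}
```

Running `install_alt_stack()` followed by `install_handler(SIGUSR1, 1)` and `deliver_and_check(SIGUSR1)` reports 1, while re-registering without SA_ONSTACK reports 0: the alternate stack exists in both cases, but only SA_ONSTACK handlers use it.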
Issues
The sigaltstack syscall is vulnerable to TOCTOU (Time Of Check, Time Of Use) attacks, meaning that a malicious actor could potentially corrupt the signal stack pointer between the time when it is checked and the time it is used to stage the signal handler.
Related Events
- signal: Used to register signal handlers.
- sigaction: Used to define how a signal should be handled.
- sigsuspend: Used to pause the process until a signal is received.
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.