Skip to content



execve - This system call causes the program referred to by pathname to be executed in a new process using the given parameters and environment.


execve is used to start new processes. It takes a pathname and two arrays - argv and envp - as parameters and executes the program found at the given pathname. The argv array is a collection of NULL-terminated strings of command-line options to be passed to the new process, while the envp array is a collection of NULL-terminated strings that defines the environment of the new process. execve overwrites the current process image with a new process image, which is created based on the given parameters and environment.

When execve is executed, it is important to keep in mind that the new process image is created but not executed yet. This means that the process might still need to allocate memory for itself, load code and initialize data before it can start executing. This can be vulnerable to Time Of Check, Time Of Use (TOCTOU) attacks, where the process checks the validity of a file at one point in time, and then later uses the file itself assuming the validity of it.


  • pathname:const char* - Pathname of the program to be executed.
  • argv:const char*const* [K] - Array of null-terminated strings that contain the arguments to be passed to the new process.
  • envp:const char*const* [K] - Array of null-terminated strings that contain the environment variables of the new process.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)






Hooking sys_execve enables tracing of all processes executed on the system, including the process arguments and environment variables.

Example Use Case

Tracing an access control matrix to make sure sensitive programs are not executed without permission.


execve is vulnerable to TOCTOU attacks, so checks should be done when using the execve call.

  • fork - To create a new process before executing it.
  • sigaction - To set the signal handling function of the new process.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.