break - allows a process to set memory protection for a given address range.
The break system call is used by a process to set specific memory protection of a given address range within its virtual address space. It can be used to mark memory as non-executable, readable, writable, or any combination of the three. The changes in protection are done atomically and, as a result, are always performed as a whole. It is an essential part of modern operating system memory protection and is used to ensure the memory integrity of running processes.
The break system call may have the following drawbacks or edge cases:
* It must be called with the start and end boundaries of the region to be altered, so it can be difficult to use this system call with regions that span multiple memory pages.
* If an area of memory is marked as non-executable, the processor will try and verify that this isn't the case for all instructions within the region; if it is, the instruction will be disallowed.
* It does not differentiate between memory pages, so shared and private memory can be affected by a single call to
* void * - start address of the region to be set.
* unsigned long - the number of bytes in the memory area to be changed.
* int [K | U | TOCTOU | OPT] - the type of memory protection to be implemented. The possible types are PROT_READ = 1, PROT_WRITE = 2, PROT_EXEC = 4, PROT_NONE = 0, or any combination of these.
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
To detect calls to break to change the memory protection of a given region.
Example Use Case
The break system call can be used to mark memory as non-executable to prevent malicious code injection or execution of unsigned code.
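An added example, not code from this page or from the Tracee project: it decodes the protection value from the argument list above and flags calls that leave a region writable and executable at once, or that make a previously writable start address executable. The `ProtChange` record, the function names and the sample values are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Protection bits as listed on this page; PROT_NONE is 0.
const ProtRead, ProtWrite, ProtExec = 1, 2, 4

// ProtChange is a hypothetical record of one protection-change call, not a Tracee type.
type ProtChange struct{ Addr, Len uint64; Prot int }

// DecodeProt names the set bits and keeps unknown bits visible as hex.
func DecodeProt(prot int) string {
	if prot == 0 {
		return "PROT_NONE"
	}
	var names []string
	for i, n := range []string{"PROT_READ", "PROT_WRITE", "PROT_EXEC"} {
		if prot&(1<<i) != 0 {
			names = append(names, n)
		}
	}
	if rest := prot &^ 7; rest != 0 {
		names = append(names, fmt.Sprintf("0x%x", rest))
	}
	return strings.Join(names, "|")
}

// Findings flags calls that leave a region writable and executable at once (W+X)
// and calls that make executable a start address last seen writable (W->X).
func Findings(events []ProtChange) (out []string) {
	wasWritable := map[uint64]bool{}
	for _, e := range events {
		w, x := e.Prot&ProtWrite != 0, e.Prot&ProtExec != 0
		if w && x {
			out = append(out, fmt.Sprintf("W+X 0x%x %s", e.Addr, DecodeProt(e.Prot)))
		} else if x && wasWritable[e.Addr] {
			out = append(out, fmt.Sprintf("W->X 0x%x %s", e.Addr, DecodeProt(e.Prot)))
		}
		wasWritable[e.Addr] = w
	}
	return out
}

func main() {
	// Constructed sample sequence, not captured from a real system.
	sample := []ProtChange{{0x7f0000001000, 4096, 3}, {0x7f0000001000, 4096, 5}, {0x7f0000002000, 8192, 7}}
	fmt.Println(Findings(sample))
}
```

The W->X check keys on the exact start address only, so a change covering part of an earlier range is not matched.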
The break system call is vulnerable to TOCTOU (time of check, time of use), as the memory may be changed after the call to the break system call and before the protection can be applied.
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.