ISSTA 2025
Wed 25 - Sat 28 June 2025 Trondheim, Norway
co-located with FSE 2025
Thu 26 Jun 2025 16:25 - 16:50 at Cosmos 3B - Decompilation and Tracing Chair(s): Philipp Straubinger

System calls serve as the primary interface for interaction between user-space programs and the operating system (OS) kernel. By hooking system calls, it is possible to analyze and modify the behavior of user-space programs. This paper proposes DataHook, an efficient and lightweight system call hooking technique for 32-bit programs. Compared to existing system call hooking techniques, DataHook achieves hooking with extremely low hook overhead by modifying only a few data elements without altering any program instructions. This unique characteristic not only avoids the multithreading conflicts associated with binary rewriting but also provides support for programs to apply more efficient user-space OS subsystems. However, existing system call hooking techniques struggle to meet these goals simultaneously. While techniques like syscall user dispatch (SUD) and ptrace do not require rewriting process instructions, they introduce significant hook overhead. On the other hand, low-overhead techniques typically involve binary rewriting of multiple bytes or instructions, which introduces its own set of challenges. DataHook cleverly addresses these issues by leveraging the specific behavior of 32-bit programs during system calls. In short, unlike 64-bit programs, 32-bit programs use an indirect call instruction to jump to the function executing the syscall/sysenter when making a system call. This paper achieves system call hooking by manipulating the data dependencies involved in the indirect call process. This characteristic is present in 32-bit programs on glibc-based Linux systems, whether running on x86 or x86-64 architectures. Therefore, DataHook can be deployed on these systems. Experimental results demonstrate that DataHook reduces hook overhead by 5.4 to 1,429.0 times compared to existing techniques.
When DataHook was applied to a server program to make it use the user-space network stack, the server performance was improved by approximately 4.3 times. Additionally, when applied to Redis, DataHook resulted in only a 4.0% performance loss, compared to 8.0% to 94.7% with other techniques.
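
The indirect call described in the abstract can be observed from inside a process. The C program below is an added example, not code from the paper or its authors: it compares the pointer a 32-bit glibc thread calls through with the entry address the kernel supplied in the auxiliary vector, so any change to that pointer shows up as a mismatch. The %gs:0x10 slot comes from the glibc i386 ABI rather than from this page, and the function names are hypothetical; build with -m32 on a glibc-based Linux system to exercise the comparison.

```c
#include <elf.h>        /* AT_SYSINFO */
#include <stdint.h>
#include <stdio.h>
#include <sys/auxv.h>   /* getauxval */

/* Entry address the kernel advertised at exec time (0 if none, e.g. 64-bit). */
uintptr_t kernel_sysinfo(void) {
    return (uintptr_t)getauxval(AT_SYSINFO);
}

/* Pointer the indirect call loads. Assumption: glibc on i386 keeps it in the
   thread control block at %gs:0x10. Returns 0 on any other build target. */
uintptr_t tcb_sysinfo(void) {
#if defined(__i386__) && defined(__GLIBC__)
    uintptr_t p;
    __asm__ volatile ("movl %%gs:0x10, %0" : "=r" (p));
    return p;
#else
    return 0;
#endif
}

/* 1 = pointer intact, 0 = pointer redirected, -1 = check not applicable. */
int compare_sysinfo(uintptr_t expected, uintptr_t actual) {
    if (expected == 0 || actual == 0)
        return -1;
    return actual == expected;
}

int sysinfo_pointer_intact(void) {
    return compare_sysinfo(kernel_sysinfo(), tcb_sysinfo());
}

int main(void) {
    static const char *verdict[] = { "not applicable", "REDIRECTED", "intact" };
    int r = sysinfo_pointer_intact();
    printf("AT_SYSINFO=%#lx tcb=%#lx -> %s\n",
           (unsigned long)kernel_sysinfo(), (unsigned long)tcb_sysinfo(),
           verdict[r + 1]);
    return r == 0;   /* non-zero exit status only when a mismatch is seen */
}
```

The check covers only the calling thread, since each thread has its own control block.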

Thu 26 Jun

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

16:00 - 17:15
Decompilation and Tracing (Research Papers) at Cosmos 3B
Chair(s): Philipp Straubinger (University of Passau)

16:00 (25m) Talk
DecLLM: LLM-Augmented Recompilable Decompilation for Enabling Programmatic Use of Decompiled Code
Research Papers
WONG Wai Kin (Hong Kong University of Science and Technology), Daoyuan Wu (Hong Kong University of Science and Technology), Huaijin Wang (Ohio State University), Li Zongjie (Hong Kong University of Science and Technology), Zhibo Liu (Hong Kong University of Science and Technology), Shuai Wang (Hong Kong University of Science and Technology), Qiyi Tang (Tencent Security Keen Lab), Sen Nie (Tencent Security Keen Lab), Shi Wu (Tencent Security Keen Lab)

16:25 (25m) Talk
DataHook: An Efficient and Lightweight System Call Hooking Technique without Instruction Modification
Research Papers
Quan Hong (Institute of Information Engineering, Chinese Academy of Sciences & School of Cyber Security, University of Chinese Academy of Sciences), Jiaqi Li (Institute of Information Engineering, Chinese Academy of Sciences), Wen Zhang (China Unicom Online Information Technology CO.,Ltd), Lidong Zhai (Institute of Information Engineering, Chinese Academy of Sciences)

16:50 (25m) Talk
Tracezip: Efficient Distributed Tracing via Trace Compression
Research Papers
Zhuangbin Chen (Sun Yat-sen University), Junsong Pu (Beijing University of Posts and Telecommunication), Zibin Zheng (Sun Yat-sen University)

Information for Participants
Thu 26 Jun 2025 16:00 - 17:15 at Cosmos 3B - Decompilation and Tracing Chair(s): Philipp Straubinger
Info for room Cosmos 3B:

Cosmos 3B is the second room in the Cosmos 3 wing.

When facing the main Cosmos Hall, access to the Cosmos 3 wing is on the left, close to the stairs. The area is accessed through a large door with the number “3”, which will stay open during the event.
