Constable support of code forcing

The code forcing feature of Medusa exploits the fact that the Linux kernel handles signals via the stacks of user-space processes. A signal handler thus executes in user context like the process itself. Medusa places forced code on the stack, too, and simulates handling of a signal. This operation executes the forced code in the context of the current process.

Constable loads a statically linked relocatable ELF object file, relocates it and sends it to the kernel with the entry point set at the symbol "main".

To make creating these object files easier, mlibc (stands for Medusa or Mini libc) was written. It is a small library of the most used standard functions and all syscall wrappers. A header file provides declarations of these, and also declarations of many standard structures, constants and macros; they are listed in the header file itself. Mlibc with some examples can be found in Constable/Mlibc.

When writing forced code, just include fc_std.h (which contains declarations of some symbols needed for linking) and mlibc.h, and you can write the code relatively easily. Then compile the source and mlibc.c with "gcc -c" and link them together with "ld -r", or edit the Makefile and change "test" to your program.

Example:

    #include "fc_std.h"
    #include "mlibc.h"

    /* Constable calls main() with numeric arguments, not the usual char *argv[]. */
    void main(int argc, int *argv)
    {
        printf("Hello world\n");
        if (argc > 0)
            printf("%d\n", argv[0]);
    }

You can compile this with:

    gcc -O2 -c mlibc.c -o mlibc.o
    gcc -O2 -c program.c -o program.o
    ld -r -o program program.o mlibc.o

Of course, you have to declare main() in your program. You can declare it with parameters as main(int argc, int *argv) and pass some numeric parameters to your code this way.

Of the unsolved problems, the most notable are that Constable cannot initialize all global variables (so you have to do it yourself) and that the forced code cannot return a value directly to Constable. (This can be worked around by calling, from the forced code, some syscall which Constable traces; see trace_on.)

Look at the example files in the directory Mlibc. They are well commented, and, as we all know, one good example is better than 100 pages of manual. I recommend you start with f_exit.c. Here is a short description of a few examples:

* f_exit.c: force exit() on the application.
* f_showargs.c: show the force arguments.
* f_secure_unlink.c: overwrite a file with zeros and 0xff's on delete.
* f_getpeername.c: grant/revoke permissions to the application which uses some network connection, depending on the IP address of the remote end.

Note that Constable uses a different prototype for the main() function than the usual int main(int argc, char *argv[]). This may cause a harmless warning at compile time.

Also note that mlibc is not a complete rewrite of libc or any other library. It is only a small subset of their routines.