Timeless Debuggers

# whoami

• Aleksandr Sinyaev
• student of Saint-Petersburg State University of Aerospace Instrumentation
• sometimes I play CTF

Anatomy of a bug

• The process of debugging is the process of reasoning backwards through the cause and effect chain from the bug's symptom to its origin.

What the pentester knows

What the pentester wants to know

Traditional debugging

Nondeterminism

• signals sent to the program by the operating system: SIGINT, SIGSEGV, ...
• interactions with the file system: read(fd, buf, size), …
• system calls like getrandom(buf, size, flags)
• timing: rdtsc, ...
• device-specific input/output operations

Timeless debugging

Timeless debugging

• record nondeterministic failure once, debug deterministically forever
• go backwards in time
• debuggers: QIRA, rr, RevPDB, REVEN-Axion

rr

• Mozilla's project, initial focus on Firefox
• lightweight recording: rr records only the nondeterministic parts
• usage: rr record prog --args →saves recording rr replay →replay of most recent recording
• x86 CPU and UNIX only :(
• no GUI(gdb)

QEMU Interactive Runtime Analyser(QIRA)

• geohot's project, competitor to strace and gdb
• nice GUI
• x86, powerpc, arm, mips IDA Integration
• high runtime overload => not for realworld

rr vs QIRA

rr vs QIRA

DEMO

END