tree: 9213c59d2215dfd4c4383c47bc7d0e71f4f6e6e2 [path history] [tgz]
  1. BUILD.gn
  2. collect_frame_cookies.cc
  3. collect_frame_cookies.h
  4. collect_frame_cookies_unittest.cc
  5. collect_system_info.cc
  6. collect_system_info.h
  7. collect_system_info_unittest.cc
  8. collect_timeline_events.cc
  9. collect_timeline_events.h
  10. collect_timeline_events_unittest.cc
  11. filter_ftrace_using_allowlist_integrationtest.cc
  12. filter_ftrace_using_allowlist_unittest.cc
  13. filter_packet_using_allowlist.cc
  14. filter_packet_using_allowlist.h
  15. filter_packet_using_allowlist_unittest.cc
  16. filter_sched_waking_events_integrationtest.cc
  17. filter_sched_waking_events_unittest.cc
  18. filter_task_rename_integrationtest.cc
  19. find_package_uid.cc
  20. find_package_uid.h
  21. find_package_uid_unittest.cc
  22. frame_cookie.h
  23. main.cc
  24. modify_process_trees.cc
  25. modify_process_trees.h
  26. populate_allow_lists.cc
  27. populate_allow_lists.h
  28. process_thread_timeline.cc
  29. process_thread_timeline.h
  30. process_thread_timeline_integrationtest.cc
  31. process_thread_timeline_unittest.cc
  32. proto_util.cc
  33. proto_util.h
  34. proto_util_unittest.cc
  35. prune_package_list.cc
  36. prune_package_list.h
  37. prune_package_list_integrationtest.cc
  38. prune_package_list_unittest.cc
  39. README.md
  40. redact_ftrace_events.cc
  41. redact_ftrace_events.h
  42. redact_process_events.cc
  43. redact_process_events.h
  44. redact_process_events_unittest.cc
  45. redact_process_trees.cc
  46. redact_process_trees.h
  47. redact_process_trees_integrationtest.cc
  48. redact_sched_events.cc
  49. redact_sched_events.h
  50. redact_sched_events_integrationtest.cc
  51. redact_sched_events_unittest.cc
  52. scrub_ftrace_events_integrationtest.cc
  53. scrub_process_stats.cc
  54. scrub_process_stats.h
  55. scrub_process_stats_integrationtest.cc
  56. scrub_trace_packet.cc
  57. scrub_trace_packet.h
  58. suspend_resume_unittest.cc
  59. trace_redaction_framework.cc
  60. trace_redaction_framework.h
  61. trace_redaction_integration_fixture.cc
  62. trace_redaction_integration_fixture.h
  63. trace_redactor.cc
  64. trace_redactor.h
  65. verify_integrity.cc
  66. verify_integrity.h
  67. verify_integrity_integrationtest.cc
  68. verify_integrity_unittest.cc
src/trace_redaction/README.md

Trace Redaction

Timeline

Intro

The timeline is at the center of the redaction system. It provides an efficient method to find which package a thread/process belongs to.

The timeline allows queries to be connected to time. Without this, there‘s a significant privacy conern because a pid can be recycled. Just because the pid is excluded from redaction before time T, doesn’t mean it should be redacted after time T.

General Structure

The timeline uses an event-based pattern using two events:

  • Open Event: Marks the begining of a pid's new lifespan.
  • Close Event: Marks the end of a pids's lifespan.

An event-based structure (compared to a span-based structure) is used as it is better suited to handle errors/issues in the underlying data. For example, if a pid doesn't explictly ends before being reused (e.g. two back-to-back open events), the event-based structure “just works”.

Open events contain the thread‘s full state. The close event only contains the information needed to reference the thread’s previous event.

struct Open {
    uint64_t ts;
    int32_t  pid;
    int32_t  ppid;
    uint64_t uid;
};

struct Close {
    uint64_t ts;
    int32_t  pid;
};

The vast majory of threads will have one event, an open event provided by the ProcessTree. For some threads, they will have multiple open (ProcessTree, NewTask) and close events (ProcFree) in alternating order.

Query

struct Slice {
    int32_t  pid;
    uint64_t uid;
};

class Timeline {
  Slice Query(uint64_t ts, int32_t pid) const;
};

Events, regardless of type, are stored in contiguous memory and are ordered first by pid and second by time. This is done to allow events to be found via a binary search.

The vast majory of threads will have one event, the open event. Some threads may have close and re-open events.

To handle a query,

  1. Use a binary search to find the lower bound for pid (the first instance of pid)
  2. Scan forward to find the last event before ts (for pid)

If an event was found:

if (e.type == kOpen && uid != 0)
  return Slice(pid, e.uid);

// The pid is active, check the parent for a uid.
if (e.type == kOpen && uid == 0)
  return Query(ts, e.ppid);

return Slice(pid, kNoPackage);

If pid does not have an immediate package (uid), the parent must be searched. The parent-child tree is short, so the recursive search will be relatively short. To minimize this even more, a union-find operation is applied because any queries can be made.

Simple runtime overview:

Initialization:

  • $sort + union\ find$

  • $nlogn + mlogn$

    • where $n=events$
    • and $m=approx\ average\ depth$

Query:

  • $P(p) = m_p * (logn + e_p)$

    • where $m_p=\ distance\ from\ pid\ to\ uid$
    • and $n=events$
    • and $e_p=number\ of\ events\ for\ process\ p$
  • Because of the union-find in initialization, $m_p \to 0$

To further reduce the runtime, the search domain is reduces by remove all open events for $pids$ that don't connect to a target $uid$. By removing open events, and close events, there are two advantages:

  1. Removing open events are safe and simple. By removing open events, those pids can never be marked by active. Keeping the close events effectively reminds the system that the pid is not active.

  2. The number of open events exceeds the number of close events. Removing open events will have a greater effect on the number of events.

Example:

NameValueNotes
tids3666Total number of threads.
freed threads5Number of threads that were freed.
reused threads0No threads were used more than one time.
process tids64Total number of threads connected to the target process.

After initialization, there would only be 64 open events and 5 close events. This means that every uid lookup would be $logn\ |\ n=64 = 6$. Finding the uid given a pid is one of the most common operations during redaction because uid determines if something needs to be redacted.

Scrub Task Rename Spec

Background

task_rename are generated when a thread renames itself. This often happens after (but not limited to) a task_newtask event. The task_rename event exposes the threads old name and the threads new name.

Protobuf Message(s)

New task event:

event {
  timestamp: 6702094133317685
  pid: 6167
  task_newtask {
    pid: 7972
    comm: "adbd"
    clone_flags: 4001536
    oom_score_adj: -1000
  }
}

Task rename event:

event {
  timestamp: 6702094133665498
  pid: 7972
  task_rename {
    pid: 7972
    oldcomm: "adbd"
    newcomm: "shell svc 7971"
    oom_score_adj: -1000
  }
}

Method

A task_rename should be redacted when event.pid does not belong to that target package (context.package_uid). Since the pid's naming information will be removed everywhere, and naming information is effectively metadata, the whole event can be dropped without effecting the integrity of the trace.