OpenSSL Tracer: a real-life example
Tracing text encryption
OpenSSL ships with a command-line tool named openssl. We can use it to encrypt some text by issuing the following command:
$ echo some text | openssl enc -aes-256-cbc -k secret -base64
U2FsdGVkX181z6PWd25ZnqNUqhVXGiy+ka7bwSu1tqE=
Since the openssl command-line tool uses libcrypto in this case, the OpenSSL tracer component to choose is evp_tracer.so. To obtain the trace corresponding to the execution of this command, the LD_PRELOAD environment variable needs to be set to the path of the tracer. LD_PRELOAD only takes effect for dynamically linked executables, and the dynamic loader ignores it for set-user-ID and set-group-ID programs; a statically linked openssl, or one that does not load libcrypto as a shared library, therefore produces no trace (ldd $(command -v openssl) shows whether libcrypto is linked dynamically). For example, in an interactive shell session, the previous command line would be changed to become:
$ echo some text | LD_PRELOAD=/path/to/evp_tracer.so openssl enc -aes-256-cbc -k secret -base64
U2FsdGVkX1++v8mvWpXbogGGWV8NrE4LxWuQ/+0E/yw=
The encrypted text is still printed on the standard output (it differs from the previous run only because openssl enc picks a fresh random salt each time, not because of the tracer). The traced run also creates a cs-trace-evp-PID_TIMESTAMP.cst trace file under /tmp, where PID is the process ID of the traced process and TIMESTAMP is a date and time (for example 2022-06-14-13-56-53 in the listing below).
Configuring where traces are stored
It is possible to configure where traces are stored using the CS_TRACE_DIR environment variable; a relative path, as in the example, ends up under the current working directory:
$ mkdir cs-tracer
$ export CS_TRACE_DIR=cs-tracer
$ echo some text | LD_PRELOAD=/path/to/evp_tracer.so openssl enc -aes-256-cbc -k secret -base64
U2FsdGVkX1+Gwdr9Zs0OyteehJdK40UBJSwQ+BWrq3w=
$ ls cs-tracer
cs-trace-evp-944387_2022-06-14-13-56-53.cst
Combining trace files
Since every run of the program creates a separate trace file, you may eventually end up with a large number of them. These files can simply be concatenated before being submitted to the SandboxAQ Security Suite Analyzer web application; the shell glob below orders them by file name, that is by PID, not by time:
$ ls cs-tracer
cs-trace-evp-944387_2022-06-14-13-56-53.cst
cs-trace-evp-947560_2022-06-14-14-44-49.cst
cs-trace-evp-947609_2022-06-14-14-44-50.cst
cs-trace-evp-947654_2022-06-14-14-44-51.cst
cs-trace-evp-947699_2022-06-14-14-44-53.cst
cs-trace-evp-947744_2022-06-14-14-44-54.cst
$ cat cs-trace-evp-*.cst > cryptosense-evp-joined.cst
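The following helper script is an added example, not part of the tracer's documentation or of the SandboxAQ tooling. It wraps the procedure on this page: it checks that the tracer library actually exists before preloading it (with glibc, an LD_PRELOAD object that cannot be opened is only a loader warning, so the command would otherwise run untraced and still exit successfully), runs the command with CS_TRACE_DIR and LD_PRELOAD set for that one command only, counts the trace files in a directory, and joins them in the same name order as the cat glob above. The function names and the joined-file name are this example's own; the tracer path /path/to/evp_tracer.so is the page's placeholder, and the file-name pattern cs-trace-evp-PID_TIMESTAMP.cst is taken from the page.

```shell
#!/bin/sh
# Added example, not part of the tracer documentation. Helpers for the
# workflow on this page: run a command under evp_tracer.so with traces
# written to a chosen directory, count the trace files, and join them.
# Assumptions: trace files are named cs-trace-evp-PID_TIMESTAMP.cst as the
# page shows; the tracer path is the page's placeholder. Function names and
# the joined-file name are this example's own.
#
# Usage (after `. ./trace-helpers.sh`):
#   echo some text | run_traced /path/to/evp_tracer.so cs-tracer \
#       openssl enc -aes-256-cbc -k secret -base64
#   join_traces cs-tracer cryptosense-evp-joined.cst
set -u

# run_traced TRACER_SO TRACE_DIR COMMAND [ARGS...]
# Runs COMMAND with the tracer preloaded. Stdin is passed through, so a
# pipeline into the traced command works as on the page. The tracer file is
# checked first: with glibc an LD_PRELOAD object that cannot be opened is only
# a loader warning, so the command would otherwise run untraced and still
# exit 0.
run_traced() {
    tracer=$1
    tdir=$2
    shift 2
    if [ ! -r "$tracer" ]; then
        printf 'tracer library not readable: %s\n' "$tracer" >&2
        return 1
    fi
    mkdir -p "$tdir" || return 1
    # Both variables are set for this one command only; the calling shell's
    # environment is left alone, so nothing else gets preloaded by accident.
    CS_TRACE_DIR=$tdir LD_PRELOAD=$tracer "$@"
}

# count_traces TRACE_DIR
# Prints how many cs-trace-evp-*.cst files TRACE_DIR holds (0 if none).
count_traces() {
    set -- "$1"/cs-trace-evp-*.cst
    # With no match the glob stays literal and names a file that does not exist.
    if [ -e "$1" ]; then echo "$#"; else echo 0; fi
}

# join_traces TRACE_DIR OUT
# Concatenates every cs-trace-evp-*.cst in TRACE_DIR into OUT, in the same
# name (PID) order a shell glob gives, and prints the number of files joined.
# Fails instead of producing an empty OUT when there is nothing to join.
join_traces() {
    dir=$1
    out=$2
    set -- "$dir"/cs-trace-evp-*.cst
    if [ ! -e "$1" ]; then
        printf 'no trace files in %s\n' "$dir" >&2
        return 1
    fi
    cat -- "$@" > "$out" || return 1
    echo "$#"
}
```

Because the two environment variables are set only on the traced command's line, no later command in the shell session is preloaded by mistake; the `-k secret` passphrase on the command line is the page's example and is visible in the process list, so use `-pass file:` or `-pass env:` for anything other than a demonstration.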