vivarium 0.3.1 → 0.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 150b5b98d7555e1954b0002ca2224b1e445b799fa5d163ab4bbcbc8cac42ea74
-  data.tar.gz: 5984b875d3fab3600c86f9e1d961a0c1ab84945f1c1ea76e78e72248ec2fd9f7
+  metadata.gz: a0e7e80cef690342f163fde6c05fed6859c3ef81aa794fe532c87b00fbe11cd5
+  data.tar.gz: 4f2de93c9795fe93ecb0d8291f86a117ac0f595c8c12e2c7b41caabaae7c3273
 SHA512:
-  metadata.gz: 17847e5f3852628e8bc58f4a31fc4e934b0b06d35d7961ac811d27d34ffcb4a8f17fd9e9c7f61253b9e7d37db09ee9d06354be637f8953c4bd1827baf8d3e0e7
-  data.tar.gz: 1980ac521ccd83eadb68bbbb5b6cb6a6053f3737c2b8c7aaeded5b9ace3563b34666da472bfe133204caf5889a4e77febea2c9069900e4f040a728a6f609b75a
+  metadata.gz: 9a116f2c50b978a368a05cca351411f9724686746820085b651038d060c8452a8546170cb6e6ac885ab8a721aa20bcf42c5746639d32cbfea0ba8a9452b9687e
+  data.tar.gz: fb5b4b5307682fa84b77dcfaa2165a71a5e16deef8d7b7d21d6b3267e82b5a12ce1f73dee946193605e039a247d59613a9c2dffca15ef96ddb502a17c9ce742d

data/examples/dlopen_demo.rb

@@ -0,0 +1,50 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "fiddle"
+require "vivarium"
+
+FILTER = {
+  include_events: %w[dlopen mmap_exec]
+}.freeze
+
+# Usage:
+#   1) In another shell (root): sudo bundle exec vivariumd
+#      (dlopen uprobe is attached automatically when libc is found)
+#   2) Run this script: bundle exec ruby examples/dlopen_demo.rb
+#
+# Expected output: "DL dlopen" and "DL mmap_exec" events for each
+# library loaded via Fiddle.dlopen.
+#
+# You can disable the dlopen uprobe with `sudo vivariumd --no-dlopen-trace`
+# or point at a specific libc with `sudo vivariumd --libc /lib/x86_64-linux-gnu/libc.so.6`.
+
+Vivarium.observe(filter: FILTER) do
+  # libm: math functions — almost universally available
+  begin
+    libm = Fiddle.dlopen("libm.so.6")
+    sin_fn = Fiddle::Function.new(libm["sin"], [Fiddle::TYPE_DOUBLE], Fiddle::TYPE_DOUBLE)
+    puts "[dlopen_demo] sin(PI/4) = #{sin_fn.call(Math::PI / 4).round(6)}"
+    libm.close
+  rescue Fiddle::DLError => e
+    warn "[dlopen_demo] libm: #{e.message}"
+  end
+
+  # libsqlite3: a common library that may not be loaded at startup
+  begin
+    libsqlite3 = Fiddle.dlopen("libsqlite3.so.0")
+    puts "[dlopen_demo] libsqlite3 loaded: version = #{Fiddle::Function.new(libsqlite3["sqlite3_libversion"], [], Fiddle::TYPE_VOIDP).call}"
+    libsqlite3.close
+  rescue Fiddle::DLError => e
+    warn "[dlopen_demo] libsqlite3: #{e.message}"
+  end
+
+  # Spawn a child process that also calls dlopen — its events should
+  # appear under a PROC node in the tree (descendant PID tracking).
+  # Unbundle so Bundler does not spawn anything.
+  Bundler.with_unbundled_env do
+    system("ruby -e 'require \"fiddle\"; Fiddle.dlopen(\"libm.so.6\").close'")
+  end
+end
+
+puts "[dlopen_demo] done"

data/examples/drop_demo.rb

@@ -0,0 +1,78 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+# Standalone demo: shows what DROP warning nodes look like in the TreeRenderer
+# output. Does NOT require BPF or vivariumd — constructs RawEvent objects
+# directly and feeds them to TreeRenderer.
+#
+# Usage:
+#   ruby examples/drop_demo.rb
+
+$LOAD_PATH.unshift File.join(__dir__, "..", "lib")
+
+require "vivarium"
+require "vivarium/correlator"
+require "vivarium/tree_renderer"
+require "vivarium/display_filter"
+require "vivarium_usdt"
+
+t0        = 1_000_000_000  # base ktime_ns
+pid       = Process.pid
+tid       = Process.pid
+method_id = 0x0001_0001
+
+# span_start payload: method_id (8B) + file_id (8B) + lineno (8B)
+span_start_payload = [method_id, 0, 10].pack("q<q<q<")
+                                        .ljust(Vivarium::EVENT_PAYLOAD_SIZE, "\x00")
+
+events = [
+  Vivarium::Correlator::RawEvent.new(
+    ktime_ns: t0,
+    pid: pid, tid: tid,
+    event_name: "span_start",
+    payload: span_start_payload,
+    dropped_since_last: 0
+  ),
+  # This event carries drop info: 5 events were lost before it arrived
+  Vivarium::Correlator::RawEvent.new(
+    ktime_ns: t0 + 10_000_000,
+    pid: pid, tid: tid,
+    event_name: "path_open",
+    payload: "/etc/passwd\x00".b.ljust(Vivarium::EVENT_PAYLOAD_SIZE, "\x00"),
+    dropped_since_last: 5
+  ),
+  Vivarium::Correlator::RawEvent.new(
+    ktime_ns: t0 + 20_000_000,
+    pid: pid, tid: tid,
+    event_name: "dns_req",
+    payload: "\x06google\x03com\x00".b.ljust(Vivarium::EVENT_PAYLOAD_SIZE, "\x00"),
+    dropped_since_last: 0
+  ),
+  # Another burst: 12 events dropped just before this sock_connect
+  Vivarium::Correlator::RawEvent.new(
+    ktime_ns: t0 + 25_000_000,
+    pid: pid, tid: tid,
+    event_name: "sock_connect",
+    payload: [2, 443, 0x7f000001, 0].pack("S<nNN").ljust(Vivarium::EVENT_PAYLOAD_SIZE, "\x00"),
+    dropped_since_last: 12
+  ),
+  Vivarium::Correlator::RawEvent.new(
+    ktime_ns: t0 + 30_000_000,
+    pid: pid, tid: tid,
+    event_name: "span_stop",
+    payload: "\x00" * Vivarium::EVENT_PAYLOAD_SIZE,
+    dropped_since_last: 0
+  ),
+]
+
+Vivarium::TreeRenderer.new(
+  events: events,
+  method_table: { method_id => "MyClass#my_method" },
+  observer_pid: pid,
+  main_tid: tid,
+  session_start_iso: "2026-06-02T00:00:00.000Z",
+  session_start_ktime: t0,
+  session_stop_iso: "2026-06-02T00:00:00.030Z",
+  session_stop_ktime: t0 + 30_000_000,
+  dest: $stdout
+).render

data/lib/vivarium/correlator.rb

@@ -6,7 +6,7 @@ require "time"
 module Vivarium
   class Correlator
     RawEvent = Struct.new(
-      :ktime_ns, :pid, :tid, :event_name, :payload,
+      :ktime_ns, :pid, :tid, :event_name, :payload, :dropped_since_last,
       keyword_init: true
     )
 
@@ -17,6 +17,7 @@ module Vivarium
         u32 tid;
         char event_name[16];
         char payload[256];
+        u64 dropped_since_last;
       };
     C
 
@@ -104,11 +105,12 @@ module Vivarium
       bytes = data[0, size].to_s.b
       bytes = bytes.ljust(Vivarium::EVENT_STRUCT_SIZE, "\x00") if bytes.bytesize < Vivarium::EVENT_STRUCT_SIZE
 
-      ktime_ns = bytes[Vivarium::EVENT_TS_OFFSET, Vivarium::EVENT_TS_SIZE].unpack1("Q<")
-      pid = bytes[Vivarium::EVENT_PID_OFFSET, 4].unpack1("L<")
-      tid = bytes[Vivarium::EVENT_TID_OFFSET, 4].unpack1("L<")
-      event_name = Vivarium.c_string(bytes[Vivarium::EVENT_NAME_OFFSET, Vivarium::EVENT_NAME_SIZE])
-      payload = bytes[Vivarium::EVENT_PAYLOAD_OFFSET, Vivarium::EVENT_PAYLOAD_SIZE].to_s.b
+      ktime_ns           = bytes[Vivarium::EVENT_TS_OFFSET,      Vivarium::EVENT_TS_SIZE].unpack1("Q<")
+      pid                = bytes[Vivarium::EVENT_PID_OFFSET,     4].unpack1("L<")
+      tid                = bytes[Vivarium::EVENT_TID_OFFSET,     4].unpack1("L<")
+      event_name         = Vivarium.c_string(bytes[Vivarium::EVENT_NAME_OFFSET, Vivarium::EVENT_NAME_SIZE])
+      payload            = bytes[Vivarium::EVENT_PAYLOAD_OFFSET, Vivarium::EVENT_PAYLOAD_SIZE].to_s.b
+      dropped_since_last = bytes[Vivarium::EVENT_DROPPED_OFFSET, 8].unpack1("Q<")
 
       @events_mutex.synchronize do
         @events << RawEvent.new(
@@ -116,7 +118,8 @@ module Vivarium
           pid: pid,
           tid: tid,
           event_name: event_name,
-          payload: payload
+          payload: payload,
+          dropped_since_last: dropped_since_last
         )
       end
     rescue StandardError => e

data/lib/vivarium/tree_renderer.rb

@@ -22,6 +22,7 @@ module Vivarium
     ].to_set.freeze
 
     UPROBE_EVENT_NAMES = %w[ssl_write].to_set.freeze
+    DL_EVENT_NAMES = %w[dlopen mmap_exec].to_set.freeze
 
     SYNTHETIC_SPAN_NAME = "<no-span>"
     UNRESOLVED_METHOD_PREFIX = "<method_id="
@@ -324,6 +325,7 @@ module Vivarium
     def build_span_children(span)
       proc_node_by_pid = {}
       root_children = []
+      prev_event_ktime = span.start_ktime
 
       span.events.each do |ev|
         target_text = nil
@@ -353,6 +355,7 @@ module Vivarium
           )
 
           parent_container = container_for_pid(ev.pid, span, proc_node_by_pid, root_children)
+          maybe_inject_drop_node(parent_container, ev, span, prev_event_ktime)
           append_event(parent_container, ev_node)
         else
           ev_node = EventNode.new(
@@ -363,12 +366,11 @@ module Vivarium
             child_proc: nil
           )
 
-          if ev.pid == @observer_pid && ev.tid == span.tid
-            append_event(root_children, ev_node)
+          container = if ev.pid == @observer_pid && ev.tid == span.tid
+            root_children
           elsif (node = proc_node_by_pid[ev.pid])
-            append_event(node.children, ev_node)
+            node.children
           else
-            # event from a descendant pid we haven't materialized — synthesize a stub PROC node
             stub = ProcNode.new(
               pid: ev.pid,
               comm: @pid_comm[ev.pid] || "?",
@@ -376,14 +378,19 @@ module Vivarium
               children: []
             )
             proc_node_by_pid[ev.pid] = stub
-            append_event(stub.children, ev_node)
             root_children << stub
+            stub.children
           end
 
+          maybe_inject_drop_node(container, ev, span, prev_event_ktime)
+          append_event(container, ev_node)
+
           if ev.event_name == EXEC_EVENT_NAME && (node = proc_node_by_pid[ev.pid])
             node.comm = @pid_comm[ev.pid] || node.comm
           end
         end
+
+        prev_event_ktime = ev.ktime_ns
       end
 
       # Interleave child spans by start time among the event/proc nodes
@@ -429,6 +436,23 @@ module Vivarium
       container << ev_node
     end
 
+    def maybe_inject_drop_node(container, ev, span, prev_event_ktime = nil)
+      n = ev.dropped_since_last.to_i
+      return if n.zero?
+
+      # Show the start of the drop window (= time of last good event).
+      # The end is implicitly ev.ktime_ns (shown on the following event line).
+      drop_start_ns = prev_event_ktime ? (prev_event_ktime - span.start_ktime) : nil
+
+      container << EventNode.new(
+        kind: "DROP",
+        name: "dropped_events",
+        target: "#{n} event(s) lost (ringbuf overflow)",
+        offset_ns: drop_start_ns,
+        child_proc: nil
+      )
+    end
+
     def print_nodes(nodes, prefix)
       visible_nodes = nodes.select do |node|
         !node.is_a?(Span) || span_visible?(node)
@@ -491,6 +515,7 @@ module Vivarium
       return "EXCP" if ev.event_name == "span_raise"
       return "USDT" if SPAN_EVENT_NAMES.include?(ev.event_name)
       return "SSL" if ev.event_name == SSL_WRITE_EVENT_NAME
+      return "DL" if DL_EVENT_NAMES.include?(ev.event_name)
       return "LSM" if LSM_EVENT_NAMES.include?(ev.event_name)
       return "TP" if TP_EVENT_NAMES.include?(ev.event_name)
 

data/lib/vivarium/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Vivarium
-  VERSION = "0.3.1"
+  VERSION = "0.3.2"
 end

data/lib/vivarium.rb

@@ -24,12 +24,13 @@ module Vivarium
   EVENT_TS_SIZE = 8
   PROC_EXEC_SLOT_SIZE = 64
   PROC_EXEC_SLOT_COUNT = 4
-  EVENT_STRUCT_SIZE = 288
+  EVENT_STRUCT_SIZE = 296
   EVENT_TS_OFFSET = 0
   EVENT_PID_OFFSET = 8
   EVENT_TID_OFFSET = 12
   EVENT_NAME_OFFSET = 16
   EVENT_PAYLOAD_OFFSET = 32
+  EVENT_DROPPED_OFFSET = 288
   EVENTS_RINGBUF_PAGES = 256
 
   SSL_WRITE_PAYLOAD_DATA_LEN_OFFSET = 0
@@ -52,6 +53,16 @@ module Vivarium
     "/usr/lib/libssl.so.1.1"
   ].freeze
 
+  LIBC_SEARCH_PATHS = [
+    "/lib/x86_64-linux-gnu/libc.so.6",
+    "/lib/aarch64-linux-gnu/libc.so.6",
+    "/usr/lib/x86_64-linux-gnu/libc.so.6",
+    "/usr/lib/aarch64-linux-gnu/libc.so.6",
+    "/lib64/libc.so.6",
+    "/usr/lib64/libc.so.6",
+    "/lib/libc.so.6",
+  ].freeze
+
   SPAN_ALLOWCLASSES = [
     Socket,
     BasicSocket,
@@ -79,6 +90,7 @@ module Vivarium
   EVENT_SEVERITY_HIGH = %w[
     capable_check bprm_creds setid_change task_kill
     ptrace_check sb_mount kernel_read_file
+    dlopen
   ].freeze
 
   CAPABILITY_NAMES = {
@@ -463,6 +475,8 @@ module Vivarium
     when "ssl_write"
       decoded = decode_ssl_write_payload(event.payload)
       "data_len=#{decoded[:data_len]} cap_len=#{decoded[:cap_len]}"
+    when "dlopen", "mmap_exec"
+      strip_to_first_null(event.payload).inspect
     else
       strip_to_first_null(event.payload).inspect
     end
@@ -619,12 +633,14 @@ module Vivarium
         u32 tid;
         char event_name[16];
         char payload[#{EVENT_PAYLOAD_SIZE}];
+        u64 dropped_since_last;
       };
 
       BPF_HASH(config_root_targets, u32, u8, 1024);
       BPF_HASH(config_spawned_targets, u32, u8, 8192);
       BPF_HASH(dns_connected_tids, u32, u8, 8192);
       BPF_RINGBUF_OUTPUT(events, #{EVENTS_RINGBUF_PAGES});
+      BPF_ARRAY(drop_counter, u64, 1);
 
       static __always_inline int target_enabled(u32 pid, u32 tid)
       {
@@ -666,14 +682,27 @@ module Vivarium
 
       static __always_inline void submit_event(struct event_t *src)
       {
+        u32 key = 0;
+        u64 *cnt;
+
         struct event_t *ev = events.ringbuf_reserve(sizeof(struct event_t));
         if (!ev) {
+          cnt = drop_counter.lookup(&key);
+          if (cnt) {
+            __sync_fetch_and_add(cnt, 1);
+          }
           return;
         }
 
         __builtin_memcpy(ev, src, sizeof(*ev));
         ev->ktime_ns = bpf_ktime_get_ns();
         ev->tid = (u32)bpf_get_current_pid_tgid();
+        ev->dropped_since_last = 0;
+
+        cnt = drop_counter.lookup(&key);
+        if (cnt && *cnt > 0) {
+          ev->dropped_since_last = __sync_lock_test_and_set(cnt, 0);
+        }
 
         events.ringbuf_submit(ev, 0);
       }
@@ -807,6 +836,39 @@ module Vivarium
         return 0;
       }
 
+      LSM_PROBE(mmap_file, struct file *file, unsigned long reqprot,
+                unsigned long prot, unsigned long flags)
+      {
+        if (!file) {
+          return 0;
+        }
+        if (!((prot | reqprot) & 0x04)) {   /* PROT_EXEC */
+          return 0;
+        }
+
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        int path_ret;
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "mmap_exec", 10);
+
+        path_ret = bpf_d_path(&file->f_path, ev.payload, sizeof(ev.payload));
+        if (path_ret < 0) {
+          if (ev.payload[0] == 0) {
+            __builtin_memcpy(ev.payload, "<path_error>", 13);
+          }
+        }
+
+        submit_event(&ev);
+        return 0;
+      }
+
       LSM_PROBE(socket_create, int family, int type, int protocol, int kern)
       {
         u64 pid_tgid = bpf_get_current_pid_tgid();
@@ -1412,6 +1474,32 @@ module Vivarium
         return 0;
       }
 
+      int on_dlopen(struct pt_regs *ctx)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+
+        const char *filename = (const char *)PT_REGS_PARM1(ctx);
+        if (!filename) {
+          return 0;
+        }
+
+        struct event_t ev = {};
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "dlopen", 7);
+
+        if (bpf_probe_read_user_str(ev.payload, sizeof(ev.payload), filename) < 0) {
+          __builtin_memcpy(ev.payload, "<path_error>", 13);
+        }
+
+        submit_event(&ev);
+        return 0;
+      }
+
       int on_span_raise(struct pt_regs *ctx)
       {
         u64 pid_tgid = bpf_get_current_pid_tgid();
@@ -1443,10 +1531,13 @@ module Vivarium
       }
     CLANG
 
-    def initialize(pin_dir: Vivarium.bpf_pin_dir, ssl_trace: true, libssl_path: nil)
-      @pin_dir = pin_dir
-      @ssl_trace = ssl_trace
-      @libssl_path = libssl_path
+    def initialize(pin_dir: Vivarium.bpf_pin_dir, ssl_trace: true, libssl_path: nil,
+                   dlopen_trace: true, libc_path: nil)
+      @pin_dir      = pin_dir
+      @ssl_trace    = ssl_trace
+      @libssl_path  = libssl_path
+      @dlopen_trace = dlopen_trace
+      @libc_path    = libc_path
     end
 
     def run
@@ -1459,6 +1550,7 @@ module Vivarium
         .gsub("__VIVARIUM_F_PATH_OFFSET__", f_path_offset.to_s)
         .gsub("__VIVARIUM_DENTRY_D_NAME_OFFSET__", d_name_offset.to_s)
 
+      require "vivarium_usdt"
       usdt_so_path = ENV.fetch("VIVARIUM_USDT_SO_PATH") { Vivarium.locate_vivarium_usdt_so }
       usdt = RbBCC::USDT.new(path: usdt_so_path)
       usdt.enable_probe(probe: "start_probe", fn_name: "on_span_start")
@@ -1468,6 +1560,7 @@ module Vivarium
       bpf = RbBCC::BCC.new(text: program, usdt_contexts: [usdt])
 
       attach_ssl_write_uprobe(bpf) if @ssl_trace
+      attach_dlopen_uprobe(bpf) if @dlopen_trace
 
       config_root_targets = bpf["config_root_targets"]
       config_spawned_targets = bpf["config_spawned_targets"]
@@ -1526,6 +1619,39 @@ module Vivarium
       LIBSSL_SEARCH_PATHS.find { |p| File.exist?(p) }
     end
 
+    def attach_dlopen_uprobe(bpf)
+      path = resolve_libc_path
+      unless path
+        warn "[vivariumd] libc not found; dlopen uprobe disabled " \
+             "(set --libc PATH or VIVARIUM_LIBC_PATH to override)"
+        return
+      end
+
+      bpf.attach_uprobe(name: path, sym: "dlopen", fn_name: "on_dlopen")
+      puts "[vivariumd] dlopen uprobe attached via #{path}"
+    rescue StandardError => e
+      warn "[vivariumd] dlopen uprobe attach failed: #{e.class}: #{e.message}"
+    end
+
+    def resolve_libc_path
+      if @libc_path
+        return @libc_path if File.exist?(@libc_path)
+
+        warn "[vivariumd] --libc path does not exist: #{@libc_path}"
+        return nil
+      end
+
+      env_path = ENV["VIVARIUM_LIBC_PATH"]
+      if env_path && !env_path.empty?
+        return env_path if File.exist?(env_path)
+
+        warn "[vivariumd] VIVARIUM_LIBC_PATH does not exist: #{env_path}"
+        return nil
+      end
+
+      LIBC_SEARCH_PATHS.find { |p| File.exist?(p) }
+    end
+
     def ensure_root!
       return if Process.uid.zero?
 
@@ -1794,9 +1920,11 @@ module Vivarium
   end
 
   def self.run_daemon!(argv = ARGV)
-    options = { pin_dir: bpf_pin_dir, ssl_trace: true, libssl_path: nil }
+    options = { pin_dir: bpf_pin_dir, ssl_trace: true, libssl_path: nil,
+                dlopen_trace: true, libc_path: nil }
     OptionParser.new do |opts|
-      opts.banner = "Usage: vivariumd [--pin-dir PATH] [--no-ssl-trace] [--libssl PATH]"
+      opts.banner = "Usage: vivariumd [--pin-dir PATH] [--no-ssl-trace] [--libssl PATH] " \
+                    "[--no-dlopen-trace] [--libc PATH]"
       opts.on("--pin-dir PATH", "Pinned map directory") { |v| options[:pin_dir] = v }
       opts.on("--[no-]ssl-trace", "Attach OpenSSL SSL_write uprobe (default: enabled)") do |v|
         options[:ssl_trace] = v
@@ -1804,12 +1932,20 @@ module Vivarium
       opts.on("--libssl PATH", "Path to libssl.so to attach SSL_write to") do |v|
         options[:libssl_path] = v
       end
+      opts.on("--[no-]dlopen-trace", "Attach libc dlopen uprobe (default: enabled)") do |v|
+        options[:dlopen_trace] = v
+      end
+      opts.on("--libc PATH", "Path to libc.so for dlopen uprobe") do |v|
+        options[:libc_path] = v
+      end
     end.parse!(argv)
 
     Daemon.new(
       pin_dir: options[:pin_dir],
       ssl_trace: options[:ssl_trace],
-      libssl_path: options[:libssl_path]
+      libssl_path: options[:libssl_path],
+      dlopen_trace: options[:dlopen_trace],
+      libc_path: options[:libc_path]
     ).run
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: vivarium
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.3.2
 platform: ruby
 authors:
 - Uchio Kondo
@@ -64,6 +64,8 @@ files:
 - CONTEXT.md
 - README.md
 - Rakefile
+- examples/dlopen_demo.rb
+- examples/drop_demo.rb
 - examples/execve_demo.rb
 - examples/file_operation_demo.rb
 - examples/network_client_demo.rb