Systrace
Encyclopedia
Computer security
Computer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to...
utility which limits an application's access to the system by enforcing access policies for system call
System call
In computing, a system call is how a program requests a service from an operating system's kernel. This may include hardware related services , creating and executing new processes, and communicating with integral kernel services...
s. This can mitigate the effects of buffer overflow
Buffer overflow
In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety....
s and other security vulnerabilities. It was developed by Niels Provos
Niels Provos
Niels Provos is a researcher in the areas of secure systems, malware and cryptography. He is currently a Principal Software Engineer at Google. He received his PhD in Computer Science from the University of Michigan....
and runs on various Unix-like
Unix-like
A Unix-like operating system is one that behaves in a manner similar to a Unix system, while not necessarily conforming to or being certified to any version of the Single UNIX Specification....
operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
s.
Systrace is particularly useful when running untrusted or binary-only applications and provides facilities for privilege elevation on a system call basis, helping to eliminate the need for potentially dangerous setuid
Setuid
setuid and setgid are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group...
programs. It also includes interactive and automatic policy generation features, to assist in the creation of a base policy for an application.
, systrace is integrated into OpenBSD
OpenBSD
OpenBSD is a Unix-like computer operating system descended from Berkeley Software Distribution , a Unix derivative developed at the University of California, Berkeley. It was forked from NetBSD by project leader Theo de Raadt in late 1995...
. It is also available for Linux
Linux
Linux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...
and Mac OS X
Mac OS X
Mac OS X is a series of Unix-based operating systems and graphical user interfaces developed, marketed, and sold by Apple Inc. Since 2002, has been included with all new Macintosh computer systems...
, although the OS X port is currently unmaintained. It was removed from NetBSD
NetBSD
NetBSD is a freely available open source version of the Berkeley Software Distribution Unix operating system. It was the second open source BSD descendant to be formally released, after 386BSD, and continues to be actively developed. The NetBSD project is primarily focused on high quality design,...
at the end of 2007 due to several unfixed implementation issues. As of version 1.6f Systrace supports 64-bit Linux.
Features
Systrace supports the following features:- Confines untrusted binary applications: An application is allowed to make only those system calls specified as permitted in the policy. If the application attempts to execute a system call that is not explicitly permitted an alarm gets raised.
- Interactive policy generation with graphical user interface: Policies can be generate interactively via a graphical frontend to Systrace. The frontend shows system calls and their parameters not currently covered by policy and allows the user to refine the policy until it works as expected.
- Supports different emulations: GNU/Linux, BSDI, etc..
- Non-interactive policy enforcement: Once a policy has been trained, automatic policy enforcement can be used to deny all system calls not covered by the current policy. All violations are logged to Syslog. This mode is useful when protecting system services like a web server.
- Remote monitoring and intrusion detection: Systrace supports multiple frontends by using a frontend that makes use of the network, very advanced features are possible.
- Privilege elevation: Using Systrace's privilege elevation mode, it's possible to get rid of setuidSetuidsetuid and setgid are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group...
binaries. A special policy statement allows selected system calls to run with higher privileges, for example, creating a raw socketRaw socketIn computer networking, a raw socket is a socket that allows direct sending and receiving of network packets by applications, bypassing all encapsulation in the networking software of the operating system. Most socket application programming interfaces , especially those based on Berkeley sockets,...
.
Vulnerability history
Systrace is still under development, and has had some vulnerabilities in the past, including:
- Exploiting Concurrency Vulnerabilities in System Call Wrappers Paper by Robert Watson (computer scientist) from the First USENIX Workshop On Offensive Technologies (WOOT07) analyzing system call wrapper races across several wrapper platforms including systrace
- Google Security discovers local privilege escalation in Systrace
- Local root exploit on NetBSD
- Vulnerabilities in systrace