AOH :: HP Unsorted S :: B06-1222.HTM

Systrace 1.6: phoenix release



Systrace 1.6: Phoenix Release
Systrace 1.6: Phoenix Release



It's been a while since my last post to Bugtraq and it's been over
three years since I first announced Systrace.  Here is:

Systrace 1.6: Phoenix Release
---------------------------------------

You all know that Systrace ships by default with OpenBSD and NetBSD. 
However, Linux adoption has been hindered due to our inability of
getting our system call interposition interface integrated into the
kernel.  To make at least some of Systrace available to users who do
not want to patch their kernel, I recently took some time to implement
a Ptrace-based backend.  It's not complete yet but does not require
any kernel changes and many applications work just fine with it.

A quick reminder of what Systrace provides

  - confinement of complex or untrusted binary applications.
  - interactive policy generation with graphical user interface.
  - support for different emulations:
       GNU/Linux, BSDI, etc..
  - non-interactive policy enforcement.
  - remote monitoring and intrusion detection.
  - automatic policy generation.
  - privilege elevation: no more suid binaries on your system

Just to be clear Systrace is not and does not want to be a MAC system.
 However, it works great for securing your honeypot, experimenting
with malware, removing suid binaries from your system, etc.

Here is what a ptrace-based backend cannot provide:
  - tight security: a clever attacker can escape some of the sandbox
by using cooperating threads to bypass the monitor.
  - performance: ptrace is very slow compared to native Systrace
support in the kernel
  - transparency: ptrace is very intrusive.  child status waiting,
process groups, signal masking, etc. need to be emulated in userland. 
Yuck.
  - privilege elevation: not possible with ptrace
  - running binaries under emulation

In any case, give Systrace a spin:

http://www.citi.umich.edu/u/provos/systrace/systrace-1.6.tar.gz - main sandbox 
http://www.citi.umich.edu/u/provos/systrace/gtk-systrace-2003-06-23.tar.gz 
- graphical frontend

You can find more information at

http://www.citi.umich.edu/u/provos/systrace/ 

If you like Systrace, install Marius Eriksen's excellent kernel
patches for Linux:

http://www.citi.umich.edu/u/provos/systrace/linux.html 

Regards,
  Niels Provos.

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.