It's been a while since my last post to Bugtraq and it's been over
three years since I first announced Systrace. Here is:
Systrace 1.6: Phoenix Release
You all know that Systrace ships by default with OpenBSD and NetBSD.
However, Linux adoption has been hindered by our inability to get
our system call interposition interface integrated into the
kernel. To make at least some of Systrace available to users who do
not want to patch their kernel, I recently took some time to implement
a ptrace-based backend. It's not complete yet, but it does not require
any kernel changes and many applications work just fine with it.
A quick reminder of what Systrace provides:
- confinement of complex or untrusted binary applications.
- interactive policy generation with graphical user interface.
- support for different emulations: GNU/Linux, BSDI, etc.
- non-interactive policy enforcement.
- remote monitoring and intrusion detection.
- automatic policy generation.
- privilege elevation: no more suid binaries on your system.
Just to be clear: Systrace is not, and does not want to be, a MAC system.
However, it works great for securing your honeypot, experimenting
with malware, removing suid binaries from your system, etc.
Here is what a ptrace-based backend cannot provide:
- tight security: a clever attacker can escape some of the sandbox
by using cooperating threads to bypass the monitor.
- performance: ptrace is very slow compared to native Systrace
support in the kernel.
- transparency: ptrace is very intrusive. child status waiting,
process groups, signal masking, etc. need to be emulated in userland.
- privilege elevation: not possible with ptrace.
- running binaries under emulation.
In any case, give Systrace a spin:
http://www.citi.umich.edu/u/provos/systrace/systrace-1.6.tar.gz - main sandbox
- graphical frontend
You can find more information at
If you like Systrace, install Marius Eriksen's excellent kernel
patches for Linux: