10 October 2002
"Niels Provos: Whatever the heck he wants to talk about." Systrace and its uses in security.

There are no guarantees ... no real measurements.
Assume every system has some exploitable bugs.
Prevent malicious parties from gaining elevated privileges.

Layers of different security mechanisms:
    Network level: firewall, normalizing gateway
    Application level: compiler-based stack protection; privilege separation (OpenSSH)
    Operating system level: non-executable stack or heap
    Application confinement, sandboxing: Systrace

Running untrusted or complex applications may cause a security compromise:
    Evil web pages may cause the browser to send or delete files
    Bugs in an IRC client can be used to install back doors

In Unix, system calls are the gateway to privileged operations.
A successful system compromise is possible only via system calls.
Confinement or sandboxing to restrict the system calls an application may perform.
Goldberg and Wagner's Janus. Drawbacks: policy difficult to define ...

Systrace offers fine-grained confinement for multiple applications with multiple policies.
Systrace intercepts system calls, permits or denies their execution ...

Interactive policy generation:
    Quick and easy generation of policy during ...
    Policy is specified iteratively
    Policy config is human readable and editable
    Very simple language

Intrusion detection: once the policy has been generated, any operation not covered by the policy indicates a security problem.

Automatic policy generation: records all system calls an application executes and generates a policy to cover them.

Automatic policy enforcement: enforces the configured policies; denies and logs policy violations to syslog.

Kernel part small and simple:
    Policies for system calls are deny, permit, or ask
    Information exported via /dev/systrace
    Deny and permit are handled in the kernel: fast path -- no need to ask userland
    Several requests supported (via ioctl)
    If the systrace process dies, all monitored processes receive a SIGKILL from the kernel
    Userland handles more complicated policies and ...

[... and then the slides started moving faster than I could possibly type ...]

System call aliasing prevents policy duplication by grouping "like" system calls under one alias (e.g. stat, open, read).

See http://www.citi.umich.edu/u/provos/systrace/ for more info.
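As an added illustration (not from the talk or the systrace project itself), a small Python evaluator for a constructed policy written in systrace's rule syntax: it assumes a subset of the language (one predicate per rule, the eq/match/true operators, the permit/deny/ask actions and the log flag) and a hypothetical program and paths, and it mirrors the two modes in the notes, asking the user about an uncovered call interactively versus denying and logging it under automatic enforcement.

```python
import fnmatch
import re
from collections import namedtuple
# Constructed policy in systrace's rule syntax (assumed subset: one predicate per rule,
# operators eq/match/true, actions permit/deny/ask, optional "log"). native-fsread and
# native-fswrite are systrace's aliases for filesystem read/write calls; paths are made up.
SAMPLE_POLICY = """\
Policy: /usr/bin/myclient, Emulation: native
    native-fsread: filename eq "/etc/resolv.conf" then permit
    native-fsread: filename match "/usr/lib/*" then permit
    native-fswrite: filename match "/home/user/.myclient/*" then permit
    native-fswrite: filename match "/home/user/.ssh/*" then deny log
    native-connect: sockaddr match "inet-*:6667" then permit
    native-execve: true then deny log
"""
RULE_RE = re.compile(r'^\s*([\w-]+):\s+(.+?)\s+then\s+(permit|deny|ask)(\s+log)?\s*$')
Rule = namedtuple("Rule", "syscall field op value action log")

def parse_policy(text):
    rules = []                      # ordered: the first matching rule wins
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("Policy:"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable rule: %r" % line)
        syscall, pred, action, log = m.groups()
        if pred == "true":          # unconditional rule for this syscall
            rules.append(Rule(syscall, None, "true", None, action, bool(log)))
        else:                       # e.g. filename match "/usr/lib/*"
            field, op, value = pred.split(" ", 2)
            rules.append(Rule(syscall, field, op, value.strip('"'), action, bool(log)))
    return rules

def rule_matches(rule, syscall, args):
    if syscall != rule.syscall:
        return False
    if rule.op == "true":
        return True
    actual = args.get(rule.field)
    if rule.op == "eq":
        return actual == rule.value
    return actual is not None and fnmatch.fnmatchcase(actual, rule.value)  # "match"

def evaluate(rules, syscall, args, enforce=False):
    """First matching rule decides; uncovered: ask interactively, or deny+log when enforcing."""
    for rule in rules:
        if rule_matches(rule, syscall, args):
            return rule.action, rule.log
    return ("deny", True) if enforce else ("ask", False)
```

The denied-and-logged case is the syslog line the notes describe: under an already generated policy, any call that reaches it is the intrusion-detection signal.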