Systrace - Frequently Asked Questions

Center for Information Technology Integration Systrace - Frequently Asked Questions

Systrace - Frequently Asked Questions The following questions often arise in the context of Systrace and system call interposition/interception. Frequent Arguments Against System Call Interposition Previous research argues against the use of system call interposition because of inherent limitations. The most frequently cited paper to back up this argument is: Spencer R., Smalley S., Loscocco P., Hibler M., Andersen D., and Lepreau J., "The Flask Security Architecture: System Support for Diverse Security Policies", In Proc. of the Eighth USENIX Security Symposium, pages 123--139, July 1999. It mentions the following problems: Issues of aliasing, multi-component lookups, and preserving the tranquility of the name-to-object mapping from the time-of-check to the time-of-use. In practice, aliasing means that different filenames map to the same file in the filesystem. In Unix, this is possible with symbolic or hard links. Hard links have the restriction that they may not cross mount points. Systrace address this problem with argument normalization. Every filename gets resolved in such a way that the filename is absolute and does not contain symbolic links. The time-of-check is not the time-of-use argument can be addressed in a similar fashion. After normalization and policy decision, an adversary may try to change a component of the normalized filename to a symbolic link to change the name-to-file mapping. This could cause the kernel to take a different action than authorized by policy. Because Systrace passes a filename to the kernel that is assumed to be free of symbolic links, we instruct the operating system to forbid monitored applications to follow symbolic links altogether. [Back]

Questions and Comments:

Last modified: Sat Mar 29 01:38:23 EST 2003

You can keep me happy while hacking by reducing my Wishlists: Books, Music