Translation: [ES] [IT]
   Center for Information Technology Integration   
Systrace - Interactive Policy Generation for System Calls
  
 

Check out the Systrace Blog.

Systrace - Interactive Policy Generation for System Calls

Systrace enforces system call policies for applications by constraining the application's access to the system. The policy is generated interactively. Operations not covered by the policy raise an alarm, allowing an user to refine the currently configured policy.

For complicated applications, it is difficult to know the correct policy before running them. Initially, Systrace notifies the user about all system calls that an application tries to execute. The user configures a policy for the specific system call that caused the warning. After a few minutes, a policy is generated that allows the application to run without any warnings. However, events that are not covered still generate a warning. Normally, that is an indication of a security problem. Systrace improves cyber security by providing intrusion prevention.

Alternatively, policies can be learned automatically. In many instances, the automatically learned policies can be used for sandboxing immediately. Sometimes, minimal manual post-processing is necessary.

With Systrace, untrusted binary applications can be sandboxed. Their access to the system can be restricted almost arbitrarily. Sandboxing applications that are available only as binaries is only sensible, as it is not possible to directly analyze what they are designed to do. However, constraining the system calls that large open-source applications are allowed to execute is useful too, as it is very difficult to determine their correctness.

System call arguments can be rewritten dynamically. This effects a virtual chroot for the sandboxed application. It also prevents race conditions in the argument evaluation.

[Answers to some frequently asked questions]

 

 Features

  • Confines untrusted binary applications.
  • Interactive Policy Generation with Graphical User Interface.
  • Supports different emulations:
    • GNU/Linux, BSDI, etc..
  • System Call Argument Rewriting.
  • Non-interactive Policy Enforcement.
  • Remote Monitoring and Intrusion Detection.
  • Privilege Elevation: Add-on capabilities.
 

Intrusion Detection

With Systrace, it is possible to monitor daemons on remote machines and generate warnings at a central location. As these warnings indicate operations not covered by existing policy, it is possible to detect intrusions and prevent them from succeeding. For example, a web server or ftp server can be monitored that way.

Non-Interactive Policy Enforcement

Once a policy has been generated, Systrace can enforce it automatically without user interaction. System calls not covered by the existing policy are denied. For example, a shell provider can enforce policy of user shells and executed commands with Systrace.

Privilege Elevation

Using the privilege elevation feature of Systrace, it is possible to completely remove the need of setuid or setgid binaries.

Instead, Systrace executes the application without privileges and only elevates them to the desired level when required. For example,

        native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_RAW" then permit as root
        native-bind: sockaddr eq "inet-[0.0.0.0]:22" then permit as root
	native-fsread: filename eq "/dev/kmem" then permit as :kmem

Systrace elevates the privileges precisely for the operations that require them. As a result, we get as fine-grained capabilities as possible and the privileged code path is reduced extremely. In combination with dynamic predicates, it is possible to allow an unprivileged application to bind to a reserved port exactly once, etc.

Policy Example

The following example illustrates a simple policy for the ls binary. If ls attempts to list files in /etc, Systrace disallows the access and /etc does not seem to exist. Listing the contents of /tmp works normally, but trying to ls /var generates a warning.
Policy: /bin/ls, Emulation: native
        native-munmap: permit
[...]
        native-stat: permit
        native-fsread: filename match "/usr/*" then permit
        native-fsread: filename eq "/tmp" then permit
        native-fsread: filename eq "/etc" then deny[enotdir]
        native-fchdir: permit
        native-fstat: permit
        native-fcntl: permit
[...]
        native-close: permit
        native-write: permit
        native-exit: permit

Systrace supports multiple applications with multiple policies. Policies can be switched on execve.

Screenshots

A web browser tries to access the password database. Monitoring the system calls in a web browser is reasonable, as it is exposed to potentially hostile web pages that try to exploit programming errors in the browser.   Systrace may also be used to prevent damage from trojaned software distributions. In this example, Systrace detects a Trojan in the configure script contained in a malicious fragroute distribution.
 
   

Download

Systrace is distributed under a BSD-style license and has been integrated into NetBSD, OpenBSD and OpenDarwin. NetBSD-current contains the most recent Systrace source code. You can use AnonCVS to access it. At the moment, systrace supports native and Linux binaries.

Ports

  • GNU/Linux port is finished and kernel patch is maintained actively by Marius Eriksen. Can be run without kernel changes using the ptrace backend.
  • Mac OS X port is almost complete; currently unmaintained due to lack of hardware.
  • FreeBSD port by Rich Murphey; in progress.

Source Code

  • systrace-1.6f.tar.gz [gpg sig] - 2009-01-05
    • prevent a 32-bit program from mapping in 64-bit system calls; from Chris Evans
    • support 64-bit Linux on ptrace
  • systrace-1.6e.tar.gz - 2007-12-18
    • potential escape of socket aliases and double free; from Tavis Ormandy
    • fixed a problem with fork and ptrace; from Tavis Ormandy (CVE-2007-4773)
  • systrace-1.6d.tar.gz [gpg sig] [i386 deb] - 2006-04-23
    • more system call translations.
    • ptrace: fixed issues with zombies sticking around.
  • systrace-1.6c.tar.gz [gpg sig] [i386 deb] - 2006-04-08
    • Ptrace: some more work for older 2.4 kernels.
    • added translations for chflags, mmap and mprotect.
  • systrace-1.6b.tar.gz [gpg sig] - 2006-04-06
    • Ptrace: make it work on older 2.4 kernels.
    • Ptrace: Detect when headers and kernel are out of sync.
  • systrace-1.6a.tar.gz [gpg sig] - 2006-03-26
    • Ptrace: support for multi-threading.
    • Ptrace: small performance improvement.
    • Ptrace: avoid crashing kernels due to ptrace kernel bug.
  • systrace-1.6.tar.gz [gpg sig] - 2006-03-24
    • Ptrace option for Linux to run without kernel changes.
  • usr-systrace-2004-01-26 [gpg sig] - Snapshot of systrace userland. (Darwin, Linux, NetBSD, OpenBSD) - 2004-01-26
    • Bunch of features including complete policy updates.
  • usr-systrace-2003-06-23 - Snapshot of systrace userland. (Darwin, Linux, NetBSD, OpenBSD) - 2003-06-23
    • UI detaching and multiplexing.
    • Allows for escaping of special characters.
    • Support for prompt directive.
    • Freeing of old policies, requires kernel patch for OpenBSD.
  • gtk-systrace-2003-06-23 [i386 deb] - GTK Systrace front end invoked by systrace. Install it as /usr/X11R6/bin/xsystrace
  • systrace templates - Templates for NetBSD/OpenBSD to facilitate policy generation. - 2002-11-22
 
You need to install the systrace userland. The gtk frontend is required only for graphical policy generation.

References

Sample Policies

  • httpd - Apache Web Server
  • gaim - GTK AOL Instant Messenger
  • konq-e - Konquerer Embedded
  • mplayer - Movie Player

Links

Systrace in the Press

Acknowledgements

Thanks to Dug Song and Perry Metzger for helpful discussions and suggestions.

 

 

Questions and Comments:
Niels Provos
Last modified: Mon Jan 5 17:27:24 PST 2009
  You can keep me happy while hacking by reducing my Wishlists: Books, Music
[Get Opera!]