Honeypots mailing list archives

Systrace 1.6: Phoenix Release


From: "Niels Provos" <provos () citi umich edu>
Date: Thu, 23 Mar 2006 23:06:12 -0800

If you are running a honeypot on Linux, this is something that might
be of interest to you.  Systrace on Linux without requiring kernel
changes.

---------- Forwarded message ----------
From: Niels Provos <provos () citi umich edu>
Date: Mar 23, 2006 11:03 PM
Subject: Systrace 1.6: Phoenix Release
To: systrace () systrace org


Hi,

It has been over three years since I originally released Systrace and
I am happy to announce Systrace 1.6: Phoenix Release.

Although Systrace has been integrated into OpenBSD and NetBSD,
adoption by Linux has been hindered due to difficulties of getting our
system call interposition interface integrated into the kernel.  I
recently took some time to implement a Ptrace-based backend for
Systrace to make at least some of its features available to Linux
users who do not want to patch their kernel.  Although it's not
complete yet, many applications work fine with it.

Systrace enforces system call policies for applications by
constraining the application's access to the system.  Policy is
generated interactively, automatically or magically. Systrace is not a
MAC-system.  Its purpose is to allow users to run untrusted
applications like the latest malware collected by your honeypot.

A quick reminder of what Systrace provides

  - confinement of complex or untrusted binary applications.
  - interactive policy generation with graphical user interface.
  - support for different emulations:
       GNU/Linux, BSDI, etc.
  - non-interactive policy enforcement.
  - remote monitoring and intrusion detection.
  - automatic policy generation.

Here is what a ptrace-based backend cannot provide:
  - tight security: a clever attacker can escape some of the sandbox
    by using cooperating threads to bypass the monitor.
  - performance: ptrace is very slow compared to native Systrace support
    in the kernel.
  - transparency: ptrace is very intrusive.  child status waiting, process
    groups, signal masking, etc. need to be emulated in userland.  Yuck.
  - privilege elevation: not possible with ptrace
  - running binaries under emulation

In any case, give Systrace a spin.  If you like it, install Marius
Eriksen's excellent kernel patches for Linux.

You can find more information at

  http://www.citi.umich.edu/u/provos/systrace/
  http://www.citi.umich.edu/u/provos/systrace/linux.html

Regards,
  Niels Provos.
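The announcement above describes a ptrace-based backend that interposes on system calls from userland, and warns that it cannot give tight security because a cooperating thread can race the monitor. The following is an added example, not code from the original post or from Systrace itself: a minimal ptrace monitor that stops the tracee at every system call, reads the pathname argument of open(2)/openat(2) out of the tracee's memory, checks it against a policy, and turns a forbidden call into an invalid system call so the kernel does nothing and the tracee sees EPERM. It assumes Linux on x86-64 with glibc (register names and PTRACE_GETREGS are architecture specific), and the policy is a hypothetical prefix allow-list standing in for a real Systrace policy file.

```c
/* Added example: a minimal ptrace-based system call monitor in the spirit of
 * Systrace's Linux backend.  Not Systrace's own code; Linux x86-64 only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical one-line policy standing in for a Systrace policy file:
 * opens are permitted only for paths under this prefix. */
static const char *ALLOWED_PREFIX = "/etc/host";

int policy_permits(const char *path) {
    return strncmp(path, ALLOWED_PREFIX, strlen(ALLOWED_PREFIX)) == 0;
}

/* Copy a NUL-terminated string out of the tracee's address space, one word
 * at a time.  This is the monitor's own copy: the kernel copies the string
 * again when it executes the call, and a cooperating thread in the tracee can
 * change the bytes in between.  That is the race the announcement warns about. */
static void peek_string(pid_t pid, unsigned long addr, char *out, size_t max) {
    size_t n = 0;
    while (n + sizeof(long) <= max) {
        errno = 0;
        long w = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + n), NULL);
        if (w == -1 && errno != 0) break;
        memcpy(out + n, &w, sizeof(long));
        if (memchr(&w, 0, sizeof(long)) != NULL) return;
        n += sizeof(long);
    }
    out[n < max ? n : max - 1] = '\0';
}

/* Run the tracee until it exits, enforcing the policy on open/openat.
 * Returns the number of denied calls (or -1 on a tracing error) and stores
 * the tracee's exit code in *exit_code. */
int monitor(pid_t pid, int *exit_code) {
    int status, sig = 0, denied = 0, in_syscall = 0, deny_this = 0;
    *exit_code = -1;
    /* The tracee stops itself with SIGSTOP right after PTRACE_TRACEME. */
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD) < 0)
        return -1;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) < 0) return -1;
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status)) { *exit_code = WEXITSTATUS(status); return denied; }
        if (WIFSIGNALED(status) || !WIFSTOPPED(status)) return -1;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) {  /* ordinary signal: deliver it */
            sig = WSTOPSIG(status);
            continue;
        }
        sig = 0;
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0) return -1;
        if (!in_syscall) {                             /* syscall entry stop */
            in_syscall = 1;
            deny_this = 0;
            unsigned long pathaddr = 0;
            if (regs.orig_rax == SYS_openat) pathaddr = regs.rsi;
#ifdef SYS_open
            else if (regs.orig_rax == SYS_open) pathaddr = regs.rdi;
#endif
            if (pathaddr != 0) {
                char path[256];
                peek_string(pid, pathaddr, path, sizeof path);
                if (!policy_permits(path)) {
                    /* Deny: replace the syscall number with an invalid one so the
                     * kernel performs no action; the result is fixed up on exit. */
                    regs.orig_rax = (unsigned long long)-1;
                    if (ptrace(PTRACE_SETREGS, pid, NULL, &regs) < 0) return -1;
                    deny_this = 1;
                    denied++;
                }
            }
        } else {                                       /* syscall exit stop */
            in_syscall = 0;
            if (deny_this) {
                regs.rax = (unsigned long long)-EPERM; /* tracee sees -1 / EPERM */
                if (ptrace(PTRACE_SETREGS, pid, NULL, &regs) < 0) return -1;
            }
        }
    }
}

/* The confined workload: one permitted and one forbidden open.  Exits 0 only
 * if the forbidden open was turned into EPERM by the monitor. */
static void confined_child(void) {
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(2);
    raise(SIGSTOP);
    int ok = open("/etc/hostname", O_RDONLY);  /* permitted (may still fail with ENOENT) */
    if (ok >= 0) close(ok);
    int bad = open("/etc/passwd", O_RDONLY);   /* forbidden: expect -1 / EPERM */
    _exit(bad == -1 && errno == EPERM ? 0 : 1);
}

/* Fork the workload under the monitor.  Returns the number of denied opens,
 * or -1 if tracing failed or the tracee did not observe EPERM. */
int run_confined(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) confined_child();
    int exit_code;
    int denied = monitor(pid, &exit_code);
    return (denied >= 0 && exit_code == 0) ? denied : -1;
}

int main(void) {
    int denied = run_confined();
    printf("denied opens: %d\n", denied);
    return denied == 1 ? 0 : 1;
}
```

The two caveats from the announcement are visible in the code: every system call costs two stops and several ptrace round trips, which is the performance cost, and the path is read by peek_string before the kernel reads it itself, so a second thread rewriting the buffer after the check passes can open a file the policy would have denied.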

