Honeypots mailing list archives
Systrace 1.6: Phoenix Release
From: "Niels Provos" <provos () citi umich edu>
Date: Thu, 23 Mar 2006 23:06:12 -0800
If you are running a honeypot on Linux, this is something that might be of interest to you. Systrace on Linux without requiring kernel changes.

---------- Forwarded message ----------
From: Niels Provos <provos () citi umich edu>
Date: Mar 23, 2006 11:03 PM
Subject: Systrace 1.6: Phoenix Release
To: systrace () systrace org

Hi,

It has been over three years since I originally released Systrace and I am happy to announce Systrace 1.6: Phoenix Release.

Although Systrace has been integrated into OpenBSD and NetBSD, adoption by Linux has been hindered due to difficulties of getting our system call interposition interface integrated into the kernel. I recently took some time to implement a Ptrace-based backend for Systrace to make at least some of its features available to Linux users who do not want to patch their kernel. Although it's not complete yet, many applications work fine with it.

Systrace enforces system call policies for applications by constraining the application's access to the system. Policy is generated interactively, automatically or magically. Systrace is not a MAC-system. Its purpose is to allow users to run untrusted applications like the latest malware collected by your honeypot.

A quick reminder of what Systrace provides:
- confinement of complex or untrusted binary applications.
- interactive policy generation with graphical user interface.
- support for different emulations: GNU/Linux, BSDI, etc.
- non-interactive policy enforcement.
- remote monitoring and intrusion detection.
- automatic policy generation.

Here is what a ptrace-based backend cannot provide:
- tight security: a clever attacker can escape some of the sandbox by using cooperating threads to bypass the monitor.
- performance: ptrace is very slow compared to native Systrace support in the kernel.
- transparency: ptrace is very intrusive. Child status waiting, process groups, signal masking, etc. need to be emulated in userland. Yuck.
- privilege elevation: not possible with ptrace.
- running binaries under emulation.

In any case, give Systrace a spin. If you like it, install Marius Eriksen's excellent kernel patches for Linux.

You can find more information at
http://www.citi.umich.edu/u/provos/systrace/
http://www.citi.umich.edu/u/provos/systrace/linux.html

Regards,
Niels Provos.
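To make the mechanism behind the ptrace backend concrete, here is a minimal system call policy monitor written for this archive page as an added illustration; it is not Systrace's code and does not use Systrace's policy language. It assumes x86-64 Linux (the `orig_rax`/`rax` register names), a simplified policy model of one decision per syscall number plus a default (`policy_lookup`, `run_confined` and `sample_rules` are names chosen here), and it deliberately traces only the initial process, which is exactly the "cooperating threads" gap the announcement describes: a task created by a permitted clone or fork runs unmonitored unless the monitor also follows it.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed, simplified policy model: one decision per syscall number plus a
 * default. Systrace's own policy file format is not reproduced here. */
enum decision { DENY = 0, PERMIT = 1 };
struct rule { long nr; enum decision d; };

/* Constructed sample policy: default permit, but refuse the syscalls that
 * delete, rename or create directory entries and that open network sockets.
 * clone/fork are left permitted on purpose to show the limitation: the new
 * task is NOT traced here (no PTRACE_O_TRACECLONE/TRACEFORK), so anything it
 * does is invisible to this monitor. A real monitor must trace every task. */
static const struct rule sample_rules[] = {
    { SYS_unlink,   DENY }, { SYS_unlinkat, DENY },
    { SYS_rename,   DENY }, { SYS_mkdir,    DENY },
    { SYS_socket,   DENY }, { SYS_connect,  DENY },
};
static const size_t sample_nrules = sizeof sample_rules / sizeof sample_rules[0];

/* First matching rule wins; otherwise the default applies. */
enum decision policy_lookup(const struct rule *rules, size_t n, long nr,
                            enum decision dflt)
{
    for (size_t i = 0; i < n; i++)
        if (rules[i].nr == nr)
            return rules[i].d;
    return dflt;
}

/* Run argv[] under ptrace, stopping at every syscall entry and exit.
 * A denied syscall has its number rewritten to -1 at entry, so the kernel
 * performs no work, and its return value rewritten to -EPERM at exit, which
 * is the error the confined program observes. Returns the child's exit
 * status, or -1 if it died from a signal or tracing failed. */
int run_confined(char *const argv[], const struct rule *rules, size_t n,
                 enum decision dflt, int *denied_count)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(127);
        raise(SIGSTOP);            /* let the parent set options before exec */
        execvp(argv[0], argv);
        _exit(127);
    }
    int status, in_syscall = 0, pending_deny = 0, sig = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    /* SYSGOOD tags syscall-stops with SIGTRAP|0x80 so they can be told
     * apart from real signals delivered to the child. */
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD) < 0)
        return -1;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) < 0) return -1;
        sig = 0;
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status))   return WEXITSTATUS(status);
        if (WIFSIGNALED(status)) return -1;
        if (!WIFSTOPPED(status)) continue;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) {
            /* A real signal: re-deliver it, except the plain SIGTRAP the
             * kernel sends to a traced process after a successful execve. */
            sig = (WSTOPSIG(status) == SIGTRAP) ? 0 : WSTOPSIG(status);
            continue;
        }
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0) return -1;
        if (!in_syscall) {                       /* syscall entry */
            long nr = (long)regs.orig_rax;
            if (policy_lookup(rules, n, nr, dflt) == DENY) {
                fprintf(stderr, "monitor: denied syscall %ld\n", nr);
                regs.orig_rax = (unsigned long long)-1L;
                ptrace(PTRACE_SETREGS, pid, NULL, &regs);
                pending_deny = 1;
                if (denied_count) (*denied_count)++;
            }
        } else if (pending_deny) {               /* exit of a denied call */
            regs.rax = (unsigned long long)(long)-EPERM;
            ptrace(PTRACE_SETREGS, pid, NULL, &regs);
            pending_deny = 0;
        }
        in_syscall = !in_syscall;
    }
}

int main(int argc, char *argv[])
{
    if (argc < 2) { fprintf(stderr, "usage: %s prog [args...]\n", argv[0]); return 2; }
    int denied = 0;
    int rc = run_confined(argv + 1, sample_rules, sample_nrules, PERMIT, &denied);
    printf("child exit status %d, %d syscall(s) denied\n", rc, denied);
    return rc < 0 ? 1 : 0;
}
```

Running `./monitor rm /tmp/somefile` makes `rm` report "Operation not permitted" while `./monitor touch /tmp/somefile` succeeds, which shows the two halves of the interposition: the decision taken at syscall entry and the error injected at syscall exit. The two stops per syscall, the re-delivery of real signals, and the execve SIGTRAP special case are the userland emulation the announcement calls intrusive, and the untraced child tasks are why it calls the result less than tight security.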