Re: Detecting abnormal behaviour

[Martin Mačok <martin.macok () underground cz>]

On Sun, Mar 23, 2003 at 05:20:47PM -0500, Jose Nazario wrote:

> have a look at systrace. you can block or log with pass arbitrary syscalls
> tied to program names.
>
>       http://www.citi.umich.edu/u/provos/systrace/linux.html
>
> for reference, various people have looked at the idea of tracking syscall
> paths as a method to detect anomalies. systrace is currently stateless,
> but with some work it could be made stateful. its just hard to express a
> directed graph of syscalls.

Or try subterfugue:

It uses ptrace(2) to do the job and it's written (mostly) in Python.
It is a framework for syscall tracking modules (Tricks) which can be
written in Python in a very simple way (a class with callbefore(pid,
call, args...) and callafter(pid, call, args) methods). More Tricks can
be load at a time and work in FI-FO order around syscalls (LI-FO). It
can do anything with it's args or with the result of the call
(including killing it of course and (experimental?) support for
syscall inserting and restarting syscalls).

Works in Linux 2.2.x and 2.4.x (better), Python 2.1 and lower (Debian
has 2.2+ port?)

Written by Mike Coleman and Pavel Machek. It's free (GPL).

For more, see:
http://subterfugue.org/

I have made stateful tracking Trick to subterfugue recently.

It's in current CVS, not much tested and whole subterfugue itself
seems a bit experimental still (and has some unresolved issues), but
for some tasks seems to work pretty good.

StateTrick provides different syscall restrictions/environment in
different parts of the process execution history. Those parts (states)
are defined through stateful automaton working with (syscall,args). It
can also load other Tricks and enable them in different states. It's
currently not much documented and well tested, but can be downloaded
from current CVS.

$ sf -h -t State
This is subterfugue.  It is used to play various specified tricks on a command.

usage: sf [OPTIONS]... [<COMMAND> [<COMMAND-OPTIONS>...]]

-t, --trick=TRICK[:OPTIONS]     use TRICK with OPTIONS
-o, --output=FILE               direct sf output to FILE
-o, --output=N                  direct sf output to file descriptor N
-d, --debug                     show debugging output
-n, --failnice                  allow kids to live on if sf aborts
-h, --help                      output help, including for TRICKs, and exit
-V, --version                   output version information and exit

--waitchannelhack               enable kludge (required for unpatched
                                2.3.99-2.4.0test9)
--slowmainloop                  disable fast C loop (for debugging)
--nowall                        run w/o wait __WALL flag (bogus 2.2 support)

        StateTrick can change program's execution restrictions dynamically
        according to program's execution history. It can also load other tricks
        and disable/enable them at runtime. When program calls syscall that
        is not allowed in current state, it is killed and the state and
        call(args) are reported.

        options:
            config = filename       ... state machine configuration file
            verbose = <n>           ... verbosity, default = 0
        
        example:
            $ sf -t State:'config = State.conf' naughty_app
        
        Configuration file syntax: <mandatory> [voluntary]
        # comment
        IGNORE <syscall_name> [<syscall_name2> [...]]
        WATCH <syscall_name> [<syscall_name2> [...]]
        DEFINE <trick_name> <trick>
        STATE <state_name>
        TRICKS <trick_name> [<trick_name2> [...]]
        <syscall_name>([args]) [-> <new_state_name> [-> <fork_child_state>]]

        Configuration file example:
        ---------------------------
        # define Tricks
        DEFINE TRACE Trace
        DEFINE TRACEFS Trace:call=["open", "close", "read", "fstat64"]
        DEFINE COUNT Count
        
        # ignore those calls (allowed, won't change states)
        # IGNORE brk fstat64
        
        # define state, 'START' is implicit
        STATE START
        # those tricks will be enabled (active) in this state
        TRICKS TRACE COUNT
        # define calls allowed in this state
        uname()
        # regexp ([a-z] works), but '*' means '[^/]*' and '.' means '\.'
        open(/etc/ld.so.*,0,)
        open(/lib/libc*,0,)
        mmap(-1073749156)
        # munmap will change program's state to state 'FORKING'
        munmap() -> FORKING
        # other syscalls than those defined above are not allowed in START
        # (IGNORED and not WATCHED are allowed too)

        # define new state, no tricks enabled here
        STATE FORKING
        # parent will go to state FORKED, child goes to state CHILD
        fork() -> FORKED -> CHILD

        STATE FORKED
        mmap()
        wait4()
        munmap() -> FINISH
        
        STATE CHILD
        TRICKS TRACEFS
        mmap()
        write()
        munmap() -> FINISH
        
        STATE FINISH
        _exit()
        ----------------------------
        TODO: more documentation

-- 
         Martin Mačok                 http://underground.cz/
   martin.macok () underground cz        http://Xtrmntr.org/ORBman/