Systrace

The call for papers for the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '10) Botnets, Spyware, Worms, and More just went out. It will be held on April 27, 2010 in San Jose, CA.

LEET '10 will be co-located with the 7th USENIX Symposium on Networked Systems Design and Implementation (NSDI '10), which will take place April 28–30, 2010.

Important Dates

• Submissions due: Thursday, February 25, 2010, 11:59 p.m. PST
• Notification of acceptance: Wednesday, March 24, 2010
• Final papers due: Monday, April 5, 2010

Workshop Organizers
Program Chair

• Michael Bailey, University of Michigan

Program Committee

• Dan Boneh, Stanford University
• Nick Feamster, Georgia Institute of Technology
• Jaeyeon Jung, Intel Labs, Seattle
• Christian Kreibich, International Computer Science Institute
• Patrick McDaniel, Pennsylvania State University
• Fabian Monrose, University of North Carolina, Chapel Hill
• Jose Nazario, Arbor Networks, Inc.
• Stefan Savage, University of California, San Diego
• Matt Williamson, AVG Technologies
• Yinglian Xie, Microsoft Research
• Vinod Yegneswaran, SRI International

Go submit your work!

WOOT is the Workshop on Offensive Technologies. This year, it's being held for the third time and the call for papers just came out. Submissions are solicited for a variety of interesting topics including:

• Vulnerability research (software auditing, reverse engineering)
• Exploit techniques and automation
• Malware design and implementation (rootkits, viruses, bots, worms)

The last two years were a lot of fun and this years organizers are an eclectic bunch of well known folks. If you have anything in the works, go submit it and we will see you at the workshop.

This release contains a number of small bug fixes:

- 32-bit compilation has been fixed
- 32-bit policies are no longer created as Linux64 with running on a 64-bit system

The source code can be downloaded here [sig].

A new version of Systrace that supports 64-bit Linux installations can be downloaded from here. The major changes are support of 64-bit Linux with ptrace as well as 32-bit binaries under a 64-bit system. Let me know if you run into any issues with this.

The CfP for the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '09): Botnets, Spyware, Worms, and More is up at:

http://www.usenix.org/event/leet09/cfp/.

LEET '09 will be held on April 21, 2009 in Boston, MA immediately before the 6th USENIX Symposium on Networked Systems Design and Implementation (NSDI '09), which will take place April 22–24, 2009.

Important Dates

• Submissions due: January 16, 2009, 11:59 p.m. EST
• Notification of acceptance: March 2, 2009
• Electronic files due: March 30, 2009

This will be the second edition of LEET, which had evolved from the combination of two other successful workshops, the ACM Workshop on Recurring Malcode (WORM) and the USENIX Workshop on Hot Topics in Understanding Botnets (HotBots). These two workshops have each dealt with aspects of this problem. However, while papers relating to both worms and botnets are explicitly solicited, LEET has a broader charter than its predecessors. We encourage submissions of papers that focus on any aspect of the underlying mechanisms used to compromise and control hosts, the large-scale "applications" being perpetrated upon this framework, or the social and economic networks driving these threats.

I often use Tor for anonymous web browsing; mostly when investigating malware distribution sites. Most people configure their browser so that it proxies HTTP via Privoxy to the Tor network. At that point, Tor is doing your DNS resolutions and also hides your TCP connections from preying eyes. Or at least, so one would think. There are many ways in which an adversary can trivially circumvent this setup. For example, if we configure the browser to proxy only HTTP, a malicious web page can easily open an HTTPS connection and reveal your IP address. Things get much worse when scripting languages such as Javascript, Flash or Java come into play. Flash can open raw sockets and learn a lot about your local environment.

To prevent information leakage, we ideally would run a virtual machine that tunnels all traffic via Tor, such as the VirtualPrivacyMachine. However, if you do not want to go through all that trouble, Systrace can come to the rescue. For investigations, I run Firefox under Systrace with a systrace policy that allows connections only to Privoxy. All other connections attempts are denied and logged. It is interesting to see how many connections Firefox tries to do all by itself that do not go via the proxy. There are update pings, and all kinds of other connections.

In this case, Systrace is not being used against an adversary but rather against an untrusted application. It works quite nicely at that, too.

This release addresses a number of correctness and reliability problems with the ptrace backend. Tavis Ormandy provided fixes for the following problems: a potential escape of socket aliases and double free and a problem with fork and ptrace (CVE-2007-4773). The tar ball for Systrace 1.6e can be downloaded here. Just keep in mind that ptrace has not been designed as a security primitive and while the ptrace backend can restrict the behavior of programs in non-adversarial settings, there are many ways to circumvent it.

At WOOT this year, Robert Watson presented a paper on how to evade popular system call interposition systems, including Systrace. For Systrace, Robert noticed that the arguments written to the stackgap could be replaced by a co-operating process after Systrace performed its policy check. The initial prototype of Systrace as described in the paper avoided this problem by using a look-aside buffer in the kernel. This imposes a slight performance penalty but I hope that this obvious solution is going to be included in the OpenBSD and NetBSD kernel soon.

Chris Evans from Google Security discovered an integer overflow in the Systrace kernel code. If an adversary can open "/dev/systrace", the bug can be leveraged to gain root access. Both OpenBSD and NetBSD current have been patched. Please, update your systems.

This new release of Systrace adds translations for a number of new system calls and should also take care of zombies accumulating for users of the Linux ptrace backend. Systrace now allows waitpid to execute in more cases which should hopefully reap the reparented children. Download it here. A debian package is available, too.

Last October, I (Marius Eriksen) updated the Linux-kernel patches for systrace. Get it here. A pre-built Debian package is available here.

Watch this space for updates in a week or two as I will be bringing the diffs up to date.

Systrace does not provide translations for all system calls. But it has been designed to make adding new translations very easy. Many people have noticed that they no longer see the IP address that nslookup connects to for DNS queries after updating to a newer version of Bind. The reason is that Systrace did not provide a translation for sendmsg.

Here is what you have to do add the necessary translation.

1. Provide a translator for sendmsg by adding the following code to the end of intercept-translate.c:

Continue reading "HowTo: Translating a New System Call"

It turned out that emulating waitpid for threads was more complicated then I initially assumed. Some older Linux kernels also exhibited strange behaviors in which the cloned child could execute before the parent did. This and a bunch of other fixes went into Systrace 1.6c which is now also available as Debian package. I tested this on various 2.4 kernels and distributions and was able to use the ptrace backend to run complicated applications like FireFox and X-Chat. Things look good.

After over three years of quiet life, Systrace 1.6: Phoenix Release is available. This release allows Systrace to run on Linux without requiring kernel changes. The regular Systrace backend has been emulated with ptrace and supports most Systrace features. Emulation of threading and signal mask computation are not implemented yet. The Phoenix image is from Eric Newport.

A bug in systrace_exit() on NetBSD-current can be exploited to get local root privileges. Update your kernel if you are are running NetBSD-current.