Niels Provos - Systrace

LEET '10 Call for Papers

nospam@example.com (Niels Provos) — Sat, 29 Aug 2009 12:35:46 -0700

The call for papers for the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '10) Botnets, Spyware, Worms, and More just went out. It will be held on April 27, 2010 in San Jose, CA.

LEET '10 will be co-located with the 7th USENIX Symposium on Networked Systems Design and Implementation (NSDI '10), which will take place April 28–30, 2010.

Important Dates

Submissions due: Thursday, February 25, 2010, 11:59 p.m. PST
Notification of acceptance: Wednesday, March 24, 2010
Final papers due: Monday, April 5, 2010

Workshop Organizers
Program Chair

Michael Bailey, University of Michigan

Program Committee

Dan Boneh, Stanford University
Nick Feamster, Georgia Institute of Technology
Jaeyeon Jung, Intel Labs, Seattle
Christian Kreibich, International Computer Science Institute
Patrick McDaniel, Pennsylvania State University
Fabian Monrose, University of North Carolina, Chapel Hill
Jose Nazario, Arbor Networks, Inc.
Stefan Savage, University of California, San Diego
Matt Williamson, AVG Technologies
Yinglian Xie, Microsoft Research
Vinod Yegneswaran, SRI International

Go submit your work!

WOOT'09 Call For Papers

nospam@example.com (Niels Provos) — Thu, 26 Mar 2009 23:36:13 -0700

WOOT is the Workshop on Offensive Technologies. This year, it's being held for the third time and the call for papers just came out. Submissions are solicited for a variety of interesting topics including:

Vulnerability research (software auditing, reverse engineering)
Exploit techniques and automation
Malware design and implementation (rootkits, viruses, bots, worms)

The last two years were a lot of fun and this years organizers are an eclectic bunch of well known folks. If you have anything in the works, go submit it and we will see you at the workshop.

Systrace 1.6g released

nospam@example.com (Niels Provos) — Sun, 15 Mar 2009 17:25:54 -0700

This release contains a number of small bug fixes:

- 32-bit compilation has been fixed
- 32-bit policies are no longer created as Linux64 with running on a 64-bit system

The source code can be downloaded here [sig].

Systrace 1.6f with 64-bit Linux ptrace support

nospam@example.com (Niels Provos) — Tue, 06 Jan 2009 19:38:18 -0800

A new version of Systrace that supports 64-bit Linux installations can be downloaded from here. The major changes are support of 64-bit Linux with ptrace as well as 32-bit binaries under a 64-bit system. Let me know if you run into any issues with this.

LEET '09 Call for Papers

nospam@example.com (Niels Provos) — Wed, 12 Nov 2008 18:48:12 -0800

The CfP for the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '09): Botnets, Spyware, Worms, and More is up at:

http://www.usenix.org/event/leet09/cfp/.

LEET '09 will be held on April 21, 2009 in Boston, MA immediately before the 6th USENIX Symposium on Networked Systems Design and Implementation (NSDI '09), which will take place April 22–24, 2009.

Important Dates

Submissions due: January 16, 2009, 11:59 p.m. EST
Notification of acceptance: March 2, 2009
Electronic files due: March 30, 2009

This will be the second edition of LEET, which had evolved from the combination of two other successful workshops, the ACM Workshop on Recurring Malcode (WORM) and the USENIX Workshop on Hot Topics in Understanding Botnets (HotBots). These two workshops have each dealt with aspects of this problem. However, while papers relating to both worms and botnets are explicitly solicited, LEET has a broader charter than its predecessors. We encourage submissions of papers that focus on any aspect of the underlying mechanisms used to compromise and control hosts, the large-scale "applications" being perpetrated upon this framework, or the social and economic networks driving these threats.

Anonymity, Tor and Your Browser

nospam@example.com (Niels Provos) — Tue, 08 Jul 2008 20:55:34 -0700

I often use Tor for anonymous web browsing; mostly when investigating malware distribution sites. Most people configure their browser so that it proxies HTTP via Privoxy to the Tor network. At that point, Tor is doing your DNS resolutions and also hides your TCP connections from preying eyes. Or at least, so one would think. There are many ways in which an adversary can trivially circumvent this setup. For example, if we configure the browser to proxy only HTTP, a malicious web page can easily open an HTTPS connection and reveal your IP address. Things get much worse when scripting languages such as Javascript, Flash or Java come into play. Flash can open raw sockets and learn a lot about your local environment.

To prevent information leakage, we ideally would run a virtual machine that tunnels all traffic via Tor, such as the VirtualPrivacyMachine. However, if you do not want to go through all that trouble, Systrace can come to the rescue. For investigations, I run Firefox under Systrace with a systrace policy that allows connections only to Privoxy. All other connections attempts are denied and logged. It is interesting to see how many connections Firefox tries to do all by itself that do not go via the proxy. There are update pings, and all kinds of other connections.

In this case, Systrace is not being used against an adversary but rather against an untrusted application. It works quite nicely at that, too.

Systrace 1.6e

nospam@example.com (Niels Provos) — Tue, 18 Dec 2007 21:42:37 -0800

This release addresses a number of correctness and reliability problems with the ptrace backend. Tavis Ormandy provided fixes for the following problems: a potential escape of socket aliases and double free and a problem with fork and ptrace (CVE-2007-4773). The tar ball for Systrace 1.6e can be downloaded here. Just keep in mind that ptrace has not been designed as a security primitive and while the ptrace backend can restrict the behavior of programs in non-adversarial settings, there are many ways to circumvent it.

Evading System Sandbox Containment

nospam@example.com (Niels Provos) — Thu, 09 Aug 2007 14:51:52 -0700

At WOOT this year, Robert Watson presented a paper on how to evade popular system call interposition systems, including Systrace. For Systrace, Robert noticed that the arguments written to the stackgap could be replaced by a co-operating process after Systrace performed its policy check. The initial prototype of Systrace as described in the paper avoided this problem by using a look-aside buffer in the kernel. This imposes a slight performance penalty but I hope that this obvious solution is going to be included in the OpenBSD and NetBSD kernel soon.

Local Privilege Escalation

nospam@example.com (Niels Provos) — Mon, 09 Oct 2006 10:42:30 -0700

Chris Evans from Google Security discovered an integer overflow in the Systrace kernel code. If an adversary can open "/dev/systrace", the bug can be leveraged to gain root access. Both OpenBSD and NetBSD current have been patched. Please, update your systems.

Systrace 1.6d

nospam@example.com (Niels Provos) — Sun, 23 Apr 2006 22:52:44 -0700

This new release of Systrace adds translations for a number of new system calls and should also take care of zombies accumulating for users of the Linux ptrace backend. Systrace now allows waitpid to execute in more cases which should hopefully reap the reparented children. Download it here. A debian package is available, too.

Linux kernel systrace patch set

nospam@example.com (Niels Provos) — Thu, 13 Apr 2006 22:20:30 -0700

Last October, I (Marius Eriksen) updated the Linux-kernel patches for systrace. Get it here. A pre-built Debian package is available here.

Watch this space for updates in a week or two as I will be bringing the diffs up to date.

HowTo: Translating a New System Call

nospam@example.com (Niels Provos) — Sun, 09 Apr 2006 18:36:52 -0700

Systrace does not provide translations for all system calls. But it has been designed to make adding new translations very easy. Many people have noticed that they no longer see the IP address that nslookup connects to for DNS queries after updating to a newer version of Bind. The reason is that Systrace did not provide a translation for sendmsg.

Here is what you have to do add the necessary translation.

1. Provide a translator for sendmsg by adding the following code to the end of intercept-translate.c:

Continue reading "HowTo: Translating a New System Call"

More Linux Ptrace fixes

nospam@example.com (Niels Provos) — Sun, 09 Apr 2006 02:21:11 -0700

It turned out that emulating waitpid for threads was more complicated then I initially assumed. Some older Linux kernels also exhibited strange behaviors in which the cloned child could execute before the parent did. This and a bunch of other fixes went into Systrace 1.6c which is now also available as Debian package. I tested this on various 2.4 kernels and distributions and was able to use the ptrace backend to run complicated applications like FireFox and X-Chat. Things look good.

Systrace 1.6: Phoenix Release

nospam@example.com (Niels Provos) — Fri, 24 Mar 2006 17:05:00 -0800

After over three years of quiet life, Systrace 1.6: Phoenix Release is available. This release allows Systrace to run on Linux without requiring kernel changes. The regular Systrace backend has been emulated with ptrace and supports most Systrace features. Emulation of threading and signal mask computation are not implemented yet. The Phoenix image is from Eric Newport.

Local Root Exploit on NetBSD

nospam@example.com (Niels Provos) — Thu, 13 May 2004 12:46:00 -0700

A bug in systrace_exit() on NetBSD-current can be exploited to get local root privileges. Update your kernel if you are are running NetBSD-current.