Skip to content

Libevent 1.4.4-stable released

I am happy to announce the release of libevent 1.4.4-stable. You can download the source here:

There have been a few bug fixes since 1.4.3-stable. Here's a brief summary:

  • Epoll fixes
    • Correctly handle timeouts larger than 35 minutes for older Linux kernels

  • Tagging fixes:
    • Fixes a potential stack corruption on 64-bit architectures

  • Bufferevent changes:
    • Fixes a corner cases for read watermarks

    • Expose the watermark functionality in bufferevent

  • HTTP changes:
    • Fix a bug where it was not possible to accept on multiple sockets

    • Expose the evhttp_accept_socket() functionality which allows the HTTP server to listen on an already created socket

  • Portability fixes:
    • Fix functionality and compile problems on Windows and IRIX

    • Provide a timercmp function that works on all platforms

See the changelog for full details.

We would like to thank the people who have reported bugs including Matt Domsch, Forest Wilkinson, Jon and several anonymous reporters. To report a bug, make a feature request, or submit code, you can use our sourceforge interface.
Categories: Libevent
Defined tags for this entry: ,

Systrace 1.6e

This release addresses a number of correctness and reliability problems with the ptrace backend. Tavis Ormandy provided fixes for the following problems: a potential escape of socket aliases and double free and a problem with fork and ptrace (CVE-2007-4773). The tar ball for Systrace 1.6e can be downloaded here. Just keep in mind that ptrace has not been designed as a security primitive and while the ptrace backend can restrict the behavior of programs in non-adversarial settings, there are many ways to circumvent it.
Categories: Systrace
Defined tags for this entry: ,

Evading System Sandbox Containment

At WOOT this year, Robert Watson presented a paper on how to evade popular system call interposition systems, including Systrace. For Systrace, Robert noticed that the arguments written to the stackgap could be replaced by a co-operating process after Systrace performed its policy check. The initial prototype of Systrace as described in the paper avoided this problem by using a look-aside buffer in the kernel. This imposes a slight performance penalty but I hope that this obvious solution is going to be included in the OpenBSD and NetBSD kernel soon.
Categories: Systrace
Defined tags for this entry: ,

Virtual Honeypots book is published

When I got home from traveling at around 3am last night, I found a box with 10 books on the table. Although, Virtual Honeypots covers primarily honeypots, it also features a small section on SpyBye that is part of a larger chapter on client honeypots. Other topics that we cover relating to this are on analyzing malware and tracking botnets. I am very pleased with the book in general and it will be interesting to see how it is going to do over the next few months.
Categories: SpyBye
Defined tags for this entry: , ,

SpyBye source code on public repository

The SpyBye source code is now available via You can access it with subversion and more importantly, you can also send patches for feature improvements. In addition to that, the code hosting supports bug tracking and other nifty features. Enjoy!
Categories: SpyBye
Defined tags for this entry: ,

SpyBye 0.3 released

SpyBye 0.3 adds an interesting twist to SpyBye. Previously, you would have to enter a URL into the form field and wait for the analysis to complete. SpyBye 0.3 adds a proxy mode in which you use SpyBye as a regular proxy for your web browsing. There is no need to enter any URLs into any form fields, instead SpyBye analyzes all downloads in the background and provides you with a warning notification whenever it encounters content that is potentially malicious. At that point, you can click on the link in the notification and receive a more detailed analysis of the web page.

The image on the left provides one such example. When you click on the link in the red warning box, you see a popup that shows all the implicit HTTP resources loaded into your browser and an analysis of the danger level. In fact, in proxy mode, you could just do all of your web browsing through SpyBye and be protected from bad content in return.

Let me know how you like it.
Categories: SpyBye