This release contains a number of small bug fixes:
- 32-bit compilation has been fixed
- 32-bit policies are no longer created as Linux64 with running on a 64-bit system
The source code can be downloaded here
A new version of Systrace that supports 64-bit Linux installations can be downloaded from here
. The major changes are support of 64-bit Linux with ptrace as well as 32-bit binaries under a 64-bit system. Let me know if you run into any issues with this.
I often use Tor
for anonymous web browsing; mostly when investigating malware distribution sites. Most people configure their browser so that it proxies HTTP via Privoxy
To prevent information leakage, we ideally would run a virtual machine that tunnels all traffic via Tor, such as the VirtualPrivacyMachine
. However, if you do not want to go through all that trouble, Systrace can come to the rescue. For investigations, I run Firefox under Systrace with a systrace policy that allows connections only to Privoxy. All other connections attempts are denied and logged. It is interesting to see how many connections Firefox tries to do all by itself that do not go via the proxy. There are update pings, and all kinds of other connections.
In this case, Systrace is not being used against an adversary but rather against an untrusted application. It works quite nicely at that, too.
This release addresses a number of correctness and reliability problems with the ptrace backend. Tavis Ormandy provided fixes for the following problems: a potential escape of socket aliases and double free and a problem with fork and ptrace (CVE-2007-4773). The tar ball for Systrace 1.6e can be downloaded here
. Just keep in mind that ptrace has not been designed as a security primitive and while the ptrace backend can restrict the behavior of programs in non-adversarial settings, there are many ways to circumvent it.
this year, Robert Watson presented a paper on how to evade popular system call interposition systems, including Systrace. For Systrace, Robert noticed that the arguments written to the stackgap could be replaced by a co-operating process after Systrace performed its policy check. The initial prototype of Systrace as described in the paper
avoided this problem by using a look-aside buffer in the kernel. This imposes a slight performance penalty but I hope that this obvious solution is going to be included in the OpenBSD and NetBSD kernel soon.
Chris Evans from Google Security discovered an integer overflow in the Systrace kernel code. If an adversary can open "/dev/systrace", the bug can be leveraged to gain root access. Both OpenBSD and NetBSD current have been patched. Please, update your systems.