At WOOT this year, Robert Watson presented a paper on how to evade popular system call interposition systems, including Systrace. For Systrace, Robert noticed that the arguments written to the stackgap could be replaced by a co-operating process after Systrace performed its policy check. The initial prototype of Systrace as described in the paper avoided this problem by using a look-aside buffer in the kernel. This imposes a slight performance penalty but I hope that this obvious solution is going to be included in the OpenBSD and NetBSD kernel soon.