Domain: systrace.org
Stories and comments across the archive that link to systrace.org.
Comments · 9
-
Re:GREAT!
It always surprised me there is no Linux distro that has gone trough the trouble of wrapping systrace around the Flash plugin (or the entire browser?)
I would definitely like to have a Flash-enabled browser that runs in a sandbox, and has only access to some of its own files (to store cookies/settings/etc.) but does not have access to the rest of my homedir.
-
Systrace.org post on this alleged bughttp://www.systrace.org/index.php?/archives/14-Ev
a ding-System-Sandbox-Containment.htmlAt WOOT this year, Robert Watson presented a paper on how to evade popular system call interposition systems, including Systrace. For Systrace, Robert noticed that the arguments written to the stackgap could be replaced by a co-operating process after Systrace performed its policy check. The initial prototype of Systrace as described in the paper avoided this problem by using a look-aside buffer in the kernel. This imposes a slight performance penality but I hope that this obvious solution is going to be included in the OpenBSD and NetBSD kernel soon.
Also check the comment by the "Cambridge Researcher", kind of acknowledging it's nothing new. -
Re:Vmware?
Or, taking it a step further, use Systrace which eliminiates the need to run e.g. OpenNTP in a chroot. It even eliminates the need to run it as root to bind to *:123.
With Systrace, you can define what each application can do on the system call level and with pattern matching on their arguments. You could even run OpenNTP as user nobody and provide an exception in the policy that raises its uid to 0 for the duration of the bind() system call only.
Cool stuff. Wasn't really aware of it although it exists for years now. -
Re:IE 7 in Vista would have been safeSystrace makes possible far more complex scenarios than you've mentioned. A process can systrace it's children to have fewer privileges than it has. This isn't limited to file permissions, but extends to arbitrary restrictions on any system call, completely divorced from file ownership.
Does Windows have systrace?
I thought so.
-
Re:Dumber Article...
One of the points basically comes down to "write perfect code".
No, it comes down to "build a perfect design".Of course I fricking want to install it
But maybe you don't want it to connect to the network or touch the filesystem. -
Re:Loss of Credibility
On the same token though, any reputable person in the field would agree that a hardened version of Microsoft's OS is not any less secure than a hardened version of Linux.
Yes they would. There are heavily stripped versions of the Linux kernel in use. The remaining code has been analysed for vulnerabilities or extensively modified with in-kernel security features. Please show me where you can get a Microsoft kernel with the same features as systrace. There are tons of other useable kernel patches which demonstrate other impressive security features, not available on the windows platform.
Have you reviewed the paper? My guess is not. Before making straw man arguments make sure you have all the facts.
Yes I have read the paper. Try not to make spurious assumptions next time. -
Re:You don't need binaries.
If you *need* secure systems you use old code that has been heavily audited, and I would actually recommend OpenBSD.
Speaking of OpenBSD, they're heavily into systrace these days, which gives you some leeway to work with software from less audited sources.Currently, Systrace is integrated in NetBSD and OpenBSD, with a Linux port also being maintained. Similar functionality is available in the Okena (now Cisco) Security Agent for MS-Windows and Solaris, for $$$$.
And by buffer overflows being *easier* I meant more likely to escape detection. A shell being bound to a listening port is something that should *obviously* not be happening in most programs.
Under systrace, I can take an X application binary which is intended to display a slideshow, and without any access to source, inspect the "normal" execution profile, and build a systrace profile that forbids the application from opening a listening port or exec'ing /bin/sh.A real world example: I use systrace to run Opera. I cannot get source code for Opera, but by running it under a restricted profile, I can still have assurance as to the system calls which it can successfully make.
-
Re:Fast User Switching Rules...How do you "test" a file to make sure it doesn't do anything bad? Other than just running it once and saying "yup, I didn't notice any files being deleted" how can you tell if it's safe?
You can use systrace. There is even a GUI frontend that works on Mac OS.
-
Beyond AV: Application Behavior EnforcementApplication behavior enforcement for Microsoft Windows was capable of preventing the various MS-RPC exploits, before they were discovered, by preventing the RPC listener from doing any system calls that did not fit the "model" of what the service should do in normal circumstances.
The next step beyond simple pattern-matching virus scanners is mechanisms to to model the good behavior of processes, and terminate a process if it goes outside those bounds. ...even those running AV software won't be protected from a super-fast-moving virus...On OpenBSD and other Unix-like operating systems there is the free Systrace.
Windows and Solaris users can pay Cisco around $800 per server for "Cisco Security Agent" (Formerly Okena), which does the same thing as systrace, but with a nicer GUI and some packet filtering (I do not work for Cisco, I do not sell software.)
Workstation licenses were around $35 per seat.
When I tried to convince a Fortune 500 corporation of the value of deploying this type of security, the answer I received was "But this doesn't protect against SQL injection or Cross Site Scripting!"
So yes, Clueless people deserve it...