Network Security Focus-Linux
Systrace 1.6: Phoenix Release for Linux

Subject: Systrace 1.6: Phoenix Release for Linux
Date: Thu, 23 Mar 2006 23:13:16 -0800
Hi,

It has been over three years since I originally released Systrace and
I am happy to announce Systrace 1.6: Phoenix Release.

This is a special release for Linux users who do not want to patch
their kernel for Systrace's system call interposition interface. I
recently implemented a Ptrace-based backend for Systrace to make at
least some of its features available to a wider audience.  Although
the ptrace backend is not complete yet, many applications work fine
with it.

Systrace enforces system call policies for applications by
constraining the application's access to the system.  Policy is
generated interactively, automatically or magically. Its purpose is
to allow users to run untrusted applications like the latest malware
collected by your honeypot.

A quick reminder of what Systrace provides

  - confinement of complex or untrusted binary applications.
  - interactive policy generation with graphical user interface.
  - support for different emulations:
       GNU/Linux, BSDI, etc.
  - non-interactive policy enforcement.
  - remote monitoring and intrusion detection.
  - automatic policy generation.

Here is what a ptrace-based backend cannot provide:
  - tight security: a clever attacker can escape some of the sandbox
    by using cooperating threads to bypass the monitor.
  - performance: ptrace is very slow compared to native Systrace support
    in the kernel
  - transparency: ptrace is very intrusive.  child status waiting, process
    groups, signal masking, etc. need to be emulated in userland.  Yuck.
  - privilege elevation: not possible with ptrace
  - running binaries under emulation

In any case, give Systrace a spin.  If you like it, install Marius
Eriksen's excellent kernel patches for Linux.

You can find more information at

  http://www.citi.umich.edu/u/provos/systrace/
  http://www.citi.umich.edu/u/provos/systrace/linux.html

Regards,
  Niels Provos.
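A sample policy in Systrace's text policy format, added here as an illustration and not part of Niels Provos's post or the Systrace distribution. It shows the shape of what the interactive or automatic generator produces for a binary: one "Policy:" header naming the program and its emulation, then one rule per system call (aliases such as fsread/fswrite stand in for the open variants) with a predicate on the argument and a verdict. The pathnames, the choice of the linux emulation, and the exact set of calls /bin/ls needs on a given system are assumptions; the deny rules at the end illustrate the tightening a reviewer would add to an auto-generated policy that would otherwise fall through to an interactive prompt or a blanket deny.

```text
# Added, hypothetical example: a hand-tightened policy for /bin/ls under the
# linux emulation. Paths and call list are assumed, not taken from a real run.
Policy: /bin/ls, Emulation: linux
    linux-fsread: filename eq "/etc/ld.so.cache" then permit
    linux-fsread: filename match "/lib/*" then permit
    linux-fsread: filename match "/usr/lib/*" then permit
    linux-fsread: filename eq "/home/user/work" then permit
    linux-fswrite: filename eq "/dev/tty" then permit
    linux-mmap: permit
    linux-munmap: permit
    linux-brk: permit
    linux-exit: permit
    # Explicit denials with a chosen errno so the program fails cleanly instead
    # of hanging on a prompt; [log] records the attempt for the monitor.
    linux-fsread: filename match "/home/user/.ssh/*" then deny[enoent][log]
    linux-fswrite: filename match "/*" then deny[eperm][log]
    linux-connect: sockaddr match "inet-*" then deny[eperm][log]
```

With a policy like this saved to a file, the non-interactive mode (systrace -a -f policy /bin/ls, where -a enforces without asking and -f names the policy file) denies anything not listed. Note that under the ptrace backend the argument checks above are made against memory the traced process still controls; the post's caveat about cooperating threads applies to exactly this kind of filename predicate, so treat such a policy as containment for sloppy or unknown code rather than as a hard boundary against a determined attacker until the kernel patches are installed.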
