OpenBSD Journal
Vulnerabilities in systrace
Contributed by merdely on Thu Aug 9 20:12:21 2007 (GMT)
from the falacious-race dept.

At the First USENIX Workshop on Offensive Technologies, Robert Watson gave a presentation outlining vulnerabilities in systrace which he summarizes in this blog post:

A paper on the topic of compromising system call interposition-based protection systems, such as COTS virus scanners, OpenBSD and NetBSD's Systrace, the TIS Generic Software Wrappers Toolkit (GSWTK), and CerbNG. The key insight here is that the historic assumption of "atomicity" of system calls is fallacious, and that on both uniprocessor and multiprocessing systems, it is trivial to construct a race between system call wrappers and malicious user processes to bypass protections.

I demonstrated sample exploit code against the Sysjail policy on Systrace, and IDwrappers on GSWTK, but the paper includes a more extensive discussion including vulnerabilities in sudo's Systrace monitor mode.

The moral, for those unwilling to read the paper, is that system call wrappers are a bad idea, unless of course, you're willing to rewrite the OS to be message-passing. Systems like the TrustedBSD MAC Framework on FreeBSD and Mac OS X Leopard, Linux Security Modules (LSM), Apple's (and now also NetBSD's) kauth(9), and other tightly integrated kernel security frameworks offer specific solutions to these concurrency problems. There's plenty more to be done in that area.

Todd Miller (millert@) clarifies the impact with sudo:

"The sudo systrace support is part of an experimental feature ("monitor mode") not present in any of the real sudo releases (though the code is available via anonymous cvs). Given the deficiencies of systrace (and ptrace) it is unlikely that this feature will be present in any future sudo release."

The Sysjail project is recommending against using sysjail:

"Due to handling semantics of user/kernel memory in concurrent environments, the sysjail tools, in inheriting from systrace(4), are vulnerable to exploitation. Details available here. Many thanks to Robert Watson for discovering these issues! Until these problems have been addressed, we do not recommend using sysjail (or any systrace(4) tools, including systrace(1)). All versions are vulnerable on all architectures.

Specifically, the bind(2) and sysctl(3) (and possibly other) functions may have their arguments re-written after being examined by the sysjail. This, in effect, leads to a total bypass of the prison."
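The argument race the Sysjail advisory describes, reduced to a model that compiles and runs. This is an added illustration and not code from Watson's paper, from Systrace or from Sysjail: `struct addr`, `policy_allows`, `bind_via_wrapper`, `bind_in_kernel` and the `interleave_fn` hook are invented for the example, and the hook stands in for the attacker's second thread (or a process sharing the page) that gets scheduled between the wrapper's read of the argument and the kernel's own copyin.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a bind(2) argument living in user memory.
 * Only the port matters for the policy below. */
struct addr {
    uint16_t port;
};

/* Hypothetical prison policy: unprivileged ports only. */
bool policy_allows(const struct addr *a)
{
    return a->port >= 1024;
}

/* Stand-in for the attacker's second thread: it gets a turn at the point
 * the hook is called and overwrites the argument in place. */
typedef void (*interleave_fn)(struct addr *user_arg);

void attacker_flip(struct addr *user_arg)
{
    user_arg->port = 80;            /* privileged port the policy would deny */
}

/* Interposition in the style of a system call wrapper: the wrapper fetches
 * the argument from the monitored process, checks it, and lets the call
 * proceed.  The kernel then performs its own copyin, so it acts on whatever
 * is in user memory at that moment, not on what the wrapper saw.
 * Returns the port actually bound, or -1 if the wrapper denied the call. */
int bind_via_wrapper(struct addr *user_arg, interleave_fn race)
{
    struct addr wrapper_copy;
    memcpy(&wrapper_copy, user_arg, sizeof wrapper_copy);   /* wrapper's read */
    if (!policy_allows(&wrapper_copy))
        return -1;

    if (race)
        race(user_arg);     /* window: argument rewritten after the check */

    struct addr kernel_copy;
    memcpy(&kernel_copy, user_arg, sizeof kernel_copy);     /* kernel's copyin */
    return kernel_copy.port;                                 /* bound unchecked */
}

/* Check integrated in the kernel (the approach of MAC-style frameworks):
 * one copyin, and the check and the use operate on the same private copy,
 * so rewriting user memory in the window changes nothing. */
int bind_in_kernel(struct addr *user_arg, interleave_fn race)
{
    struct addr kernel_copy;
    memcpy(&kernel_copy, user_arg, sizeof kernel_copy);     /* single copyin */

    if (race)
        race(user_arg);     /* same window, but user memory is no longer read */

    if (!policy_allows(&kernel_copy))
        return -1;
    return kernel_copy.port;
}

int main(void)
{
    struct addr arg = { .port = 8080 };   /* what the wrapper is shown */

    printf("wrapper, no race:   %d\n", bind_via_wrapper(&arg, NULL));
    arg.port = 8080;
    printf("wrapper, with race: %d\n", bind_via_wrapper(&arg, attacker_flip));
    arg.port = 8080;
    printf("in-kernel, race:    %d\n", bind_in_kernel(&arg, attacker_flip));
    return 0;
}
```

In a real attack there is no hook to call: the second thread simply loops, flipping the argument between an allowed and a forbidden value, and the scheduler supplies the interleaving often enough. What makes the wrapper version fail is the two reads of user memory with a check in between; the in-kernel version reads once and decides on its own copy, which is the property the integrated frameworks Watson names are built around.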

It should be noted that systrace "has been integrated into NetBSD, OpenBSD and OpenDarwin" and has been ported to GNU/Linux, Mac OS X and FreeBSD.

To protect yourself from the shortcomings of systrace, know and understand what it does for you and make sure that systrace is not your only line of defense.

Just so it is clear, systrace is just a tool included in the distribution. It is not used by anything in the base system by default, but be wary of using this tool as it stands. There has been long-standing skepticism around the effectiveness of systrace, including the difficulty of writing effective policies (Theo: "Establishing solid policies for daemons is not actually trivial.") and the unpredictable consequences of changing the semantics of the Unix privilege model (Marc Espie). Since 2002, the systrace(1) man page has included a warning in the BUGS section about the possibility of escaping policy enforcement because of the behavior of certain system calls.

Robert's paper and presentation are available on his site.

  Re: Vulnerabilities in systrace
by Anonymous Coward (137.71.23.54) on Thu Aug 9 20:56:19 2007 (GMT)
  The sky is falling mos def

  Re: Vulnerabilities in systrace
by Anonymous Coward (12.205.149.225) on Thu Aug 9 21:43:55 2007 (GMT)
  What did de Raadt and Provos disagree about?

  Robert Watson
by Anonymous Coward (128.171.90.200) on Sat Aug 11 01:39:35 2007 (GMT)
  Wasn't it Robert Watson who developed the TrustedBSD MAC Framework and FreeBSD's Jails?

  Re: Vulnerabilities in systrace
by Anonymous Coward (85.178.127.11) on Sat Aug 11 02:03:46 2007 (GMT)
  So what's the OpenBSD Team gonna do?
Nothing but recommending to NOT use it? Then they could drop it from the Base System... :-/

It would be great if either a Patch or another Solution would get provided for OpenBSD 4.2.

I seriously don't know how to ensure the security of my systems right now. Chroots ok.. but "Jails" (notfBSD, Sysjail) always looked far better...

So.. what's the OpenBSD Team gonna do?

  Re: Vulnerabilities in systrace
by Anonymous Coward (195.92.253.2) on Sun Aug 12 15:02:20 2007 (GMT)
  The fact Robert points to something like Kauth in NetBSD as being the right way to do these things, you have to wonder.
We pay for what is supposed to be a secure OS when it is nothing more than a one man sandbox.
Great ideas are not copied, but instead are laughed at. All in the name of making things "secure"
but in the end it all falls short. At least djb offers $$ to back up his claims.
And he does not even charge for his software...
Elitism based on a false sense of security. "Because Theo says so"
A lot of good work has been done, but in the end Theo just says no.
Do cults charge for their propaganda?

  What's going on with cvs.openbsd.org? and openbsd.org?
by Brynet (Brynet) on Mon Aug 13 16:36:54 2007 (GMT)
  Does anyone know what's going on? CVS commits at marc.info have been quiet for 2 days.. http://openbsd.org fails to connect..

Can a developer please clarify the situation? Is it at all related to this? If not.. please explain what the heck is going on already by posting a new undeadly topic???

Please! - This situation needs clarity.. someone speak up..

  Remember, systrace is still useful for some privilege escalation
by Arach (195.112.252.102) on Sat Aug 25 08:45:11 2007 (GMT)
  Remember, systrace is still useful for some privilege escalation (consider "as user/group" when probably all your "prison-bypassing" trick is about to get *less* privileges :). And the rule sets for privilege escalation can be really simple and short. Nothing is perfect, but that doesn't mean everything is totally useless. ;) For example, consider Samba's smbd as non-root without losing its functionality. With systrace, it Just Works (well, a little bit of port redirection is required to avoid privileged bind()s via systrace's "as root").

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. Some icons from slashdot.org used with permission from Kathleen. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. Search engine is ht://Dig. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]