Systrace

Infobox Software
name = Systrace



caption =
collapsible =
author = Niels Provos
developer =
released =
latest release version = 1.6e
latest release date = release date|2007|12|18
latest preview version =
latest preview date =
frequently updated =
programming language =
operating system = Unix-like
platform =
size =
language =
status =
genre = Computer security
license = BSD-like
website = http://www.systrace.org/s.

Systrace is particularly useful when running untrusted or binary-only applications and provides facilities for privilege elevation on a system call basis, helping to eliminate the need for potentially dangerous setuid programs. It also includes interactive and automatic policy generation features, to assist in the creation of a base policy for an application.

As of 2004, systrace is integrated into OpenBSD. It is also available for Linux and Mac OS X, although the OS X port is currently unmaintained. It was removed from NetBSD at the end of 2007 due to several unfixed implementation issues.

Features

Systrace supports the following features:
* Confines untrusted binary applications: An application is allowed to make only those system calls specified as permitted in the policy. If the application attempts to execute a system call that is not explicitly permitted an alarm gets raised.
* Interactive policy generation with graphical user interface: Policies can be generate interactively via a graphical frontend to Systrace. The frontend shows system calls and their parameters not currently covered by policy and allows the user to refine the policy until it works as expected.
* Supports different emulations: GNU/Linux, BSDI, etc..
* Non-interactive policy enforcement: Once a policy has been trained, automatic policy enforcement can be used to deny all system calls not covered by the current policy. All violations are logged to Syslog. This mode is useful when protecting system services like a web server.
* Remote monitoring and intrusion detection: Systrace supports multiple frontends by using a frontend that makes use of the network, very advanced features are possible.
* Privilege elevation: Using Systrace's privilege elevation mode, it's possible to get rid of setuid binaries. A special policy statement allows selected system calls to run with higher privileges, for example, creating a raw socket.

=Vulnerability history= Systrace is still under development, and has had some vulnerabilities in the past, including:
* [http://www.watson.org/~robert/2007woot/ Exploiting Concurrency Vulnerabilities in System Call Wrappers] Paper by Robert Watson (computer scientist) from the First USENIX Workshop On Offensive Technologies (WOOT07) analyzing system call wrapper races across several wrapper platforms including systrace
* [http://www.systrace.org/index.php?/archives/13-Local-Privilege-Escalation.html Google Security discovers local privilege escalation in Systrace]
* [http://www.systrace.org/index.php?/archives/4-Local-Root-Exploit-on-NetBSD.html Local root exploit on NetBSD]
* [http://undeadly.org/cgi?action=article&sid=20070809201304 Vulnerabilities in systrace]

ee also

*AppArmor
*SELinux
*Mandatory access control

External links

* [http://www.citi.umich.edu/u/provos/systrace/ Systrace Download Page]
* [http://www.systrace.org/ Systrace webpage]