Systrace - Interactive Policy Generation for System Calls
Systrace enforces system call policies for applications by
constraining the application's access to the system. The policy is
generated interactively. Operations not covered by the policy raise an
alarm, allowing an user to refine the currently configured policy.
For complicated applications, it is difficult to know the correct
policy before running them. Initially, Systrace notifies the user
about all system calls that an application tries to execute. The
user configures a policy for the specific system call that caused the
warning. After a few minutes, a policy is generated that allows the
application to run without any warnings. However, events that are not
covered still generate a warning. Normally, that is an indication of
a security problem. Systrace improves cyber
security by providing intrusion prevention.
Alternatively, policies can be learned automatically. In many instances,
the automatically learned policies can be used for sandboxing immediately.
Sometimes, minimal manual post-processing is necessary.
With Systrace, untrusted binary applications can be sandboxed. Their
access to the system can be restricted almost arbitrarily. Sandboxing
applications that are available only as binaries is only sensible, as it is not
possible to directly analyze what they are designed to do. However,
constraining the system calls that large open-source applications are
allowed to execute is useful too, as it is very difficult to determine
System call arguments can be rewritten dynamically. This effects
a virtual chroot for the sandboxed application. It also
prevents race conditions in the argument evaluation.
[Answers to some frequently asked questions]
- Confines untrusted binary applications.
- Interactive Policy Generation with Graphical User Interface.
- Supports different emulations:
- System Call Argument Rewriting.
- Non-interactive Policy Enforcement.
- Remote Monitoring and Intrusion Detection.
- Privilege Elevation: Add-on capabilities.
With Systrace, it is possible to monitor daemons on remote machines and
generate warnings at a central location. As these warnings indicate
operations not covered by existing policy, it is possible to
detect intrusions and prevent them from succeeding. For example, a
web server or ftp server can be monitored that way.
Non-Interactive Policy Enforcement
Once a policy has been generated, Systrace can enforce it
automatically without user interaction. System calls not covered by
the existing policy are denied. For example, a shell provider can
enforce policy of user shells and executed commands with Systrace.
Using the privilege elevation feature of Systrace, it is possible
to completely remove the need of setuid or setgid
Instead, Systrace executes the application without privileges and
only elevates them to the desired level when required. For example,
native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_RAW" then permit as root
native-bind: sockaddr eq "inet-[0.0.0.0]:22" then permit as root
native-fsread: filename eq "/dev/kmem" then permit as :kmem
Systrace elevates the privileges precisely for the operations that
require them. As a result, we get as fine-grained capabilities as
possible and the privileged code path is reduced extremely. In
combination with dynamic predicates, it is possible to allow
an unprivileged application to bind to a reserved port exactly once,
The following example illustrates a simple policy for the ls
binary. If ls attempts to list files in /etc,
Systrace disallows the access and /etc does not seem to
exist. Listing the contents of /tmp works normally, but trying
to ls /var generates a warning.
Policy: /bin/ls, Emulation: native
native-fsread: filename match "/usr/*" then permit
native-fsread: filename eq "/tmp" then permit
native-fsread: filename eq "/etc" then deny[enotdir]
Systrace supports multiple applications with multiple policies. Policies
can be switched on execve.
A web browser tries to access the password database. Monitoring
the system calls in a web browser is reasonable, as it is exposed
to potentially hostile web pages that try to exploit programming
errors in the browser.
Systrace may also be used to prevent damage from trojaned software
distributions. In this example, Systrace detects a Trojan in the
configure script contained in a malicious fragroute distribution.
Systrace is distributed under a BSD-style license and has been
integrated into NetBSD, OpenBSD and OpenDarwin. NetBSD-current
contains the most recent
Systrace source code.
You can use
AnonCVS to access it.
At the moment, systrace supports native and Linux binaries.
- GNU/Linux port is finished and kernel patch is maintained actively by Marius Eriksen. Can be run without kernel changes using the ptrace backend.
- Mac OS X port is almost complete; currently unmaintained due to lack of hardware.
- FreeBSD port by Rich Murphey; in progress.
You need to install the systrace userland. The gtk frontend is required only for graphical policy generation.
Systrace in the Press
- Creating Systrace Policies,
O'Reilly ONLamp.com, February 2003.
- Systrace - A tightly locked jail of legitimate system calls,
Linux Magazine, February 2003.
- Verrouillez les appels systemes avec systrace, Login, Nr. 101, December, 2002.
Enges Korsett - Systrace setzt Regeln für erlaubte Systemaufrufe durch, Linux-Magazin, December, 2002.
Thanks to Dug Song and Perry Metzger for helpful discussions and suggestions.