Systrace - Frequently Asked Questions
The following questions often arise in the context of Systrace
and system call interposition/interception.
Frequent Arguments Against System Call Interposition
Previous research argues against the use of system call interposition
because of inherent limitations. The most frequently cited paper to
back up this argument is:
It mentions the following problems:
Issues of aliasing,
multi-component lookups, and
preserving the tranquility of the name-to-object mapping from the
time-of-check to the time-of-use.
In practice, aliasing means that different filenames map to the same
file in the filesystem. In Unix, this is possible with symbolic or
hard links. Hard links have the restriction that they may not cross
mount points. Systrace addresses this problem with argument
normalization: every filename is resolved so that it is absolute and
contains no symbolic links.
The time-of-check-to-time-of-use argument can be addressed in a
similar fashion. After normalization and policy decision, an
adversary may try to change a component of the normalized filename to
a symbolic link to change the name-to-file mapping. This could cause
the kernel to take a different action than authorized by policy.
Because Systrace passes a filename to the kernel that is assumed to be
free of symbolic links, we instruct the operating system to forbid
monitored applications to follow symbolic links altogether.
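As an added illustration (not Systrace's own code), a user-space Python model of the two mechanisms described above: argument normalization that walks a filename one component at a time, and the refusal to honour a normalized name once any of its components has become a symbolic link. The function names and the temporary-directory scenario in demo() are constructed for this example.

```python
import os
import tempfile

def _components(path):
    return [c for c in path.split("/") if c not in ("", ".")]

def normalize(path):
    """Argument normalization as described above: make the name absolute and
    expand every symlink and '..' component by component, leaving no symlinks."""
    parts = _components(path if path.startswith("/") else os.getcwd() + "/" + path)
    resolved, hops = "/", 0
    while parts:
        part = parts.pop(0)
        if part == "..":
            resolved = os.path.dirname(resolved)   # dirname("/") stays "/"
            continue
        candidate = os.path.join(resolved, part)
        if not os.path.islink(candidate):          # also False if missing
            resolved = candidate
        elif (hops := hops + 1) > 32:
            raise OSError("too many levels of symbolic links")
        else:
            target = os.readlink(candidate)
            resolved = "/" if target.startswith("/") else resolved
            parts = _components(target) + parts    # re-walk the link target
    return resolved

def has_symlink_component(path):
    """Models the kernel-side rule: a normalized name is only honoured if
    none of its components has turned into a symlink since the check."""
    prefix = "/"
    for part in _components(path):
        prefix = os.path.join(prefix, part)
        if os.path.islink(prefix):
            return True
    return False

def demo():
    """Constructed scenario in a temp dir: an alias through a symlink,
    then a component swapped for a symlink after the policy decision."""
    base = os.path.realpath(tempfile.mkdtemp())
    os.makedirs(base + "/real")
    open(base + "/real/secret", "w").close()
    os.symlink("real", base + "/alias")
    aliased = normalize(base + "/alias/../alias/./secret")
    direct = normalize(base + "/real/secret")
    os.rename(base + "/real", base + "/other")             # the race window
    os.symlink(base + "/other", base + "/real")
    return aliased == direct, direct == base + "/real/secret", has_symlink_component(direct)
```

The model only removes symbolic links, as the text describes; two hard links to the same inode still normalize to different names.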