
Systrace for Mac OS X

Posted by pudge
from the monkeying-around dept.
Niels Provos writes in that he has added Mac OS X support for Systrace, a sandboxing/application confinement tool that can be used to increase application and service security. It installs a new kernel to support /dev/systrace and the Systrace application, and a Cocoa frontend.
  • by Kplusplus (617856) on Friday December 20, 2002 @07:19AM (#4928710) Homepage
    My only qualm is where is this kernel coming from and why is there no other way to run this then with a specially built kernel. Im sorry to say, but I can't just trust anything that replaces my kernel, no matter who it comes from when that person isn't my OS vendor.

    Is it impossible to get teh same thing done with a kernel extension?
    • by LizardKing (5245) on Friday December 20, 2002 @08:57AM (#4928923)

      My only qualm is where this kernel is coming from and why there is no other way to run this than with a specially built kernel

      The patch is there for you to peruse, along with the Darwin kernel source. So if you're feeling a little paranoid then go for it. As to why this couldn't be a module of some sort, does the Darwin version of the BSD kernel support LKMs? And even if it does, systrace operates at a much lower level than, say, a device driver (which is where kernel modules really come into their own).

      Chris

  • Kernel vendors (Score:4, Insightful)

    by m0rph3us0 (549631) on Friday December 20, 2002 @08:12AM (#4928804)
    Yeah, because if your vendor made it then it must be secure.....

    Why not just take a look at the source... it's more readily available than the source for Mac OS X.
    • Yeah, because if your vendor made it then it must be secure.....

      Unlike MS, Apple doesn't make inferior products that have new security holes to be discovered every week. So I really have no reason not to trust Apple's stuff.

      As to the source of Mac OS X: Why do you need it? Their source being open will in no way help Mac OS X; perhaps it may help other *nix distros, but not Apple's, since they are heavily optimized regularly and provide a layer of operability higher than those of, say, systrace.
      • Yes, Apple has never made inferior products, sort of like Mac OS 9, which had no support for virtual memory (I don't mean a swap file, btw) and about as much support for users as DOS. Apple does make products that suck and do have security flaws. How about being able to log in to a default OS X machine without being prompted for a password. Personally I think that SUCKS and it is definitely a SECURITY FLAW. Software Update is another example of Apple products with security flaws. Having the source available means finding security flaws sooner rather than later. The faster vulnerabilities are found and patched, the less exposure your system receives to them. How do I know that nowhere strcpy() or a similarly known insecure function is being used inappropriately in the source for their APIs?
    • Re:Kernel vendors (Score:4, Informative)

      by jimmu (227057) on Friday December 20, 2002 @07:44PM (#4933281) Homepage
      http://www.opensource.apple.com/projects/darwin/6.0/projects.html

      What's this? Why, it looks like links to download the source for Darwin. And what's that? Why, it appears that you can peruse just about everything, save for Quartz.

      Note the obfuscated URL. Truly, Apple is going to great links to hide the source for OS X.

      I won't even mention the CVS server.
  • you can set up something far far more powerful than a chroot'ed area with user-mode-linux [sourceforge.net]

    So if anyone is knowledgeable about the Apple part, could you compare the two.
    • UML creates a new complete kernel running inside your machine, with its own /sbin/init process, and the whole shebang. If you want to have Apache in here, that's possible; you just need to copy all its files into the UML's filesystem, set up your host machine to relay the packets in, and other similar setup. Takes a while, but totally doable.

      Systrace on the other hand lives inside your normal kernel - you don't run any virtual machines at all. However systrace can decide what system calls a program can use, and if desired limit how they can be called. For example you could say Apache is allowed to create a bound socket to port 80, but no other port. You can say allow it to read files in /var/www/htdocs but nothing else. This means that should some user make a symlink to /etc/passwd, it can't be read. Should someone get Apache to run shellcode, it can't run /bin/sh or open a new network socket for inbound access.

      The configuration to do this is rather extensive, but anything that will be explicit must be. See the sample Apache config [umich.edu] for example.

      Systrace works similarly to other kernel hardening patches, such as GRSecurity or LIDS. LIDS, for example, can lock down access to the filesystem (read/write/nada) and to root permissions (allow root to read non-root files, disallow socket binding, etc.), but this is different in that the system calls themselves have been hooked, not just some common access methods.
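      The policy the comment above sketches (bind only to port 80, read only under the web root, no shell even if shellcode runs, and a symlink to /etc/passwd still denied) can be modelled in a few dozen lines. The block below is an added example written for this page; it is not code from systrace, the Apache sample policy, or the commenter. The rule names (fsread, bind, execve, connect) and the "pattern then permit/deny" shape only approximate systrace's policy language, and the symlink table is a constructed stand-in for a real filesystem so the example runs offline. The point it makes is the one that matters for a syscall sandbox: the decision is taken on the canonicalised argument, after ".." and links are resolved, and anything the policy does not list is denied.

```python
import fnmatch
import posixpath
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    syscall: str            # system call class, e.g. "fsread", "bind", "execve"
    field: Optional[str]    # argument the rule inspects, or None for "any call of this kind"
    pattern: str            # fnmatch-style glob, or an exact value
    action: str             # "permit" or "deny"


# Hypothetical policy for a web server, in the spirit of the Apache sample
# policy the comment refers to (assumed rule syntax, not systrace's own).
# First matching rule wins; anything unmatched falls through to deny.
WEB_POLICY = [
    Rule("fsread", "filename", "/var/www/htdocs", "permit"),
    Rule("fsread", "filename", "/var/www/htdocs/*", "permit"),
    Rule("fsread", "filename", "/etc/passwd", "deny"),
    Rule("bind", "sockaddr", "inet-*:80", "permit"),
    Rule("bind", "sockaddr", "*", "deny"),
    Rule("execve", None, "*", "deny"),      # no /bin/sh for injected shellcode
    Rule("connect", None, "*", "deny"),     # no outbound/reverse connections
]

# Constructed symlink table standing in for the filesystem: a link an
# attacker managed to drop inside the web root, pointing at the password file.
SYMLINKS = {
    "/var/www/htdocs/passwd": "/etc/passwd",
}


def resolve(path: str, symlinks=SYMLINKS) -> str:
    """Canonicalise a filename before matching: collapse '..' segments and
    follow symlinks, so the policy judges the real target, not the name used."""
    path = posixpath.normpath(path)
    for _ in range(32):                 # bound the walk so a link loop cannot hang us
        target = symlinks.get(path)
        if target is None:
            break
        path = posixpath.normpath(target)
    return path


def decide(policy, syscall: str, **args) -> str:
    """Return 'permit' or 'deny' for one system call with its arguments."""
    if "filename" in args:
        args["filename"] = resolve(args["filename"])
    for rule in policy:
        if rule.syscall != syscall:
            continue
        if rule.field is None:
            return rule.action          # rule applies to every call of this kind
        if fnmatch.fnmatchcase(args.get(rule.field, ""), rule.pattern):
            return rule.action
    return "deny"                       # default-deny: unlisted calls never pass


def audit(policy, events):
    """Run a list of (syscall, args) events through the policy; returns decisions."""
    return [(sc, a, decide(policy, sc, **a)) for sc, a in events]


if __name__ == "__main__":
    # Constructed event trace, roughly what a compromised httpd might attempt.
    events = [
        ("bind", {"sockaddr": "inet-0.0.0.0:80"}),
        ("fsread", {"filename": "/var/www/htdocs/index.html"}),
        ("fsread", {"filename": "/var/www/htdocs/passwd"}),           # symlink
        ("fsread", {"filename": "/var/www/htdocs/../../../etc/shadow"}),
        ("execve", {"filename": "/bin/sh"}),
        ("connect", {"sockaddr": "inet-10.0.0.1:4444"}),
    ]
    for syscall, args, verdict in audit(WEB_POLICY, events):
        print(f"{verdict:6s} {syscall} {args}")
```

      Two design points carry over to the real tool: a deny rule for /etc/passwd is belt-and-braces only, because the default-deny at the end already covers it, and path normalisation has to happen before matching or the "/var/www/htdocs/*" glob would happily permit the symlink.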

  • On a somewhat related note, I think it is stupid that Apple ships kernels without support for system call tracing tools like "strace" or "truss". System call tracing should be part of the standard install of OS X; it is particularly important on non-development machines. (How is this related? It sounds to me like you could use systrace to implement strace, and (less efficiently) vice versa.)

    In any case, I thought that one of the promises of Mach was that these kinds of changes should be doable via plug-ins, without creating a new kernel. Why does this require a "new kernel"?

    • I would very much like to see OSX ship with truss; in particular, I would like it to be the Solaris-style truss that can trace descendants of processes, etc. (The FreeBSD version is only a pale shadow of this.) Anyone who agrees with this wish might want to send a note to devbugs@apple.com, supporting Problem ID #3121601.
