Subject: Re: oooh! neat new toy!!!
To: Steven M. Bellovin <smb@research.att.com>
From: Niels Provos <provos@citi.umich.edu>
List: tech-security
Date: 06/01/2002 01:35:37
On Fri, May 31, 2002 at 09:41:02PM +0000, Steven M. Bellovin wrote:
> Yes and no.  I'm very concerned about the false positive rate -- 
> programs do all sorts of different things, depending on minor 
> environmental changes.  For example, suppose you use nmh and you've 
> tweaked /usr/pkg/etc/nmh/mts.conf to add some smtp servers.  Most of 
> the time, you'll use the first one in the list -- but if it's down or 
> unreachable, you'll use the next one.  For that matter, resolving a 
> host name depends heavily on the structure of the DNS and on the 
> current cache characteristics.  I'm sure the rule base can handle all of
> those things; I'm also sure that getting the right ruleset for a given 
> program is going to take a lot more work than you think.

Policy generation is interactive.  In my experience, it converges very
fast to a policy that covers the normal program behaviour.  Generating
a completely new policy for an application takes a few minutes.

Systrace is very flexible.  If you use it to constrain untrusted
binaries, an interactive warning is generated for every system call
that is not covered by the existing policy.  At this point, you can
either refine your policy, deny the system call or kill the
application.

On the other hand, on monkey.org systrace runs in automatic mode
enforcing a global system policy.  Any system call not covered by the
policy is denied and logged via syslog allowing an administrator to
further refine the policy if necessary.

Currently, I am running screen, shells, irc and mail clients on
monkey.  All of them are constrained by systrace policies.  So do hundreds
of other users.  I think that you are more sceptical than is
warranted.

On my local desktop, all third-party software is constrained by
systrace, e.g. opera or gaim.  You just start systrace on an xterm,
and any application that you start from it is automatically sandboxed.
This includes network applications, etc.

The intrusion detection capability of systrace is only a small part
of the whole picture.  The interactive policy generation leads to many
novel uses, among them intrusion detection and remote monitoring of
system daemons.

Niels.
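As an added illustration of the policy language the thread is arguing about (this is example text, not part of the message above and not a policy shipped with systrace): a hand-tuned policy for the nmh mail submission helper that covers Steven's fallback-SMTP-server and DNS cases with pattern matches instead of one rule per host, and denies and logs everything else. The binary path /usr/pkg/libexec/nmh/post is assumed; systrace would read this policy from ~/.systrace/usr_pkg_libexec_nmh_post, and an interactive run would add the remaining file and memory calls that are omitted here.

```text
# Assumed path of the nmh submission helper; rules are matched in order.
Policy: /usr/pkg/libexec/nmh/post, Emulation: native
	# Configuration and resolver files the program is expected to read,
	# including the tweaked mts.conf from the thread.
	native-fsread: filename eq "/usr/pkg/etc/nmh/mts.conf" then permit
	native-fsread: filename eq "/etc/resolv.conf" then permit
	native-fsread: filename eq "/etc/hosts" then permit
	native-fsread: filename match "/usr/lib/*" then permit
	native-fsread: filename match "/usr/pkg/lib/*" then permit
	# Name resolution: any resolver on port 53, so the policy does not
	# depend on which server resolv.conf lists or on the DNS cache state.
	native-connect: sockaddr match "inet-*:53" then permit
	native-sendto: sockaddr match "inet-*:53" then permit
	# Mail submission: any host on port 25, so falling back to the second
	# or third smtp server in mts.conf is still covered.
	native-connect: sockaddr match "inet-*:25" then permit
	# Any other network destination is refused with EPERM and logged.
	native-connect: deny[eperm] log
	native-bind: deny[eperm] log
	# Scratch files may be created under /tmp only; other write attempts
	# fail with ENOENT and leave a syslog entry for the administrator.
	native-fswrite: filename match "/tmp/*" then permit
	native-fswrite: deny[enoent] log
	# Calls without an interesting argument, permitted unconditionally.
	native-__sysctl: permit
	native-close: permit
	native-exit: permit
	native-fcntl: permit
	native-fstat: permit
	native-mmap: permit
	native-munmap: permit
	native-read: permit
	native-socket: permit
	native-write: permit
```

Run under `systrace -a` (automatic enforcement), any call not matched by a rule is denied and logged as well; the explicit deny lines only choose the errno the program sees.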