OpenSolaris equivalent of systrace?

[DraconianTimes]

I've recently installed OpenSolaris 2008.11 and was wondering what the nearest equivalent functionality to systrace is?
I've seen the FGAP sub-project (which looks almost spot on), bu this is still under development. Is there a combination of OSol tools which will give me some/all of systrace's functionality?

Ta.

[vermaden]

dtrace? ;p

[Oko]

Quote:

Originally Posted by vermaden

dtrace? ;p

I think that it is really not possible to compare dtrace and systrace.
Dtrace is in very simplified terms a tool which enables you to monitor your system in real time for let say bottle necks and add hardware or relocate resources if needed.

Systrace was originally conceived as a very radical security tool which will enable you to do things like preventing applications from making certain system calls without explicit authorization from system admin in real time.

Ideally one would want to have both tools available on the system. The problem is that large parts of DTrace are patented and released under CDDL license or even more restrictive licenses so one would have to write loadable kernel modules. Obviously FreeBSD doesn't care much for licenses so they imported DTrace into kernel.


Systrace on the another hand is in some sense obsolete as there is a major security problem with the tool pointed by Dr. Rober Watson member of FreeBSD core team in one of his research papers. As the main developer of Systrace have parted ways
with OpenBSD project due to the disagreement with Theo de Raadt there has been no work on systrace in past 3-4 years. It is still part of the kernel of OpenBSD but has very specific uses which are not in line with original design goals of Systrace project. Systrace is probably fixable and there is some chance that OpenBSD will get DTrace in the form of loadable kernel modules. That would be really FANTASTIC!!!

[jggimi]

Quote:

Originally Posted by Oko

...there has been no work on systrace in past 3-4 years.

2.5 years. Integration of systrace 1.6d occured July '06. (1.6f was announced this month).

The developer, Niels Provos, stated in response to security questions

Quote:

Just keep in mind that ptrace has not been designed as a security primitive and while the ptrace backend can restrict the behavior of programs in non-adversarial settings, there are many ways to circumvent it.

Systrace was indeed an interesting application security management tool; but with the demise of the Hairy Eyeball project, general-purpose interest waned.

It's still used within OpenBSD, particularly for port development. I wouldn't develop a port, or submit one for the tree unless the port build was protected and tested with USE_SYSTRACE=Yes.

[DraconianTimes]

OK, thanks for the replies. Looks like I'm going to have to wait patiently for FGAP...

[Oko]

Quote:

Originally Posted by DraconianTimes

OK, thanks for the replies. Looks like I'm going to have to wait patiently for FGAP...

I read the link you posted.

Quote:

* only allow binding to port 80/tcp

* only allow read access to file foo

* only allow write access under $HOME/.mozilla

That is lame. Can't you do last to things just withe permissions? Even with
the root access the last two goals can be easily accomplished in BSD world with flags and
kernel security levels. First one looks to me could be easily done with PF.

Systrace is far more serious tool as originally designed.

[DraconianTimes]

Quote:

Originally Posted by Oko

That is lame. Can't you do last to things just withe permissions? Even with
the root access the last two goals can be easily accomplished in BSD world with flags and
kernel security levels. First one looks to me could be easily done with PF.

Regarding your first point, PF can control access to 80/tcp, but that is system wide - It won't let me tie it down to a specific application.
As for security levels, IIRC the OpenBSD team had actually dismissed them. I haven't got the link to hand, but there were a couple of interviews with senior devs who had said the concept was flawed.

I'll try to dig out the links when I get home tonight.

Cheers.

UPDATE 2009-01-27 2205Z

Here's the link regarding secure levels: http://www.theregister.co.uk/2006/01...evel_bsd_unix/

[Randux]

Interesting the Register is calling deRadt a "vendor". Last time I looked, OpenBSD was being given away (as in free) and distributed under the freeest of terms (BSD license: don't say you wrote this).

Amazing how all the whiners expect something for nothing. Entitlement is a very sick idea

[DraconianTimes]

Quote:

Originally Posted by Randux

Interesting the Register is calling deRadt a "vendor". Last time I looked, OpenBSD was being given away (as in free) and distributed under the freeest of terms (BSD license: don't say you wrote this).

Amazing how all the whiners expect something for nothing. Entitlement is a very sick idea

Indeed, it's like the idiots who come onto misc@ being abusive about the lack of x, y or z. I suppose that the Register struggles with terminology to describe roles in FOSS, especially when comparing against the more traditional commercial offerings...

[Oko]

I read the article. It is very superficial. To me it looks like it is written by a guy with lack of technical knowledge about the matter he is trying to talk about but great sense of humor.

Quote:

One of the best things about OpenBSD is that it's a great operating system for new users to Unix.

I am going to use this every time I am annoyed by an Ubuntu user.

Joking aside, if you carefully read my post above I said that it looks to me that I could use combination of flags and security levels to accomplish 2 and 3.
I have never said that kernel security level alone can do any good.
Without detailed knowledge about objectives of cited Open Solaris projects it is just my guessing what is the problem they are trying to fix.