external policy enforcement [Re: Apache httpd: vulnerability...]

From: Niels Provos (provosat_private)
Date: Tue Jun 18 2002 - 12:03:08 PDT


    Hi,
    
    external policy enforcement is a mechanism to prevent system
    compromise due to exploitable vulnerabilities in complicated
    applications like the Apache web server.
    
    A separate process enforces what kind of access an application has to
    the system.  For a simple Apache configuration that might include
    binding to port 80, reading documents in the document root and writing
    to log files, but nothing else.
    
    Previously, policy configuration has been very difficult.  However, I
    just released a subsystem called systrace that provides fine-grained
    confinement of multiple applications with multiple policies.
    
    One of its main features is a mode to interactively generate policies
    for applications using a graphical dialog.  A policy can be generated
    in a few minutes.  An administrator can also use systrace's automatic
    policy generation mode and tailor the resulting policy to her needs.
    
    Systrace provides
    
      - confinement of complex or untrusted binary applications.
      - interactive policy generation with graphical user interface.
      - support for different emulations:
           GNU/Linux, BSDI, etc.
      - non-interactive policy enforcement.
      - remote monitoring and intrusion detection.
      - automatic policy generation.
    
    With a correctly configured policy the impact of programming errors in
    system daemons can be constrained significantly.
    
    Monkey.org is currently running systrace for over 200 users including
    system daemons like Apache.
    
    I have been running all my third-party applications under systrace
    with automatic policy enforcement.  Policy violations are logged
    to syslog.  For example, when adding a new user to GAIM, systrace
    discovered the following bug:
    
     Jun 18 13:45:14 schwartau systrace: user: provos, prog:
     /usr/local/bin/gaim, pid: 7107(0), policy: /usr/local/bin/gaim,
     filters: 92, syscall: native-chmod(15), filename:
     /usr/home/provos/presentations/m 1 g CITI b lakrimi:lk ... , mode: 600
    
    Gaim attempts to chmod the buddy list but uses its content as filename
    instead.
    
    In OpenBSD, we take a very pro-active approach to security and have
    integrated systrace into the base system.  It has recently been
    integrated into NetBSD, as well.
     
    You can find more information at
    
      http://www.citi.umich.edu/u/provos/systrace/
    
    Regards,
      Niels Provos.
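The syslog violation line quoted in the message has a regular "key: value" shape, so the denials systrace logs under automatic enforcement can be parsed and grouped per program for review. The following is an added example (not code from the post or from systrace); it reuses the GAIM line from the message and adds constructed entries for a hypothetical httpd instance.

```python
import re

# Constructed sample syslog excerpt (example data, not from the original post).
# Line 1 is the GAIM violation quoted in the message, rejoined onto one line;
# the remaining lines are made-up entries for a hypothetical host.
SAMPLE_LOG = """\
Jun 18 13:45:14 schwartau systrace: user: provos, prog: /usr/local/bin/gaim, pid: 7107(0), policy: /usr/local/bin/gaim, filters: 92, syscall: native-chmod(15), filename: /usr/home/provos/presentations/m 1 g CITI b lakrimi:lk ... , mode: 600
Jun 18 13:46:02 schwartau sshd[512]: Accepted publickey for provos from 10.0.0.5 port 4022
Jun 18 13:47:30 schwartau systrace: user: www, prog: /usr/local/sbin/httpd, pid: 9001(0), policy: /usr/local/sbin/httpd, filters: 40, syscall: native-fswrite(5), filename: /etc/passwd
Jun 18 13:47:31 schwartau systrace: user: www, prog: /usr/local/sbin/httpd, pid: 9001(0), policy: /usr/local/sbin/httpd, filters: 40, syscall: native-fork(2)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) systrace: (?P<body>.*)$")
SYSCALL_RE = re.compile(r"^(?P<emul>\w+)-(?P<name>\w+)\((?P<num>\d+)\)$")
HEADER_KEYS = ("user", "prog", "pid", "policy", "filters", "syscall")

def parse_fields(body: str) -> dict:
    """Split 'key: value, key: value'; a ', ' inside a value (the GAIM filename has one) stays with its key."""
    fields, last = {}, None
    for piece in body.split(", "):
        key, sep, value = piece.partition(": ")
        if sep and re.fullmatch(r"\w+", key):
            fields[key], last = value.strip(), key
        elif last is not None:
            fields[last] += ", " + piece.strip()
    return fields

def parse_violation(line: str):
    """Parse one systrace denial into a dict; return None for any other syslog line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    f = parse_fields(m.group("body"))
    sc = SYSCALL_RE.match(f.get("syscall", ""))
    if sc is None or any(k not in f for k in HEADER_KEYS):
        return None
    return {"timestamp": m.group("ts"), "host": m.group("host"), "user": f["user"],
            "prog": f["prog"], "policy": f["policy"], "pid": int(f["pid"].split("(")[0]),
            "emulation": sc.group("emul"), "syscall": sc.group("name"),
            "args": {k: v for k, v in f.items() if k not in HEADER_KEYS}}  # e.g. filename, mode

def violations_by_program(log_text: str) -> dict:
    """Group denied syscalls per program: the view an admin scans to spot a buggy or misbehaving process."""
    summary = {}
    for line in log_text.splitlines():
        v = parse_violation(line)
        if v is not None:
            summary.setdefault(v["prog"], []).append((v["syscall"], v["args"].get("filename")))
    return summary
```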
    



    This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 14:30:44 PDT