On Sun, Mar 23, 2003 at 05:20:47PM -0500, Jose Nazario wrote: > have a look at systrace. you can block or log with pass arbitrary syscalls > tied to program names. > > http://www.citi.umich.edu/u/provos/systrace/linux.html > > for reference, various people have looked at the idea of tracking syscall > paths as a method to detect anomalies. systrace is currently stateless, > but with some work it could be made stateful. its just hard to express a > directed graph of syscalls. Or try subterfugue: It uses ptrace(2) to do the job and it's written (mostly) in Python. It is a framework for syscall tracking modules (Tricks) which can be written in Python in a very simple way (a class with callbefore(pid, call, args...) and callafter(pid, call, args) methods). More Tricks can be load at a time and work in FI-FO order around syscalls (LI-FO). It can do anything with it's args or with the result of the call (including killing it of course and (experimental?) support for syscall inserting and restarting syscalls). Works in Linux 2.2.x and 2.4.x (better), Python 2.1 and lower (Debian has 2.2+ port?) Written by Mike Coleman and Pavel Machek. It's free (GPL). For more, see: http://subterfugue.org/ I have made stateful tracking Trick to subterfugue recently. It's in current CVS, not much tested and whole subterfugue itself seems a bit experimental still (and has some unresolved issues), but for some tasks seems to work pretty good. StateTrick provides different syscall restrictions/environment in different parts of the process execution history. Those parts (states) are defined through stateful automaton working with (syscall,args). It can also load other Tricks and enable them in different states. It's currently not much documented and well tested, but can be downloaded from current CVS. $ sf -h -t State This is subterfugue. It is used to play various specified tricks on a command. usage: sf [OPTIONS]... [<COMMAND> [<COMMAND-OPTIONS>...]] -t, --trick=TRICK[:OPTIONS] use TRICK with OPTIONS -o, --output=FILE direct sf output to FILE -o, --output=N direct sf output to file descriptor N -d, --debug show debugging output -n, --failnice allow kids to live on if sf aborts -h, --help output help, including for TRICKs, and exit -V, --version output version information and exit --waitchannelhack enable kludge (required for unpatched 2.3.99-2.4.0test9) --slowmainloop disable fast C loop (for debugging) --nowall run w/o wait __WALL flag (bogus 2.2 support) StateTrick can change program's execution restrictions dynamically according to program's execution history. It can also load other tricks and disable/enable them at runtime. When program calls syscall that is not allowed in current state, it is killed and the state and call(args) are reported. options: config = filename ... state machine configuration file verbose = <n> ... verbosity, default = 0 example: $ sf -t State:'config = State.conf' naughty_app Configuration file syntax: <mandatory> [voluntary] # comment IGNORE <syscall_name> [<syscall_name2> [...]] WATCH <syscall_name> [<syscall_name2> [...]] DEFINE <trick_name> <trick> STATE <state_name> TRICKS <trick_name> [<trick_name2> [...]] <syscall_name>([args]) [-> <new_state_name> [-> <fork_child_state>]] Configuration file example: --------------------------- # define Tricks DEFINE TRACE Trace DEFINE TRACEFS Trace:call=["open", "close", "read", "fstat64"] DEFINE COUNT Count # ignore those calls (allowed, won't change states) # IGNORE brk fstat64 # define state, 'START' is implicit STATE START # those tricks will be enabled (active) in this state TRICKS TRACE COUNT # define calls allowed in this state uname() # regexp ([a-z] works), but '*' means '[^/]*' and '.' means '\.' open(/etc/ld.so.*,0,) open(/lib/libc*,0,) mmap(-1073749156) # munmap will change program's state to state 'FORKING' munmap() -> FORKING # other syscalls than those defined above are not allowed in START # (IGNORED and not WATCHED are allowed too) # define new state, no tricks enabled here STATE FORKING # parent will go to state FORKED, child goes to state CHILD fork() -> FORKED -> CHILD STATE FORKED mmap() wait4() munmap() -> FINISH STATE CHILD TRICKS TRACEFS mmap() write() munmap() -> FINISH STATE FINISH _exit() ---------------------------- TODO: more documentation -- Martin Mačok http://underground.cz/ martin.macokat_private http://Xtrmntr.org/ORBman/
This archive was generated by hypermail 2b30 : Mon Mar 24 2003 - 10:11:21 PST