external policy enforcement [Re: Apache httpd: vulnerability...]
From: Niels Provos <provos () citi umich edu>
Date: Tue, 18 Jun 2002 15:03:08 -0400
External policy enforcement is a mechanism to prevent system
compromise due to exploitable vulnerabilities in complicated
applications like the Apache web server.
A separate process enforces what kind of access an application has to
the system. For a simple Apache configuration that might include
binding to port 80, reading documents in the document root and writing
to log files, but nothing else.
Previously, policy configuration has been very difficult. However, I
just released a subsystem called systrace that provides fine-grained
confinement of multiple applications with multiple policies.
One of its main features is a mode to interactively generate policies
for applications using a graphical dialog. A policy can be generated
in a few minutes. An administrator can also use systrace's automatic
policy generation mode and tailor the resulting policy to her needs.
- confinement of complex or untrusted binary applications.
- interactive policy generation with graphical user interface.
- support for different emulations: GNU/Linux, BSDI, etc.
- non-interactive policy enforcement.
- remote monitoring and intrusion detection.
- automatic policy generation.
With a correctly configured policy the impact of programming errors in
system daemons can be constrained significantly.
Monkey.org is currently running systrace for over 200 users including
system daemons like Apache.
I have been running all my third-party applications under systrace
with automatic policy enforcement. Policy violations are logged
to syslog. For example, when adding a new user to GAIM, systrace
discovered the following bug:
Jun 18 13:45:14 schwartau systrace: user: provos, prog:
/usr/local/bin/gaim, pid: 7107(0), policy: /usr/local/bin/gaim,
filters: 92, syscall: native-chmod(15), filename:
/usr/home/provos/presentations/m 1 g CITI b lakrimi:lk ... , mode: 600
Gaim attempts to chmod the buddy list but uses its content as the filename.
In OpenBSD, we take a very pro-active approach to security and have
integrated systrace into the base system. It has recently been
integrated into NetBSD, as well.
You can find more information at
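As an added example (not part of this post, and not systrace's own code): a small Python script that parses systrace's syslog violation records, starting from the GAIM record quoted above, and checks individual syscall requests against an allow-list shaped like the Apache policy described at the top of the post (bind to port 80, read the document root, write log files, nothing else). The rule tuples, the paths under /var/www, and the "inet-*:80" address form are my assumptions for illustration; a real systrace policy is a text file of rules such as `native-fsread: filename match "/var/www/htdocs/*" then permit`, enforced by the systrace kernel hook and daemon rather than by this script.

```python
"""Parse systrace policy-violation syslog records and evaluate syscall
requests against a small allow-list policy. Added example; the policy
engine below is a toy in the spirit of systrace, not systrace itself."""

import fnmatch
import re

# Constructed sample: the GAIM violation record from the post, re-joined
# onto the single syslog line that systrace emits (the archive wrapped it).
SAMPLE_VIOLATION = (
    "Jun 18 13:45:14 schwartau systrace: user: provos, prog: /usr/local/bin/gaim, "
    "pid: 7107(0), policy: /usr/local/bin/gaim, filters: 92, "
    "syscall: native-chmod(15), filename: "
    "/usr/home/provos/presentations/m 1 g CITI b lakrimi:lk ... , mode: 600"
)

# "key: value" pairs separated by ", "; a value runs until the next ", key: "
# or the end of the record, so a filename containing spaces survives intact
# (a filename containing ", word: " would still confuse it).
_FIELD_RE = re.compile(r"(\w+): (.*?)(?=, \w+: |$)")
# "native-chmod(15)" -> name and syscall number
_SYSCALL_RE = re.compile(r"^(?P<name>[\w-]+)\((?P<number>\d+)\)$")


def parse_violation(line):
    """Return the fields of a systrace violation record as a dict, or None
    when the line is not a systrace record. The syscall field is split into
    its name and number; timestamp and host come from the syslog prefix."""
    prefix, sep, body = line.partition(" systrace: ")
    if not sep:
        return None
    fields = {key: value.strip() for key, value in _FIELD_RE.findall(body)}
    m = _SYSCALL_RE.match(fields.get("syscall", ""))
    if m:
        fields["syscall"] = m.group("name")
        fields["syscall_number"] = int(m.group("number"))
    fields["timestamp"], _, fields["host"] = prefix.rpartition(" ")
    return fields


# Assumed Apache policy: (syscall, argument name, glob pattern) -> permit.
# Anything no rule covers is denied. Paths and the "inet-*:80" address
# spelling are assumptions for this example.
APACHE_POLICY = [
    ("native-bind",    "sockaddr", "inet-*:80"),           # listen on port 80
    ("native-fsread",  "filename", "/var/www/htdocs/*"),   # serve the document root
    ("native-fswrite", "filename", "/var/www/logs/*"),     # append to log files
]


def evaluate(policy, syscall, **args):
    """Return "permit" if some rule matches the syscall and its argument,
    otherwise "deny" (default-deny: the web server gets nothing else)."""
    for rule_syscall, argname, pattern in policy:
        if rule_syscall != syscall:
            continue
        value = args.get(argname)
        if value is not None and fnmatch.fnmatchcase(value, pattern):
            return "permit"
    return "deny"


def alert_line(record):
    """One-line summary of a parsed violation, as a monitor would forward it."""
    return (f"{record['host']} user={record['user']} prog={record['prog']} "
            f"syscall={record['syscall']} filename={record.get('filename', '')!r}")


if __name__ == "__main__":
    rec = parse_violation(SAMPLE_VIOLATION)
    print(alert_line(rec))
    for call, args in [("native-bind", {"sockaddr": "inet-[0.0.0.0]:80"}),
                       ("native-bind", {"sockaddr": "inet-[0.0.0.0]:8080"}),
                       ("native-fsread", {"filename": "/var/www/htdocs/index.html"}),
                       ("native-fswrite", {"filename": "/etc/passwd"})]:
        print(call, args, "->", evaluate(APACHE_POLICY, call, **args))
```

Running the script prints the GAIM record as a one-line alert (the garbage filename is exactly what makes the bug visible) and shows the toy policy permitting the port-80 bind, the document-root read and the log write while denying everything else, which is the confinement the post describes for a simple Apache configuration.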