Re: Process system call access list.

[Willy Tarreau <willy@w.ods.org>]

Hi,

On Sun, Jan 16, 2005 at 02:00:22PM -0500, Bill Pringlemeir wrote:
> 
> [please CC me.]
> 
> I was looking at phrack and many of the remote exploits rely on
> injecting some arbitrary code.  Generally is is something like
> 'exec("/bin/sh")' or something like that.
> 
> I was wondering if a section could be added to the link phase of a
> user application that would keep a list/bit mask of all kernel calls
> that the compiler had encountered in some section.
> 
> When the kernel loaded a process, it would keep a copy of the bit mask
> and perform a comparison to see if the process was intended to make
> the system call (perhaps only a sub-set of the entire system calls are
> needed).

A friend of mine worked on something a bit like this for kernel 2.2. He
had a module which accepted syscall-based sets of rules based on prog
name, pid, uid, argument size and values, etc... He could even execute
code before and after the syscall (he could use it to keep an image of
what 'make install' touches). The goal was to identify all syscalls
needed from opensource programs through code reviewing, and try to
identify them using strace for closed-source programs (or simply let
them be vulnerable). We found it useful to protect against some attacks
on network-only programs; For example, a reverse-proxy has no reason to
either fork, exec, mount, mknod, etc... We did not have time to port this
to 2.4. However, now that the syscall_table is unexported, this is history.

There are other programs which do more or less the same (systrace comes
to mind). But in your case where the compiler gives the syscall list itself,
I have no knowledge of any similar tool. But I fear that if the bitmask is
kept within an ELF section, the attacker would first have to rewrite the
mask before using syscalls again (or put it in an RO section ?).

Regards,
Willy