qemu-devel.nongnu.org archive mirror
* [Qemu-devel] syscall filtering
@ 2004-11-23 14:19 Magnus Damm
  2004-11-23 14:33 ` Paul Brook
  2004-11-23 22:40 ` J. Mayer
  0 siblings, 2 replies; 5+ messages in thread
From: Magnus Damm @ 2004-11-23 14:19 UTC (permalink / raw)
  To: qemu-devel

Hello,

While Piotrek is thinking about securing the system emulator, I am more
interested in syscall filtering. I have not thought about it too much,
but the idea (if possible) would be to run qemu as a filter for certain
binaries on your machine. Basically, you run i386-user with filters on an
i386 machine.

fakeroot-replacement:
---------------------
fakeroot is nice, but is only working for dynamically linked binaries.
Using the qemu user emulator to filter syscalls would make it possible
to have a fakeroot that works for any binary. As long as the binary
doesn't try to do any root-activities in the kernel that is.

securing scripts:
-----------------
Trojans hiding in configure-scripts, how fun is that? Remember?
http://www.mavetju.org/unix/openssh-trojan.php
By executing the configure script (and all children) in an environment
that detects and disables network activity I would feel safe(r).

/ magnus


* Re: [Qemu-devel] syscall filtering
  2004-11-23 14:19 [Qemu-devel] syscall filtering Magnus Damm
@ 2004-11-23 14:33 ` Paul Brook
  2004-11-23 22:40 ` J. Mayer
  1 sibling, 0 replies; 5+ messages in thread
From: Paul Brook @ 2004-11-23 14:33 UTC (permalink / raw)
  To: qemu-devel

On Tuesday 23 November 2004 14:19, Magnus Damm wrote:
> Hello,
>
> While Piotrek is thinking about securing the system emulator, I am more
> interested in syscall filtering. I have not thought about it too much,
> but the idea (if possible) would be to run qemu as a filter for certain
> binaries on your machine. Basically, you run i386-user with filters on an
> i386 machine.

You would also need to add memory access protection. With the current user 
emulation it is possible for the emulated application to directly modify the 
emulator state.

Paul


* Re: [Qemu-devel] syscall filtering
  2004-11-23 14:19 [Qemu-devel] syscall filtering Magnus Damm
  2004-11-23 14:33 ` Paul Brook
@ 2004-11-23 22:40 ` J. Mayer
  2004-11-23 22:48   ` [Qemu-devel] " Ben Pfaff
  2004-11-24 15:17   ` [Qemu-devel] " Philipp Gühring
  1 sibling, 2 replies; 5+ messages in thread
From: J. Mayer @ 2004-11-23 22:40 UTC (permalink / raw)
  To: qemu-devel

On Tue, 2004-11-23 at 15:19, Magnus Damm wrote:
> Hello,
> 
> While Piotrek is thinking about securing the system emulator, I am more
> interested in syscall filtering. I have not thought about it too much,
> but the idea (if possible) would be to run qemu as a filter for certain
> binaries on your machine. Basically, you run i386-user with filters on an
> i386 machine.

What about systrace ?
http://www.citi.umich.edu/u/provos/systrace/index.html

You never need an emulator to filter syscalls on Unix: take a look at the
ptrace syscall, especially PTRACE_SYSCALL request, all needed features
are already there...
-- 
J. Mayer <l_indien@magic.fr>
Never organized
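
The PTRACE_SYSCALL approach named in the message above, applied to the "disable network activity" idea from the start of the thread. This is an added example, not code from any poster or from QEMU. It assumes x86-64 Linux, traces a single process without following forks, and decides only on the syscall number held in a register; `probe` and `run_filtered` are hypothetical names.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

int probe(void) {   /* constructed stand-in for one step of an untrusted script */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    return (fd < 0 && errno == EPERM) ? 0 : 1;   /* 0: the filter stopped it */
}
/* Run fn() in a traced child; returns its exit code, or -1 on tracer error. */
int run_filtered(int (*fn)(void), int *denied) {
    struct user_regs_struct regs;                /* x86-64 register layout */
    int status, entering = 1, blocked = 0;
    long sig = 0, opts = PTRACE_O_TRACESYSGOOD | PTRACE_O_EXITKILL;
    pid_t pid = fork();
    *denied = 0;
    if (pid < 0) return -1;
    if (pid == 0) {   /* child: ask to be traced, stop until the parent is ready */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(126);
        raise(SIGSTOP); _exit(fn());
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)opts);
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)sig) < 0) return -1;
        if (waitpid(pid, &status, 0) < 0 || WIFSIGNALED(status)) return -1;
        if (WIFEXITED(status)) return WEXITSTATUS(status);
        sig = WSTOPSIG(status) == (SIGTRAP | 0x80) ? 0 : WSTOPSIG(status);
        if (sig) continue;                       /* real signal: forward it */
        ptrace(PTRACE_GETREGS, pid, NULL, &regs);
        if (entering && (regs.orig_rax == SYS_socket || regs.orig_rax == SYS_connect)) {
            regs.orig_rax = -1;   /* invalid number: the kernel runs nothing */
            blocked = 1; (*denied)++;
            ptrace(PTRACE_SETREGS, pid, NULL, &regs);
        } else if (!entering && blocked) {
            regs.rax = -EPERM; blocked = 0;      /* child's libc sets errno */
            ptrace(PTRACE_SETREGS, pid, NULL, &regs);
        }
        entering = !entering;
    }
}
int main(void) {
    int denied, rc = run_filtered(probe, &denied);
    return printf("child exit=%d denied=%d\n", rc, denied) < 0 || rc != 0;
}
```

A wrapper for real scripts would exec the target instead of calling a function and would follow children with PTRACE_O_TRACEFORK and related options, which this example leaves out.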


* [Qemu-devel] Re: syscall filtering
  2004-11-23 22:40 ` J. Mayer
@ 2004-11-23 22:48   ` Ben Pfaff
  2004-11-24 15:17   ` [Qemu-devel] " Philipp Gühring
  1 sibling, 0 replies; 5+ messages in thread
From: Ben Pfaff @ 2004-11-23 22:48 UTC (permalink / raw)
  To: qemu-devel

"J. Mayer" <l_indien@magic.fr> writes:

> What about systrace ?
> http://www.citi.umich.edu/u/provos/systrace/index.html

Unless systrace has been improved recently it suffers from race
conditions:
        http://www.stanford.edu/~talg/papers/traps/traps-ndss03.pdf
        http://www.stanford.edu/~blp/papers/ostia.pdf
-- 
Ben Pfaff 
email: blp@cs.stanford.edu
web: http://benpfaff.org


* Re: [Qemu-devel] syscall filtering
  2004-11-23 22:40 ` J. Mayer
  2004-11-23 22:48   ` [Qemu-devel] " Ben Pfaff
@ 2004-11-24 15:17   ` Philipp Gühring
  1 sibling, 0 replies; 5+ messages in thread
From: Philipp Gühring @ 2004-11-24 15:17 UTC (permalink / raw)
  To: qemu-devel


Hi,

> You never need an emulator to filter syscalls on Unix: take a look at the
> ptrace syscall, especially PTRACE_SYSCALL request, all needed features
> are already there...

The problem is that many applications are ptrace-resistant, so systrace does 
not work there. You need a complete emulator for those applications.

Many greetings,
Philipp Gühring


