How to prevent a system call using ptrace

I am working on a system similar to Ideone, where untrusted user code has to run in isolation.

For this I have been looking at the ptrace facilities as a first level of protection. However, after several experiments it seems that:

  • I can intercept a system call before it is executed and change its input arguments.
  • I can intercept the system call after it is executed and change its return value.
  • However, there seems to be no way to prevent the call from happening at all (other than killing the entire application).

I want to intercept some system calls and return a fake result code without actually executing them. Is there any way to implement this?

+7
2 answers

Please keep in mind that your sandbox can only be secure if the code it runs is not multi-threaded. You will also need to be very careful to prevent the sandboxed code from escaping.

See, for example, the following discussion of a paper by Robert Watson:

Exploiting races in system call wrappers

The paper is linked from that article, but I will also give the link here:

Exploiting Concurrency Vulnerabilities in System Call Wrappers

The best approach still seems to be the one Watson recommends: integrate the security framework fully into the kernel and take care in how it is used so as to avoid concurrency issues. Linux, NetBSD, Mac OS X and other security-conscious systems already provide such frameworks, so all that is needed on these systems is to implement your policies within the existing infrastructure. That is, do not even try to implement your security policies in system call wrappers or other system call interposition mechanisms.

+2

You can skip the instruction making the system call by incrementing the IP (instruction pointer), so the call will not be completed, and you can then set the return value as usual.

Edit:

There is a ptrace wrapper called pinktrace, which should make your work easier; more information is here:

https://security.stackexchange.com/questions/8484/wrapping-system-call-in-reliable-and-secure-way

+1
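The following is an added example, not code from either answer or from the pinktrace project. It shows one way a tracer can stop a traced child from ever executing a chosen system call and hand it a fake result instead, which is what the question asks for. Rather than bumping the instruction pointer as the answer above suggests, it uses the approach documented in ptrace(2) and used by strace's syscall tampering: at the syscall-entry stop it overwrites the syscall number (`orig_rax`) with -1, so the kernel dispatches nothing and returns -ENOSYS; at the matching syscall-exit stop it overwrites `rax` with the value the sandboxed program should see. It assumes Linux on x86-64 with glibc; the directory name, the `SKIP_*` codes and the function names are constructed for this example.

```c
/* Added example: a minimal ptrace "syscall filter" for Linux x86-64.
 * Blocks one syscall (mkdir here) in a traced child and returns -EPERM to it
 * without the kernel ever running the real mkdir. Not the thread's own code. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>

#define SKIP_NO_PTRACE  (-2)  /* PTRACE_TRACEME refused (seccomp, Yama ptrace_scope, ...) */
#define SKIP_NOT_X86_64 (-3)  /* register names below are x86-64 specific */
#define CHILD_NO_PTRACE 200   /* exit code the child uses to report SKIP_NO_PTRACE */

/* Constructed path; it must never come into existence if the filter works. */
static const char *kForbiddenDir = "ptrace_demo_must_not_exist.d";

/* Untrusted side: ask to be traced, then attempt the forbidden syscall.
 * Exits with the errno it observed (0 would mean mkdir "succeeded"). */
static int sandboxed_child(void)
{
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        return CHILD_NO_PTRACE;
    raise(SIGSTOP);                         /* give the tracer a chance to set options */
    long r = syscall(SYS_mkdir, kForbiddenDir, 0700);
    return r == -1 ? errno : 0;
}

#if defined(__x86_64__)
/* Tracer: every syscall numbered `blocked_nr` is neutralised and the child
 * sees `fake_ret` (a negative errno, as the raw kernel ABI expects).
 * Returns the child's exit status, or -1 on a tracer error. */
static int trace_and_filter(pid_t pid, long blocked_nr, long fake_ret)
{
    int status, in_syscall = 0, fix_up_pending = 0, sig = 0;

    if (waitpid(pid, &status, 0) == -1) return -1;
    if (WIFEXITED(status)) return WEXITSTATUS(status);      /* TRACEME failed */
    /* SYSGOOD marks syscall stops with SIGTRAP|0x80 so they cannot be
     * confused with a genuine SIGTRAP raised by the child. */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);

    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1) return -1;
        sig = 0;
        if (waitpid(pid, &status, 0) == -1) return -1;
        if (WIFEXITED(status)) return WEXITSTATUS(status);
        if (WIFSIGNALED(status)) return -1;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) {
            sig = WSTOPSIG(status);         /* ordinary signal: re-inject it unchanged */
            continue;
        }
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1) return -1;
        if (!in_syscall) {                  /* syscall-entry stop */
            in_syscall = 1;
            if ((long)regs.orig_rax == blocked_nr) {
                regs.orig_rax = (unsigned long long)-1;   /* no such syscall: nothing runs */
                if (ptrace(PTRACE_SETREGS, pid, NULL, &regs) == -1) return -1;
                fix_up_pending = 1;
            }
        } else {                            /* syscall-exit stop */
            in_syscall = 0;
            if (fix_up_pending) {
                regs.rax = (unsigned long long)fake_ret;  /* replace -ENOSYS with our answer */
                if (ptrace(PTRACE_SETREGS, pid, NULL, &regs) == -1) return -1;
                fix_up_pending = 0;
            }
        }
    }
}
#endif

/* Runs the whole experiment. Returns the errno the child observed (EPERM when
 * the filter worked), -1 if the directory was created after all, or a SKIP_*
 * code when this environment cannot run the demonstration. */
int demo_block_mkdir(void)
{
#if !defined(__x86_64__)
    return SKIP_NOT_X86_64;
#else
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) _exit(sandboxed_child());

    int child_status = trace_and_filter(pid, SYS_mkdir, -EPERM);
    if (child_status == CHILD_NO_PTRACE) return SKIP_NO_PTRACE;
    /* The decisive check: the blocked syscall must have left no side effect. */
    if (access(kForbiddenDir, F_OK) == 0) { rmdir(kForbiddenDir); return -1; }
    return child_status;
#endif
}

int main(void)
{
    int r = demo_block_mkdir();
    if (r == EPERM) puts("mkdir was never executed; the child saw EPERM");
    else printf("unexpected result: %d\n", r);
    return r == EPERM ? 0 : 1;
}
```

The example decides purely on the syscall number, which lives in a register of the stopped thread, so it is not exposed to the argument-copy races the first answer warns about; a filter that inspected pointer arguments (the path string, in this case) from the child's memory would be, since another thread or a shared mapping can rewrite that memory between the tracer's check and the kernel's copy. That is the reason to keep real policy decisions in the kernel (on Linux, seccomp-bpf) and to use ptrace tampering of this kind only where the decision depends on nothing the tracee can change after the stop.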
