Subject: Re: oooh! neat new toy!!!
To: Steven M. Bellovin <smb@research.att.com>
From: Dug Song <dugsong@monkey.org>
List: tech-security
Date: 05/31/2002 18:00:10
On Fri, May 31, 2002 at 05:41:02PM -0400, Steven M. Bellovin wrote:

> Yes and no.  I'm very concerned about the false positive rate --
> programs do all sorts of different things, depending on minor
> environmental changes.

user/program behaviour at the syscall level is surprisingly regular.
maybe our users are just boring and predictable people? :-)

> For example, suppose you use nmh and you've tweaked
> /usr/pkg/etc/nmh/mts.conf to add some smtp servers.  Most of the
> time, you'll use the first one in the list -- but if it's down or
> unreachable, you'll use the next one.

a single rule can cover this:

	native-connect: sockaddr match "*:25" then permit

in conjunction with the uid/gid-based rules in OpenBSD pf, this is
very powerful. it would be nice to have such predicates in systrace
itself, however.

> I'm also sure that getting the right ruleset for a given program is
> going to take a lot more work than you think.

actually, it's really not that bad. :-)

we're running systrace in production on monkey.org for all user
sessions (over 200 users, and about as many program policies),
starting from a modified login shell.

what we've found is that you can generate policy very quickly, since
there are really only a few syscalls you MUST audit (fork/exec, open,
connect, etc.) and many that are fine to otherwise include by default.

a little bit of Makefile infrastructure and cpp magic, and the cost of
generating policy for new programs (or updating policy for existing
ones) is very low.

-d.

---
http://www.monkey.org/~dugsong/
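An added example, not from the thread, showing what a policy built the way the message describes looks like: a systrace policy for a hypothetical nmh mail submission program (the binary path /usr/pkg/libexec/nmh/post and the library and scratch paths are assumptions; only /usr/pkg/etc/nmh/ comes from the thread). The handful of syscalls the message says must be audited (exec, file reads and writes, connect) get explicit rules, with the single "*:25" rule covering any SMTP server listed in mts.conf, so fail-over to the second host is not a violation, and the rest are permitted by default.

```text
Policy: /usr/pkg/libexec/nmh/post, Emulation: native
	native-fsread: filename match "/usr/pkg/etc/nmh/*" then permit
	native-fsread: filename match "/usr/lib/*" then permit
	native-fsread: filename eq "/etc/resolv.conf" then permit
	native-fsread: filename match "/usr/pkg/lib/*" then permit
	native-connect: sockaddr match "*:25" then permit
	native-connect: deny[eperm] log
	native-exec: deny[eperm] log
	native-fswrite: filename match "/tmp/*" then permit
	native-fswrite: deny[eperm] log
	native-socket: permit
	native-fstat: permit
	native-close: permit
	native-read: permit
	native-write: permit
	native-mmap: permit
	native-munmap: permit
	native-mprotect: permit
	native-break: permit
	native-__sysctl: permit
	native-exit: permit
```

The unconditional deny rules sit after the permit rules for the same syscall so that the first matching rule wins; the log modifier on them is what produces the audit record when a program connects, execs or writes somewhere the policy did not anticipate.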