hubertf's NetBSD Blog
Send interesting links to hubert at feyrer dot de!
 
[20080225] Rationale on removing systrace from NetBSD
According to www.systrace.org, ``Systrace enforces system call policies for applications by constraining the application's access to the system. The policy is generated interactively. Operations not covered by the policy raise an alarm, allowing a user to refine the currently configured policy. It is available for OpenBSD, NetBSD and Linux.'' Systrace was removed from NetBSD-current a few weeks ago, without much discussion. Asked what the rationale behind this was, Christos Zoulas explained:

    ``The current implementation has security issues resulting from using the stackgap to pass modified arguments to syscalls. This is easier to understand with multi-threaded programs: since systrace is using the stackgap to pass modified arguments to syscalls, a second thread can overwrite those arguments after systrace placed them but before the first thread executed the syscall. Fixing this would require a completely different mechanism to pass arguments to syscalls, perhaps having a wrapper for each syscall to accommodate systrace (and receive arguments in kernel space) and avoid TOCTOU races.''

David Laight adds:

    ``The big problem with the stackgap is that it was per-process, so in a multithreaded program systrace would be trying to use the same memory area for the modified arguments of more than one concurrent system call!

    The bigger problem is that, because systrace is used to enforce security policy (rather than just trace process execution), if systrace validates any user-space buffers (eg pathnames) it must validate a copy that isn't mapped writably into the address space of any other programs, and then pass the copy into the system call. This is necessary whether the buffer is accepted as-is, or adjusted.

    It is easy to see how a threaded program can circumvent such checks, but it is also possible for a non-threaded program to arrange to have a buffer area writable by another process.

    Oh, and systrace has never been able to modify the arguments of netbsd32 (and linux32) emulated binaries.''

With NetBSD's previous big-lock based SMP implementation and with thread scheduling done in userland, the problem was perhaps less pressing. With NetBSD moving towards proper kernel thread scheduling and multiple CPUs running inside the kernel at the same time, the window between systrace's check of an argument and the system call that consumes it becomes a real issue, and, as sad as it is to lose systrace, the step taken was the right one. Anyone missing systrace is welcome to fix the passing of system call arguments as outlined by David.
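To make the race Christos and David describe concrete, here is an added illustration in C. It is not code from this blog, from systrace or from NetBSD, but a small model: a "monitor" checks a pathname that lives in a buffer every thread of the traced process can write (standing in for the per-process stackgap), a second thread rewrites that buffer between the check and the simulated system call, and the kernel then reads the rewritten value. The policy (only paths below /tmp/ may be opened), the file names and the barriers that force the losing interleaving are all constructed for the demo; real systrace would hit the same window non-deterministically. The second mode shows David's remedy: copy the argument in once, validate the copy, and hand only the copy to the system call.

```c
/* Added illustration, not code from the blog or from systrace/NetBSD.
 * Deterministic model of a TOCTOU race on a shared argument buffer.
 * Build on Linux with: cc -pthread toctou.c
 */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdio.h>
#include <string.h>

#define DEMO_PATH_MAX 128

/* Shared buffer standing in for the stackgap / user-space argument area:
 * every thread of the traced process can write it at any time. */
static char user_path[DEMO_PATH_MAX];

/* Constructed sample: the path the racing thread substitutes. */
static const char *const SWAPPED_IN = "/etc/master.passwd";

static pthread_barrier_t checked;   /* monitor has finished its check  */
static pthread_barrier_t swapped;   /* racing thread has rewritten arg  */

/* Toy policy standing in for a systrace rule: only paths below /tmp/. */
static int policy_allows(const char *path)
{
    return strncmp(path, "/tmp/", 5) == 0;
}

/* Second thread of the "traced" process: wait until the monitor has
 * approved the buffer, overwrite it, then let the system call proceed. */
static void *racing_thread(void *unused)
{
    (void)unused;
    pthread_barrier_wait(&checked);
    strncpy(user_path, SWAPPED_IN, DEMO_PATH_MAX - 1);
    user_path[DEMO_PATH_MAX - 1] = '\0';
    pthread_barrier_wait(&swapped);
    return NULL;
}

/* Simulated mediation of open(2) on `requested`.
 * validate_copy == 0: check the shared buffer in place and let the kernel
 *                     read it again afterwards (the systrace design).
 * validate_copy == 1: copy the argument once into private storage, check
 *                     the copy and pass only the copy on (David's remedy).
 * Returns the path the simulated kernel actually opens, or "DENIED". */
const char *mediate_open(const char *requested, int validate_copy)
{
    static char opened[DEMO_PATH_MAX];
    char private_copy[DEMO_PATH_MAX];
    const char *arg;
    pthread_t tid;
    int allowed;

    strncpy(user_path, requested, DEMO_PATH_MAX - 1);
    user_path[DEMO_PATH_MAX - 1] = '\0';

    pthread_barrier_init(&checked, NULL, 2);
    pthread_barrier_init(&swapped, NULL, 2);
    pthread_create(&tid, NULL, racing_thread, NULL);

    if (validate_copy) {
        /* Single copy-in; this is the only data the kernel will see. */
        memcpy(private_copy, user_path, DEMO_PATH_MAX);
        arg = private_copy;
    } else {
        arg = user_path;            /* the check runs on shared memory */
    }
    allowed = policy_allows(arg);

    /* The window: the monitor has decided, the syscall has not run yet.
     * The barriers hand control to the racing thread exactly here. */
    pthread_barrier_wait(&checked);
    pthread_barrier_wait(&swapped);

    if (allowed)
        strncpy(opened, arg, DEMO_PATH_MAX - 1);   /* kernel reads arg now */
    else
        strncpy(opened, "DENIED", DEMO_PATH_MAX - 1);
    opened[DEMO_PATH_MAX - 1] = '\0';

    pthread_join(tid, NULL);
    pthread_barrier_destroy(&checked);
    pthread_barrier_destroy(&swapped);
    return opened;
}

int main(void)
{
    printf("in-place check : opens %s\n", mediate_open("/tmp/allowed", 0));
    printf("checked copy   : opens %s\n", mediate_open("/tmp/allowed", 1));
    printf("denied request : opens %s\n", mediate_open("/etc/master.passwd", 1));
    return 0;
}
```

The first call shows the bypass: the monitor approved "/tmp/allowed", but the kernel opens "/etc/master.passwd". The second call keeps the same racing thread and the same rewrite, yet the copy the monitor checked is the copy the kernel uses, so the rewrite has no effect. Note that the copy must live somewhere no other thread or process can map writably, which is exactly the point David makes; a copy placed back into the shared stackgap would reopen the window.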



[20080225] Mondo catch-up on source-changes (~Aug '07 'till Feb '08)
In the context of Mark Kirby stopping his NetBSD CVS Digest, I felt an urge to catch up on source-changes and put up some of the items here that I haven't found mentioned or announced elsewhere (or that I've plainly missed), after digging through some 7,000 mails. All those changes are available in NetBSD-current today and will be in NetBSD 5.0:

  • Support for C99 complex arithmetic was added by importing the "cephes" math library
  • POSIX Message queues were added
  • bozohttpd was added as httpd.
  • the x86 bootloader now reads /boot.cfg to configure banner text, console device, timeout etc. - see boot.cfg(5)
  • ifconfig(8) now has a "list scan" command to scan for access points
  • SMP (multiprocessor) support is now enabled in i386 and amd64 GENERIC kernels
  • Processor-sets, affinity and POSIX real-time extensions were added, along with the schedctl(8) program to control scheduling of processes and threads.
  • systrace was removed, due to security concerns
  • the refuse-based Internet Access Node file system was committed, which provides a filesystem interface to FTP and HTTP, similar to the old alex file system, see http://mail-index.netbsd.org/source-changes/2007/08/28/0081.html
  • LKMs no longer depend on options MULTIPROCESSOR and LOCKDEBUG, i.e. it's easier now to reuse LKMs between kernels built with and without those options.
  • PCC, the Portable C Compiler whose origins lie in the very beginnings of Unix, was added to NetBSD. The idea is to use it as an alternative to the GNU C Compiler in the long run.
  • In addition to the iSCSI target (server) code that is already in NetBSD 4.0, there's also a refuse-based iSCSI initiator (client) now, see http://mail-index.netbsd.org/source-changes/2007/11/08/0038.html
Plus:
  • Many driver updates and new drivers, see your nearest GENERIC kernel config file
  • Many security updates, see list of security advisories
  • Many 3rd software packages that NetBSD ships with were updated: ipsec-tools (racoon), GCC 4.1, Automated Testing Framework 0.4, OpenSSH 4.7, wpa_supplicant and hostapd 0.6.2, OpenPAM Hydrangea
The above list is a mixed bag of items. There are a number of areas where very active development is going on in NetBSD. Andrew Doran is working further on SMP, fine-grained locking inside the kernel and interrupt priority handling. Antti Kantee has done more work on file systems (rump, puffs, refuse/fuse), and Jared McNeill and Jörg Sonnenberger have continued their work on NetBSD's power management framework. Those changes are large and far-reaching, and I've yet to look at them before I can report more here.

So much on this subject for now. If someone's willing to help out with continuing Mark Kirby's NetBSD CVS Digest either using his software-setup or by simply reading the list and writing a monthly/weekly digest of the "interesting" changes, I'd appreciate this very much. Put me on CC: for your postings! :)




[20070224] German language articles: Systrace, and Deleting Files Safely
Stefan Schumacher has mentioned two of his recent articles and presentations on regional-de:
  1. "Daten sicher löschen" (deleting files safely) talks about deleting files in a secure way. The posting also points to a NetBSD 4.0_BETA2 based Live CD called "NetBSD/Schrubber", as well as an article and slides for a presentation on the topic that Stefan will give at the Chemnitz Linuxdays 2007.

  2. "Systrace" contains an (also German language) introduction to what Systrace is and how to use it, including an article and presentation slides that Stefan gave at the GUUG Spring Talks 2007 and will give at the Chemnitz Linuxdays 2007.
Mmm, NetBSD advocacy at its best! :-)



[20060729] sysjail: a userland virtualisation system using systrace
Found via the #NetBSD community blog, I'm blogging this so I'll find it later when I'm looking for it in my tag list: ``sysjail is a userland virtualisation system for operating systems supporting the systrace library. It runs on OpenBSD and NetBSD. The first generation of sysjail is as close to a drop-in replacement for FreeBSD's jail subsystem as permitted. As with a jail, processes within a sysjail are disallowed resources belonging to the system proper, known as the "host" system, or other sysjail instances. While sysjail currently behaves as an OpenBSD implementation of jail, it has the potential to provide significant auditing, profiling and debugging tools allowing full auditing of intercepted system calls, run-time modification and extension of policies, etc. The sysjail sources are released mainly under the BSD 3-part license (see sources).''

See the sysjail homepage for more. If anyone tries this and has some experiences to share, please send mail to some NetBSD list (and CC: me :).




[20050913] Article: systrace in OpenBSD
It's a pity that so many authors just write for the one operating system they know, even if the feature discussed is present on more than one OS and things work there too. But that's rarely mentioned, sigh. Anyway, here's an article about systrace, which is readily available on NetBSD as well as OpenBSD, so this may be of interest here. Check it out!



[20050203] systrace homepage
I admit I didn't know that systrace has a homepage, even though it's as obvious as www.systrace.org.



[20050202] Book extract: systrace in OpenBSD
The book "Secure Architectures with OpenBSD" has a chapter on systrace in OpenBSD, which may very well apply to NetBSD's systrace as well, given that Niels Provos, the creator of systrace himself, ported and now maintains systrace on NetBSD. Systrace is a tool that allows monitoring, interception and restriction of system calls.





Disclaimer: All opinion expressed here is purely my own. No responsibility is taken for anything.

Copyright (c) Hubert Feyrer