views:

99

answers:

3

Assume a Linux binary foobar which has two different modes of operation:

  • Mode A: A well-behaved mode in which syscalls a, b and c are used.
  • Mode B: A things-gone-wrong mode in which syscalls a, b, c and d are used.

Syscalls a, b and c are harmless, whereas syscall d is potentially dangerous and could cause instability to the machine.

Assume further that which of the two modes the application runs is random: the application runs in mode A with probability 95 % and in mode B with probability 5 %. The application comes without source code so it cannot be modified, only run as-is.

I want to make sure that the application cannot execute syscall d. When executing syscall d the result should be either a NOOP or an immediate termination of the application.

How do I achieve that in a Linux environment?

+2  A: 

This is one possible application of sandboxing (specifically, Rule-based Execution). One popular implementation is SELinux.

You will have to write the policy that corresponds to what you want to allow the process to do.

Pascal Cuoq
This is certainly the use case for SELinux. Other sandboxing technologies are available.
stsquad
@stsquad I incorporated your comment. You were perhaps reacting partly to the "claims" in the previous version… I phrased it this way because of having heard some people SELinux is not so usable in practice, precisely because of the need for adequate policies. Not having tried it, I do not have an opinion one way or the other, so perhaps the new version is better from this point of view.
Pascal Cuoq
+4  A: 

Is the application linked statically?

You may override some symbols, for example, lets redefine socket

int socket(int domain, int type, int protocol)
{
        write(1,"Error\n",6);
        return -1;
}

Then build shared library:

gcc -fPIC -shared test.c -o libtest.so

Let's run:

nc -l -p 6000

Ok

And now:

$ LD_PRELOAD=./libtest.so nc -l -p 6000
Error
Can't get socket

What happens when you run with variable LD_PRELOAD=./libtest.so it overrides symbols defined in libtest.so over thous defined in the library.

Artyom
+3  A: 

It seems that systrace does exactly what you need. From the Wikipedia page:

An application is allowed to make only those system calls specified as permitted in the policy. If the application attempts to execute a system call that is not explicitly permitted an alarm gets raised.

Torsten Marek