Star Cambridge Researcher Breaks Open/NetBSD Systrace
Linked by Thom Holwerda on Thu 9th Aug 2007 17:02 UTC, submitted by Joe User
Privacy, Security, Encryption University of Cambridge researcher Robert Watson has published a paper at the First USENIX Workshop On Offensive Technology in which he describes serious vulnerabilities in OpenBSD's Systrace, Sudo, Sysjail, the TIS GSWTK framework, and CerbNG. The technique is also effective against many commercially available anti-virus systems. His slides include sample exploit code that bypasses access control, virtualization, and intrusion detection in under 20 lines of C code consisting solely of memcpy() and fork(). Sysjail has now withdrawn their software, recommending against any use, and NetBSD has disabled Systrace by default in their upcoming release.
E-mail Print r 1   12 Comment(s) http://osne.ws/e7q
Order by: Score:
Add Comment Post a Comment

not bad...
by dmitry on Thu 9th Aug 2007 17:55 UTC
dmitry
Member since:
2006-01-16

Nice and a serious slap into OpenBSD's face, hah Theo? ...

Reply Bookmark Score: 0

RE: not bad...
by systyrant on Thu 9th Aug 2007 18:05 UTC in reply to "not bad..."
systyrant Member since:
2007-01-18

I wouldn't call it a serious slap. It may be a serious problem, but if you think you can do better then by all means... do better.

I have faith that the *BSD developers will sort it all out.

Reply Bookmark Score: 10

RE: not bad...
by Soulbender on Fri 10th Aug 2007 04:01 UTC in reply to "not bad..."
Soulbender Member since:
2005-08-18

Not really, since Theo has always said systrace is problematic which is, among other things, why it isnt used by default. If systrace is your only line of the defense, well, then you get what you deserve.
But hey, dont let facts get in the way of a nice flamewar.

Reply Bookmark Score: 3

It's my understanding ...
by openwookie on Thu 9th Aug 2007 18:10 UTC
openwookie
Member since:
2006-04-25

.. that this is only exploitable on multiprocessor systems.

Also, it seems that there is a solution available:

There is a straight forward solution for this problem. The initial
prototype of Systrace had a look-aside buffer in the kernel for
copyin. I told Robert about this, not sure if he mentioned that in
his paper or not. There obviously would be some associated
performance impacts. (Niels Provos, on the OpenBSD mailing list)

Still pretty serious though.

Reply Bookmark Score: 3

RE: It's my understanding ...
by zamolx3 on Thu 9th Aug 2007 20:03 UTC in reply to "It's my understanding ..."
zamolx3 Member since:
2007-08-09

No, this is exploitable also on Uniprocessor systems.
Read the paper/slides before posting comments.

http://www.watson.org/~robert/2007woot/

Reply Bookmark Score: 5

ouch...
by Flatland_Spider on Thu 9th Aug 2007 18:16 UTC
Flatland_Spider
Member since:
2006-09-01

Rough day for the OpenNetBSD camps.

What's the saying, "What doesn't kill you makes you stronger?"

Reply Bookmark Score: 4

RE: ouch...
by SEJeff on Thu 9th Aug 2007 19:40 UTC in reply to "ouch..."
SEJeff Member since:
2005-11-05

This would only be rough if there was a worm of somesort mass turning OpenBSD boxes into bots. Since this is very unlikely, it isn't a bad day.

Those guys live for finding new ways to break code and are probably pretty excited about this.

Reply Bookmark Score: 5

RE[2]: ouch...
by Flatland_Spider on Thu 9th Aug 2007 20:51 UTC in reply to "ouch..."
Flatland_Spider Member since:
2006-09-01

That's true. It could be worse then a little dirt on the "Secure by Default" slogan and fodder for the OS fanboy cannons. ;)

Reply Bookmark Score: 0

Please... enough already..
by BSDfan on Thu 9th Aug 2007 20:59 UTC
BSDfan
Member since:
2007-03-14

"Just so it is clear, systrace is just a tool included in the distribution. It is not used by anything in the base system by default but be wary of using this tool as it stands."

http://undeadly.org/cgi?action=article&sid=20070809201304

Reply Bookmark Score: 3

Well...
by jadeshade on Fri 10th Aug 2007 05:16 UTC
jadeshade
Member since:
2007-07-10

The NetBSD Toaster has a clear i/o channel (bread goes in the slot, toast goes out the slot), so that is at least one architecture that should be invulnerable to attack. If these researchers can have the machine produce toast without bread, then this may be bigger than I thought.

I don't doubt that it'll be fixed in a few weeks.

Reply Bookmark Score: 2

Pretty much old news
by Dunceor on Fri 10th Aug 2007 06:41 UTC
Dunceor
Member since:
2007-03-08

This has been in the BUGS section of systrace for a while.

"BUGS
Applications that use clone()-like system calls to share the complete address space between processes may be able to replace system call arguments after they have been evaluated by systrace and escape policy enforcement."

This has never been something that is enabled by default so I do not see how this can be a serious problem.

Watson has done some very interesting research though and it's good somebody decided to really dive into it and see what the problems in. Kudos!

Reply Bookmark Score: 3

NetBSD toaster vulnerability
by ASau on Fri 10th Aug 2007 22:14 UTC
ASau
Member since:
2007-05-02

NetBSD toaster does not check its input,
you can feed anything there.

Browser: Emacs-w3m/1.4.4 w3m/0.5.2

Reply Bookmark Score: 2

Add Comment Post a Comment