lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <30335309.9kgxB5Lv94@sifl>
Date:	Mon, 16 Apr 2012 10:09:50 -0400
From:	Paul Moore <paul@...l-moore.com>
To:	libseccomp-discuss@...ts.sourceforge.net
Cc:	David Windsor <dwindsor@...il.com>,
	linux-security-module@...r.kernel.org,
	Will Drewry <wad@...omium.org>, linux-kernel@...r.kernel.org
Subject: Re: [libseccomp-discuss] ANN: libseccomp

On Saturday, April 14, 2012 10:10:28 AM David Windsor wrote:
> Out of curiosity, are there any current efforts towards creating a "learning
> mode" type of application for seccomp?  I.e. creating a profile for a
> particular application based upon which syscalls it makes during normal
> operation.  I realize that many people consider this a security anti-
> pattern, but it could be useful for the initial creation of a seccomp filter
> for a particular application, and other security subsystems already do this
> (ala AppArmor's learning/complain mode).  IIUC, no other kernel mechanisms
> would need to be created; ptrace could accomplish syscall monitoring.  

I'm not aware of any serious efforts, but as Kees already pointed out, his 
seccomp tutorial could be extended to do something similar to what you 
describe.  Kees' tutorial uses raw BPF, but the same basic principles would 
work with libseccomp as well if you wanted a higher level interface.

The libseccomp sources also contain a simple little script which runs an 
application via strace and presents a slightly cleaned up version of the 
strace report which shows the syscalls, their frequency (important if you want 
to tune the seccomp filter), and some of the arguments you're likely to want 
to filter on.  Simple example:

 # ./tools/sys_inspector -h
 usage ./tools/sys_inspector [-f] [-a] [-o <file>] <command> [<args>]
 # ./tools/sys_inspector -f /bin/true
 ============================================================
 Syscall Report ("/bin/true")
    freq syscall
 ============================================================
       8 mmap
       4 mprotect
       2 open
       2 fstat
       2 close
       1 read
       1 munmap
       1 exit_group
       1 execve
       1 brk
       1 arch_prctl
       1 access

-- 
paul moore
www.paul-moore.com

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ