Which approach should be taken for audit subsystem

Robert Watson rwatson at FreeBSD.org
Thu Apr 10 02:26:07 GMT 2003


On Wed, 9 Apr 2003, Andrew R. Reiter wrote:

> Yes, you can modify the sysent vector.  Or just overwrite the beginning
> of the routine with a jump to your code... I guess modifying the vector
> is the best way.
> 
> Thank you for putting some time in here.  Though, I am interested in
> hearing Robert's comments.

I've never been a big fan of system call wrapping as a way to impose
access control or audit mechanisms.  One of the problems that is
frequently stumbled into is that of race conditions on arguments.  Almost
all (although not quite all) such modules have problems wherein the
arguments are copied into the kernel twice: once by the wrapper, and once
by the original kernel service code.  With an SMP box, or even with a
single-threaded box if you force page faults, you can race to replace an
argument between the check and use, resulting in the wrapper using one
version, and the kernel using another.  Niels Provos modified systrace to
add a system call argument look-aside buffer when I pointed this
vulnerability out to him.  I talk a bit more about this vulnerability and
some related vulnerabilities in my DISCEX III paper... 

My preferred approach for Audit actually goes through and modifies all the
system calls to attach argument data to an active audit record.  In fact,
that's the approach we've taken in Audit prototyping work recently, and
I'd like to take in a FreeBSD implementation.  The ktrace approach is nice
in that it has a low code modification requirement, but I think to do it
properly with threads, etc, it requires a moderate level of modification.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Network Associates Laboratories
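A user-space simulation of the double-copyin race described in the message above, added here as an example that is not from the original thread or from FreeBSD or systrace: the simulated copyin(), the concurrent-writer swap it models, the "/tmp/" policy check and the two wrapper variants are all constructed. It contrasts a wrapper that copies the argument separately from the kernel service with the single-copy look-aside design.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a user page holding a syscall argument. swap_to is what
 * a concurrent writer places there after the first copy; copies counts reads. */
struct user_mem { char path[64]; const char *swap_to; int copies; };

/* Constructed copyin(): every call re-reads user memory. After the first copy
 * the modelled concurrent writer rewrites the page, i.e. the check/use window. */
static void copyin_sim(struct user_mem *um, char *dst, size_t n) {
    strncpy(dst, um->path, n - 1);
    dst[n - 1] = '\0';
    if (um->copies++ == 0 && um->swap_to)
        strncpy(um->path, um->swap_to, sizeof um->path - 1);
}

/* Policy the wrapper enforces on its own copy of the argument (constructed). */
static int allowed(const char *path) { return strncmp(path, "/tmp/", 5) == 0; }

/* Wrapper that copies in once for the check while the kernel service copies in
 * again for use. Returns -1 if denied, 1 if the kernel used a value the wrapper
 * never checked, 0 if both copies agreed. */
int wrapper_double_copy(struct user_mem *um, char *used, size_t n) {
    char checked[64];
    copyin_sim(um, checked, sizeof checked);   /* wrapper's copy */
    if (!allowed(checked)) return -1;
    copyin_sim(um, used, n);                   /* kernel service's own copy */
    return strcmp(checked, used) != 0;
}

/* Look-aside design: the argument is copied in once and both the check and the
 * kernel service consume that same buffer, so a later rewrite is irrelevant. */
int wrapper_lookaside(struct user_mem *um, char *used, size_t n) {
    copyin_sim(um, used, n);
    if (!allowed(used)) return -1;
    return 0;
}

int main(void) {
    struct user_mem a = { "/tmp/safe", "/home/other/file", 0 }, b = a;
    char out[64];
    printf("double copy: mismatch=%d used=%s\n",
           wrapper_double_copy(&a, out, sizeof out), out);
    printf("look-aside:  mismatch=%d used=%s\n",
           wrapper_lookaside(&b, out, sizeof out), out);
    return 0;
}
```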


