This chapter is from the book

29.6 Additional Uses for systrace

Beyond application sandbox enforcement, the systrace facility has other uses. These are just now starting to be explored.

29.6.1 Software Testing

One interesting use of systrace is to test the error-handling abilities of various applications. The systrace system can be used to reliably and predictably force failures with various error conditions on a per-system call level. For example, to examine how a process reacts if it is unable to read the configuration file for malloc, a line such as the following would be integrated into a systrace policy for the process:

native-fsread: filename eq "/etc/malloc.conf" then deny[enoent] 

With this line in place, any attempt by the process to open /etc/malloc.conf fails with ENOENT (“No such file or directory”), even though the file exists. The application’s handling of that error can then be tested for graceful recovery rather than a crash or silent misbehaviour. The same deny[errno] form works for any system call and any errno name, so the technique generalises to other failure modes (for example, making a socket call fail). Note that denying an application the right to perform a native-exit will force it to abort, which will produce a core dump.

29.6.2 IDS Logging

Another use of systrace is as an intrusion detection logging system. The log keyword can be added to any policy line, so any matched system call can be recorded; logging native-exec entries (every program the process starts) is usually the most valuable. For example, to enable logging of all file openings by a network daemon process, the systrace policy for the daemon would include a line like this:

native-fsread: filename match "*" then permit log 

The match operator is needed here because eq is an exact string comparison: a rule written with eq "*" would only fire for a file literally named "*". Now every file opening carried out by the process will be permitted and logged by systrace. An otherwise complete policy will have to be created for the process as well, since calls that match no rule are not silently permitted.
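The two uses above, fault injection with deny[errno] and logging with permit log, both rest on how systrace evaluates policy lines: rules are tried in order, the first one whose system call and predicate match wins, and eq compares the filename literally while match uses shell-style wildcards. The following Python program is an added example (not part of the book or of systrace itself) that parses the subset of the policy language used in this section and evaluates it against constructed syscall events, so the behaviour of both policies can be checked without a systrace-capable kernel. The policy file names, the libc path, the process name and the log-line format are all assumptions made for the example; the default errno for a bare deny is taken to be EPERM.

```python
import errno
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional

# One policy line:  <emulation>-<syscall>: [<field> <op> "<value>" then] permit|deny[<errno>] [log]
RULE_RE = re.compile(
    r'^(?P<call>[A-Za-z0-9_]+-[A-Za-z0-9_]+):\s*'
    r'(?:(?P<field>\w+)\s+(?P<op>eq|neq|match|sub|nsub)\s+"(?P<value>[^"]*)"\s+then\s+)?'
    r'(?P<verb>permit|deny)(?:\[(?P<errno>\w+)\])?'
    r'(?P<log>\s+log)?\s*$'
)


@dataclass(frozen=True)
class Rule:
    call: str
    field: Optional[str]
    op: Optional[str]
    value: Optional[str]
    verb: str        # "permit" or "deny"
    err: int         # errno returned to the process on deny
    log: bool


@dataclass(frozen=True)
class Decision:
    verb: str                       # "permit", "deny", or "ask" when no rule matched
    err: int = 0
    log_line: Optional[str] = None  # set only when the matching rule carries "log"


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable policy line: {line!r}")
    err = 0
    if m["verb"] == "deny":
        # deny[enoent] -> errno.ENOENT; a bare deny returns EPERM (assumed default)
        name = (m["errno"] or "eperm").upper()
        if not hasattr(errno, name):
            raise ValueError(f"unknown errno {name} in: {line!r}")
        err = getattr(errno, name)
    elif m["errno"]:
        raise ValueError(f"permit takes no errno: {line!r}")
    return Rule(m["call"], m["field"], m["op"], m["value"], m["verb"], err, bool(m["log"]))


def parse_policy(text: str) -> list:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Policy:"):   # skip blanks and the file header
            continue
        rules.append(parse_rule(line))
    return rules


def predicate_holds(rule: Rule, event: dict) -> bool:
    if rule.field is None:           # unconditional rule, e.g. "native-mmap: permit"
        return True
    actual = event.get(rule.field)
    if actual is None:
        return False
    v = rule.value
    if rule.op == "eq":
        return actual == v                       # literal comparison only
    if rule.op == "neq":
        return actual != v
    if rule.op == "match":
        return fnmatch.fnmatchcase(actual, v)    # shell-style wildcards, as match does
    if rule.op == "sub":
        return v in actual
    if rule.op == "nsub":
        return v not in actual
    raise ValueError(rule.op)


def evaluate(policy: list, event: dict) -> Decision:
    """First matching rule wins; with no match the monitor would have to ask."""
    for rule in policy:
        if rule.call != event["call"] or not predicate_holds(rule, event):
            continue
        log_line = None
        if rule.log:   # constructed log format, not systrace's own syslog text
            detail = f' {rule.field}: {event[rule.field]}' if rule.field else ''
            log_line = f'{event["process"]}: {event["call"]}{detail}: {rule.verb}'
        return Decision(rule.verb, rule.err, log_line)
    return Decision("ask")


# Constructed policies for the two uses above; the libc path is illustrative only.
FAULT_POLICY = """\
Policy: /usr/local/bin/example, Emulation: native
native-fsread: filename eq "/etc/malloc.conf" then deny[enoent]
native-fsread: filename match "/usr/lib/libc.so.*" then permit
native-mmap: permit
native-exit: permit
"""

IDS_POLICY = 'native-fsread: filename match "*" then permit log\n'


def event(call: str, **fields) -> dict:
    """Constructed system-call event, as the monitor would see it (process name assumed)."""
    return {"process": "exampled", "call": call, **fields}


if __name__ == "__main__":
    fault = parse_policy(FAULT_POLICY)
    d = evaluate(fault, event("native-fsread", filename="/etc/malloc.conf"))
    print(d.verb, errno.errorcode[d.err])                                                # deny ENOENT
    print(evaluate(fault, event("native-fsread", filename="/usr/lib/libc.so.30.0")).verb)  # permit
    print(evaluate(fault, event("native-fsread", filename="/etc/passwd")).verb)            # ask
    ids = parse_policy(IDS_POLICY)
    print(evaluate(ids, event("native-fsread", filename="/etc/passwd")).log_line)
    # eq "*" compares literally, so this rule never fires on a real path
    bad = parse_policy('native-fsread: filename eq "*" then permit log')
    print(evaluate(bad, event("native-fsread", filename="/etc/passwd")).verb)             # ask
```

Running it shows the malloc.conf open being denied with ENOENT while the libc open is permitted, the IDS policy producing a log line for /etc/passwd, and the eq "*" variant matching nothing, which is why an unmatched call in a real policy falls through to the interactive prompt (or to a denial in automatic mode) rather than being logged.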
