[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

systrace - application confinement tool for Mac OS X

Subject: systrace - application confinement tool for Mac OS X
From: Niels Provos <email@hidden>
Date: Mon, 2 Dec 2002 00:25:32 -0500
Delivered-to: email@hidden
Mail-followup-to: email@hidden, email@hidden
Resent-date: Mon, 2 Dec 2002 17:12:57 -0500
Resent-from: email@hidden
Resent-message-id: <email@hidden>
Resent-to: email@hidden
User-agent: Mutt/1.3.27i

Hi,

I added support for Mac OS X to Systrace and am looking for feedback.

Systrace is a sandboxing/application confinement tool that can be
used to increase application and service security.

Its main features are:

- application confinement: the operations that an application can
perform are limited strictly to its intended functionality limiting/
preventing damage due to a compromise.
- easy policy generation: policy can be generated automatically in a
test run or interactively while running a new application.
- supports different binary emulations. this is not directly relevant
to Mac OS X but it implies careful abstraction of functionality.
- non-interactive policy enforcement: enforces a configured policy,
all operations that are not covered by the policy are denied and logged.
this all serves as intrusion detection system.
- privilege elevation: instead of suid/sgid programs, it is possible to
execute this programs with minimal privileges and elevated privileges
as necessary for a single system call.

I think that the main goal of a security solution should be simplicity
and kept that goal in mind while designing Systrace. Systrace uses
a hybrid approach that includes a very small kernel part and the majority
of the code is executed in userland.

You can find more information including a detailed paper at

http://www.citi.umich.edu/u/provos/systrace/

Systrace itself is very mature. Monkey.org uses it for all of their
users (>200) and all of their system daemons.

A beta version of Systrace for Mac OS X is available at

http://www.citi.umich.edu/u/provos/systrace/maxosx.html

I would appreciate comments.

Regards,
Niels Provos.
_______________________________________________
Hackers mailing list
email@hidden
http://www.opendarwin.org/mailman/listinfo/hackers
_______________________________________________
darwin-development mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/darwin-development
Do not post admin requests to the list. They will be ignored.

Prev by Date: Re: PAM questions. HELP!
Next by Date: Where is __MyCompanyName__ defined?
Previous by thread: Re: PAM questions. HELP!
Next by thread: Where is __MyCompanyName__ defined?
Index(es):
- Date
- Thread

Home