Date:      Mon, 4 Sep 2000 09:31:30 -0400 (EDT)
From:      Robert Watson <rwatson@FreeBSD.ORG>
To:        Pavlin Ivanov Radoslavov <pavlin@catarina.usc.edu>
Cc:        Andrzej Bialecki <abial@webgiro.com>, awr <awr@plan9.hert.org>, freebsd-hackers@FreeBSD.ORG, sef@FreeBSD.ORG
Subject:   Re: Q: System call interception 
Message-ID:  <Pine.NEB.3.96L.1000904092640.83208A-100000@fledge.watson.org>
In-Reply-To: <200009032307.QAA34204@rumi.usc.edu>

On Sun, 3 Sep 2000, Pavlin Ivanov Radoslavov wrote:

> > > 
> > > Intercepting syscalls is very easy.  In my mind, what you should do is
> > > write a KLD that creates a syscall that mimics the actions of what
> 
> Thanks for the detailed info and the pointers.
> However, I forgot to mention that the solution I need should not
> require modifications to the system, and should not require root
> privilege.

A number of spiffy replacement/wrapper libc libraries exist.  In FreeBSD,
applications generally invoke a syscall wrapper compiled into libc
automatically using the syscall table (/usr/src/sys/kern/syscalls.master).
By interposing a replacement library ahead of libc (must be dynamically
linked), you can intercept invocations of these and other functions in
libc, replacing them with your own calls.  This is done to support socks,
for example, wherein socket calls are replaced with socks versions of the
same calls.  The userland network stack (Alpine?) was recently posted
about on freebsd-net, and does much the same, replacing network calls in
the application with invocations of the userland network stack.

It's easy to imagine other types of syscall replacement, including catching
invocations of syscall(2) directly by the application.  Won't help you
with assembly code, but whether or not this is an issue depends on whether
the syscall interception is intended for functionality additions (SOCKS) 
or security.  If security, the ptrace()/procfs scheme should be able to do
that, but I'm not so familiar with that -- take a look at the
FreeBSD-specific components of gdb to get an idea here.  As mentioned
already, our kernel is designed to support replaceable syscall handlers,
and TIS has actually released a "wrapper toolkit" to allow the writing of
security wrappers to impose new policies.  This is implemented on FreeBSD,
Solaris, and I believe work is underway for Windows NT and Linux. 

  Robert N M Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
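The library-interposition approach described in the message above, as an added example that is not from the original thread or from any FreeBSD or TIS code: a small shared object that sits ahead of libc and replaces connect(2) with a version that applies a port policy before handing the call to the kernel. The policy (an allow-list of ports 80 and 443), the names connect_policy_allows and inet_addr_for_port, and the loopback test address are all hypothetical and constructed for this example. The pass-through uses syscall(2) instead of dlsym(RTLD_NEXT, ...) so the wrapper needs no libdl and cannot recurse into itself.

```c
/* Added example: an LD_PRELOAD interposer for connect(2).
 * Build as a shared object and preload it ahead of libc; the application's
 * call to connect() then resolves to the symbol below instead of libc's.
 * Works on FreeBSD and Linux for dynamically linked, non-set-user-ID programs.
 */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Hypothetical policy: only these destination ports may be connected to. */
static const uint16_t allowed_ports[] = { 80, 443 };

/* Returns 1 if the policy permits connecting to this address, 0 otherwise.
 * Non-IP sockets (AF_UNIX and friends) are outside the policy and pass. */
int connect_policy_allows(const struct sockaddr *sa, socklen_t len)
{
    uint16_t port;

    if (sa == NULL)
        return 0;
    if (sa->sa_family == AF_INET && len >= sizeof(struct sockaddr_in)) {
        port = ntohs(((const struct sockaddr_in *)sa)->sin_port);
    } else if (sa->sa_family == AF_INET6 && len >= sizeof(struct sockaddr_in6)) {
        port = ntohs(((const struct sockaddr_in6 *)sa)->sin6_port);
    } else {
        return 1;
    }
    for (size_t i = 0; i < sizeof allowed_ports / sizeof allowed_ports[0]; i++)
        if (allowed_ports[i] == port)
            return 1;
    return 0;
}

/* Constructed helper for testing: an IPv4 loopback address on the given port. */
struct sockaddr_in inet_addr_for_port(uint16_t port)
{
    struct sockaddr_in sin;

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    return sin;
}

/* The interposed symbol.  Same signature as libc's connect(2). */
int connect(int fd, const struct sockaddr *sa, socklen_t len)
{
    if (!connect_policy_allows(sa, len)) {
        fprintf(stderr, "interposer: connect() to disallowed port refused\n");
        errno = EACCES;
        return -1;
    }
    /* Pass the call straight to the kernel.  A program that does this itself
     * (syscall(2) or inline assembly) bypasses the wrapper entirely, which is
     * why this is a functionality hook rather than a security boundary. */
    return (int)syscall(SYS_connect, fd, sa, len);
}
```

Build with `cc -shared -fPIC -o libconnectpolicy.so connectpolicy.c` and run a target as `LD_PRELOAD=./libconnectpolicy.so ./program`. The run-time linker honours LD_PRELOAD only for dynamically linked binaries and ignores it for set-user-ID ones, so, as the message says, no root privilege and no system modification are needed, but a statically linked program or one that issues the system call directly is not intercepted.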
