Date: Mon, 4 Sep 2000 09:31:30 -0400 (EDT)
From: Robert Watson
To: Pavlin Ivanov Radoslavov
Cc: Andrzej Bialecki, awr, freebsd-hackers@FreeBSD.ORG, sef@FreeBSD.ORG
Subject: Re: Q: System call interception
In-Reply-To: <200009032307.QAA34204@rumi.usc.edu>

On Sun, 3 Sep 2000, Pavlin Ivanov Radoslavov wrote:

> > > Intercepting syscalls is very easy. In my mind, what you should do is
> > > write a KLD that creates a syscall that mimics the actions of what
>
> Thanks for the detailed info and the pointers.
> However, I forgot to mention that the solution I need should not
> require modifications to the system, and should not require root
> privilege.

A number of spiffy replacement/wrapper libc libraries exist. In FreeBSD,
applications generally invoke a syscall wrapper compiled into libc
automatically using the syscall table (/usr/src/sys/kern/syscalls.master).
By interposing a replacement library ahead of libc (must be dynamically
linked), you can intercept invocations of these and other functions in
libc, replacing them with your own calls. This is done to support socks,
for example, wherein socket calls are replaced with socks versions of the
same calls. The userland network stack (Alpine?)
was recently posted about on freebsd-net, and does much the same,
replacing network calls in the application with invocations of the
userland network stack. It's easy to imagine other types of syscall
replacement, including catching invocations of syscall(2) directly by the
application. Won't help you with assembly code, but whether or not this
is an issue depends on whether the syscall interception is intended for
functionality additions (SOCKS) or security. If security, the
ptrace()/procfs scheme should be able to do that, but I'm not so familiar
with that -- take a look at the FreeBSD-specific components of gdb to get
an idea here.

As mentioned already, our kernel is designed to support replaceable
syscall handlers, and TIS has actually released a "wrapper toolkit" to
allow the writing of security wrappers to impose new policies. This is
implemented on FreeBSD, Solaris, and I believe work is underway for
Windows NT and Linux.

Robert N M Watson
robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
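An added example (not from Robert's mail, nor from socks, Alpine or the TIS toolkit he names) of the library-interposition approach described above: a replacement connect() that a dynamically linked program picks up ahead of libc, applies a simple destination policy, and forwards allowed calls to the real libc function found via RTLD_NEXT. The policy itself (loopback or TCP port 443 only) and the helper names are assumptions chosen for illustration.

```c
#define _GNU_SOURCE          /* RTLD_NEXT on glibc; FreeBSD exposes it by default */
#include <arpa/inet.h>
#include <dlfcn.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Assumed policy: IPv4 connects may go to 127.0.0.0/8 on any port, or to
 * port 443 anywhere else. Other address families pass through untouched.
 * Returns 1 if permitted, 0 if the wrapper should refuse the call. */
int wrapper_policy_allows(const struct sockaddr *sa, socklen_t len)
{
    if (sa == NULL || sa->sa_family != AF_INET || len < sizeof(struct sockaddr_in))
        return 1;
    const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
    if ((ntohl(sin->sin_addr.s_addr) & 0xff000000u) == 0x7f000000u)
        return 1;                            /* loopback */
    return ntohs(sin->sin_port) == 443;      /* elsewhere: HTTPS only */
}

/* Convenience for tests and callers: build the sockaddr from text and ask
 * the policy. Returns -1 if `ip` is not a valid dotted-quad address. */
int wrapper_policy_allows_v4(const char *ip, unsigned short port)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1)
        return -1;
    return wrapper_policy_allows((const struct sockaddr *)&sin, sizeof sin);
}

/* Replacement for libc's connect(). Build as a shared object (cc -shared
 * -fPIC) and load it with LD_PRELOAD; the dynamic linker then resolves the
 * program's connect() here first, and RTLD_NEXT yields libc's own copy.
 * As the mail notes, a program issuing syscall(2) or raw assembly bypasses
 * this entirely, so it is a functionality/audit layer, not a sandbox. */
int connect(int fd, const struct sockaddr *sa, socklen_t len)
{
    static int (*real_connect)(int, const struct sockaddr *, socklen_t);
    if (real_connect == NULL)
        real_connect = (int (*)(int, const struct sockaddr *, socklen_t))
                       dlsym(RTLD_NEXT, "connect");
    if (!wrapper_policy_allows(sa, len)) {
        char buf[INET_ADDRSTRLEN] = "?";
        const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
        inet_ntop(AF_INET, &sin->sin_addr, buf, sizeof buf);
        fprintf(stderr, "wrapper: denied connect to %s:%u\n", buf, ntohs(sin->sin_port));
        errno = EACCES;
        return -1;
    }
    return real_connect(fd, sa, len);
}
```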