
systrace and the Stanford Checker (and Rational tools)

Posted Feb 5, 2004 23:40 UTC (Thu) by AnswerGuy (subscriber, #1256)
Parent article: Needed: code auditors

There are several things that could help with this auditing effort.

One is Niels Provos' systrace, which is built into recent versions of NetBSD and OpenBSD and is available as a kernel patch and attendant user-space utility/suite for Linux.

Systrace is a system call reference monitor which allows us to create a policy to intercept, allow and deny access to selected system calls (including options to match filename or other system call arguments with glob patterns and to allow specific system calls to be run with modified UID:GID -- user and group --- privileges). Any program that violates the policy is automatically killed and the violation is logged.

Of course this isn't as proactive as a code audit. However, it can help considerably. On a practical level it helps protect the system from many bugs as well as alerting the administrators to the presence of the bug. Naturally we will have to spend time building and refining the policies --- some programs might legitimately be executing extraordinary code (system calls) in rare cases (exception handling and error recovery).

Another tool that has been discussed by the LWN team occasionally over the years has been the Meta Level Compilation research project at Stanford, headed up by Dawson Engler. This has been used to detect numerous bugs in the Linux kernel (as test and research cases and for demonstration and proof-of-concept purposes).

Basically they use a modified compiler and a set of code extensions which, if I understand it correctly, allow them to apply a set of compilation assertions about the code paths and "machine state" leading into and upon return from functions defined in the code. This is similar to the concept of "programming by contract" (Eiffel, et al.) where pre-conditions, post-conditions and invariants can be defined for each code block and the compiler can warn of failures to conform to these policies.

Unfortunately I haven't heard of any publication or releases from the Stanford team in a couple of years, and they've ignored e-mails from me requesting further information. I've inquired about the possibility of interviewing anyone on their team about the state of the project a few times.

Fortunately their project isn't the only one in the field. One that was mentioned in the LWN discussion thread over a year ago was splint (Secure Programming lint). Another is David Wheeler's flawfinder. His site also has links to several other tools in the same genre. I even seem to recall reading that Linus was working on some tools for this sort of work.

Certainly no tool or suite of tools will find every possible software flaw. However, the fact that code auditing is tedious, laborious, and error prone work screams for more diligent and widespread use of any tools that are available as well as for the development of more sophisticated code auditing tools. "Tedium" and labor and errors are precisely what we build computers to avoid!


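As an added illustration of the policy mechanism described in the comment above (not part of the original post), here is a systrace policy in the OpenBSD/NetBSD `native` emulation syntax. The program path, log directory and port are constructed for the example; the policy shows glob matching on filenames, denying with a chosen errno plus logging, and granting a single privileged system call with the `as root` clause instead of running the whole daemon as root.

```systrace
Policy: /usr/local/bin/example-daemon, Emulation: native
	native-__sysctl: permit
	native-break: permit
	native-munmap: permit
	native-fsread: filename eq "/etc/malloc.conf" then permit
	native-fsread: filename match "/usr/share/zoneinfo/*" then permit
	native-fsread: filename match "/usr/lib/*" then permit
	native-fsread: filename eq "/etc/shadow" then deny[eperm] log
	native-fswrite: filename match "/var/log/example-daemon/*" then permit
	native-fswrite: filename match "/tmp/*" then deny[eperm] log
	native-bind: sockaddr match "inet-*:80" then permit as root
	native-execve: deny[eperm] log
	native-socket: permit
	native-accept: permit
	native-read: permit
	native-write: permit
	native-close: permit
	native-exit: permit
```

Anything not matched by a rule is handled by systrace's default action (prompt interactively, or deny and log when running non-interactively), so an unexpected `execve` or a write outside the log directory shows up in the logs as the violation the comment describes.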

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds