Search
Close this search box.

Month: March 2005

Recently, there was
a
presentation
at the annual meeting of
Chaos
Computer Club
in Berlin.
As the presentation describes DTrace at some length,
several have asked the question: is DTrace a security risk? The answer
is an emphatic “no” — quite the contrary in fact — but it merits some
explanation.

DTrace can only be used by users on the system that have the appropriate
privileges (as discussed in the Security chapter of the
DTrace documentation).
By default, the only user with
sufficient privileges to use DTrace is root — the super-user.
The techniques described in the paper and in the presentation
are only for use on a system that one has already compromised.
Of course, once a system is compromised, all bets are off; a nefarious
user can:

  • Load their own daemons to act as
    trojan
    horses
    , potentially sniffing
    passwords and compromising subsequent machines

  • Examine /etc/shadow and crack it to obtain cleartext for
    every password on the system

  • Use the
    pre-existing Solaris observability tools
    (truss(1), gcore(1), mdb(1), etc.)
    to observe and modify arbitrary processes

  • Crash and/or destroy the system beyond repair
  • Load their own kernel modules to spoof arbitrary parts of the system

Yes, you can use DTrace on a compromised system to glean additional
information, but everything you
can do with DTrace was in principle possible before DTrace — DTrace
just happens to make it a little easier.
Indeed, the presentation
doesn’t even discuss the ways in which a nefarious user on a compromised
system can use DTrace — rather it describes how DTrace can be used to
understand the system well enough to design a nefarious
spoofing kernel module in the first place.
And revealingly, the presentation spends quite a bit of time
describing
how to design a nefarious kernel module such
that it evades instrumentation by DTrace.1 The fact
that time and effort were spend on DTrace evasion is telling:
as a tool designed to expose the inner workings of a production system,
DTrace is much more feared by
the Black Hats than it is useful to them;
far from being a security risk, DTrace is very much a security asset.


1 I hasten to add that the author’s techniques for evading
DTrace won’t actually work
completely. They will successfully evade one form of instrumentation, but
they leave the
nefarious module completely exposed to
several other forms of instrumentation and detection by DTrace. A
more devilish rootkit would completely replace DTrace with some sort of
Bizarro
DTrace that
knew how to completely deny the existence of its cohorts…

Technorati tags:

Recent Posts

September 2, 2024
November 18, 2023
November 27, 2022
October 11, 2020
July 31, 2019
December 16, 2018
September 18, 2018
December 21, 2016
September 30, 2016
September 26, 2016
September 13, 2016
July 29, 2016
December 17, 2015
September 16, 2015
January 6, 2015
November 10, 2013
September 3, 2013
June 7, 2012
September 15, 2011
August 15, 2011
March 9, 2011
September 24, 2010
August 11, 2010
July 30, 2010
July 25, 2010
March 10, 2010
November 26, 2009
February 19, 2009
February 2, 2009
November 10, 2008
November 3, 2008
September 3, 2008
July 18, 2008
June 30, 2008
May 31, 2008
March 16, 2008
December 18, 2007
December 5, 2007
November 11, 2007
November 8, 2007
September 6, 2007
August 21, 2007
August 2, 2007
July 11, 2007
May 20, 2007
March 19, 2007
October 12, 2006
August 17, 2006
August 7, 2006
May 1, 2006
December 13, 2005
November 16, 2005
September 13, 2005
September 9, 2005
August 21, 2005

Archives

Archives