The Observation Deck
Search
Close this search box.

Month: March 2005

DTrace is not a security risk!

Recently, there was
a
presentation at the annual meeting of
Chaos
Computer Club in Berlin.
As the presentation describes DTrace at some length,
several have asked the question: is DTrace a security risk? The answer
is an emphatic “no” — quite the contrary in fact — but it merits some
explanation.

DTrace can only be used by users on the system that have the appropriate
privileges (as discussed in the Security chapter of the
DTrace documentation).
By default, the only user with
sufficient privileges to use DTrace is root — the super-user.
The techniques described in the paper and in the presentation
are only for use on a system that one has already compromised.
Of course, once a system is compromised, all bets are off; a nefarious
user can:

  • Load their own daemons to act as
    trojan
    horses    , potentially sniffing
    passwords and compromising subsequent machines

  • Examine /etc/shadow and crack it to obtain cleartext for
    every password on the system

  • Use the
    pre-existing Solaris observability tools
    (truss(1), gcore(1), mdb(1), etc.)
    to observe and modify arbitrary processes

  • Crash and/or destroy the system beyond repair
  • Load their own kernel modules to spoof arbitrary parts of the system

Yes, you can use DTrace on a compromised system to glean additional
information, but everything you
can do with DTrace was in principle possible before DTrace — DTrace
just happens to make it a little easier.
Indeed, the presentation
doesn’t even discuss the ways in which a nefarious user on a compromised
system can use DTrace — rather it describes how DTrace can be used to
understand the system well enough to design a nefarious
spoofing kernel module in the first place.
And revealingly, the presentation spends quite a bit of time
describing
how to design a nefarious kernel module such
that it evades instrumentation by DTrace.1 The fact
that time and effort were spend on DTrace evasion is telling:
as a tool designed to expose the inner workings of a production system,
DTrace is much more feared by
the Black Hats than it is useful to them;
far from being a security risk, DTrace is very much a security asset.

1 I hasten to add that the author’s techniques for evading
DTrace won’t actually work
completely. They will successfully evade one form of instrumentation, but
they leave the
nefarious module completely exposed to
several other forms of instrumentation and detection by DTrace. A
more devilish rootkit would completely replace DTrace with some sort of
Bizarro
DTrace that
knew how to completely deny the existence of its cohorts…

Technorati tags:

Recent Posts

What punch cards teach us about AI risk

November 26, 2023

Is it worse for John Fisher?

November 18, 2023

Homebrew social networking

November 27, 2022

Twitter, when the wall came down

November 5, 2022

Twitter Spaces, a few weeks in

May 2, 2021

Compensation as a reflection of values

March 4, 2021

Rust after the honeymoon

October 11, 2020

The singular urgency of Ava DuVernay's 13th

June 2, 2020

The soul of a new computer company

December 2, 2019

Ex-Joyeur

July 31, 2019

Reflecting on The Soul of a New Machine

February 10, 2019

A EULA in FOSS clothing?

December 16, 2018

Open source confronts its midlife crisis

December 14, 2018

Assessing software engineering candidates

October 5, 2018

Should KubeCon be double-blind?

October 3, 2018

The relative performance of C and Rust

September 28, 2018

Falling in love with Rust

September 18, 2018

Talks I have given, conversations I have had

February 3, 2018

The sudden death and eternal life of Solaris

September 4, 2017

Reflections on Systems We Love

December 21, 2016

Submitting to Systems We Love

September 30, 2016

Systems We Love

September 26, 2016

Hacked by a bug?

September 13, 2016

dtrace.conf(16) wrap-up

July 29, 2016

Unikernels are unfit for production

January 22, 2016

Bringing clarity to containers

December 17, 2015

Requests for discussion

September 16, 2015

Software: Immaculate, fetid and grimy

September 3, 2015

The foundation of cloud-native computing

July 21, 2015

Triton: Docker and the "best of all worlds"

March 24, 2015

SmartDataCenter and the merits of being opinionated

February 5, 2015

Predicteria 2015

January 6, 2015

2014 in review: Docker rising

January 2, 2015

SmartDataCenter and Manta are now open source

November 3, 2014

Broadening node.js contributions

June 11, 2014

From VP of Engineering to CTO

April 15, 2014

agghist, aggzoom and aggpack

November 10, 2013

Happy 10th Birthday, DTrace!

September 3, 2013

Serving up disaster porn with Manta

July 23, 2013

Manta: From revelation to product

June 25, 2013

A systems software double-header: Surge and GOTO

October 8, 2012

Post-revolutionary open source

August 1, 2012

DTrace in the zone

June 7, 2012

Debugging node.js memory leaks

May 5, 2012

Standing up SmartDataCenter

September 15, 2011

KVM on illumos

August 15, 2011

In defense of intrapreneurialism

July 12, 2011

When magic collides

March 9, 2011

Log/linear quantizations in DTrace

February 8, 2011

The DIRT on JSConf.eu and Surge

October 2, 2010

A physician's son

September 24, 2010

DTrace, node.js and the Robinson Projection

August 30, 2010

The liberation of OpenSolaris

August 19, 2010

The node.js demographic

August 11, 2010

OpenSolaris and the power to fork

August 3, 2010

Hello Joyent!

July 30, 2010

Good-bye, Sun

July 25, 2010

Turning the corner

March 10, 2010

John Birrell

November 26, 2009

Queue, CACM, and the rebirth of the ACM

May 15, 2009

Moore's Outlaws

February 19, 2009

Eulogy for a benchmark

February 2, 2009

The Hunter becomes the Hunted

January 22, 2009

Catching disk latency in the act

December 31, 2008

On Modalities and Misadventures

November 16, 2008

Fishworks: Now it can be told

November 10, 2008

Concurrency's Shysters

November 3, 2008

Happy 5th Birthday, DTrace!

September 3, 2008

DTrace and the Palisades Interstate Parkway

July 29, 2008

Revisiting the Intel 432

July 18, 2008

DTrace on Linux

June 30, 2008

A Tribute to Jim Gray

May 31, 2008

dtrace.conf(08)

March 16, 2008

Announcing dtrace.conf

December 18, 2007

Boom/bust cycles

December 5, 2007

On Dreaming in Code

November 11, 2007

DTrace on QNX!

November 8, 2007

DTrace, Leopard, and the business of open source

October 29, 2007

DTrace on ONTAP?

September 6, 2007

DTrace at Google

August 21, 2007

Caught on camera

August 2, 2007

On the beauty in Beautiful Code

July 28, 2007

Beautiful Code

July 11, 2007

DTrace on the Scoble Show

July 3, 2007

Alexander Morgan Gaffikin Cantrill

June 23, 2007

DTrace at Joyent

May 20, 2007

The inculcation of systems thinking

May 6, 2007

Ian Murdock joins Sun!

March 19, 2007

DTrace on Rails, reprise

October 12, 2006

DTrace on AIX?

August 17, 2006

DTrace on Mac OS X!

August 7, 2006

DTrace on FreeBSD, update

May 25, 2006

DTrace on Rails

May 1, 2006

DTrace for Linux

December 13, 2005

Welcome to ZFS!

November 16, 2005

Your Debian fell into my OpenSolaris!

November 7, 2005

Man, myth, legend

September 13, 2005

TR35

September 9, 2005

DTrace and Ruby

August 21, 2005

DTrace on FreeBSD?

August 16, 2005

Archives

Archives
The Observation Deck