Systrace

- Based on functionality created for OpenBSD
- Runs on OpenBSD, NetBSD, Mac OS X
- All systraced processes need to be run via the systrace binary
- Systrace analyses all system calls and decides if they should be allowed
- Can grant capabilities to non-root binaries
- Great way to 'sandbox' a program, potential trojan, etc.
- Systrace can 'learn' what system calls are needed and generate a policy
- Can block a system call and give you the ability to grant or deny it
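
The following Python model is an added illustration, not part of the original slides or of systrace itself. It walks through the decisions listed above: allow or block a call by policy, ask when no rule applies, and learn a policy from observed calls. The policy text uses a simplified subset of systrace's policy syntax; the program path, the rules, the first-match ordering and the function names are assumptions made for this example.

```python
import fnmatch
import re

# Constructed sample policy (simplified subset of systrace policy syntax);
# the program path and every rule below are made up for illustration.
SAMPLE_POLICY = '''\
Policy: /usr/local/bin/untrusted, Emulation: native
    native-close: permit
    native-fsread: filename eq "/etc/resolv.conf" then permit
    native-fsread: filename match "/usr/lib/*" then permit
    native-fswrite: filename match "/tmp/*" then permit
    native-fswrite: filename match "/etc/*" then deny[eperm]
    native-connect: sockaddr eq "inet-[127.0.0.1]:53" then permit
'''

RULE = re.compile(
    r'^\s*([\w-]+):\s*(?:(\w+) (eq|match) "([^"]*)" then )?'
    r'(permit|deny)(?:\[(\w+)\])?\s*$')

def parse_policy(text):
    """Return rules as (syscall, arg_name, op, pattern, action) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:  # the "Policy:" header and blank lines do not match
            rules.append(m.groups()[:5])
    return rules

def decide(rules, syscall, arg=None, enforce=False):
    """First matching rule wins (assumption of this model). A call with no
    matching rule is 'ask' interactively, or 'deny' when enforcing."""
    for name, _arg_name, op, pattern, action in rules:
        if name != syscall:
            continue
        if (op is None or (op == "eq" and arg == pattern) or
                (op == "match" and arg is not None
                 and fnmatch.fnmatchcase(arg, pattern))):
            return action
    return "deny" if enforce else "ask"

def learn(observed):
    """Build permit rules from observed (syscall, arg_name, arg) calls,
    the way a learning run records what a program needs."""
    lines = []
    for syscall, arg_name, arg in observed:
        rule = (f'    {syscall}: permit' if arg is None else
                f'    {syscall}: {arg_name} eq "{arg}" then permit')
        if rule not in lines:
            lines.append(rule)
    return "\n".join(lines)
```

A learned policy permits exactly what was seen during the learning run, so anything the program did while being observed, wanted or not, ends up allowed; review generated rules before enforcing them.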
Copyright 2003, Bri Hatch of Onsight, Inc.
Presented at ISSA Puget Sound, 2003.
Presentation created using vim and MagicPoint.