[index] [text page] [<<start] [<prev] [next>] [last>>]
Page 56: Systrace

Page 56

  Based on functionality created for OpenBSD
  Runs on OpenBSD, NetBSD, Mac OS X
  All systraced-processes need to be run via the systrace binary
  Systrace analyses all system calls and decides if they should be allowed
  Can grant capabilites to non-root binaries
  Great way to 'sandbox' a program, potential trojan, etc
  Systrace can 'learn' what system calls are needed and generate policy
  Can block system call and provide you ability to grant or deny 

Copyright 2003, Bri Hatch of Onsight, Inc.

Presented at ISSA Puget Sound, 2003.

Presentation created using vim and MagicPoint.