DTrace is not a security risk!

Recently, there was a presentation at the annual meeting of the Chaos Computer Club in Berlin. As the presentation describes DTrace at some length, several have asked the question: is DTrace a security risk? The answer is an emphatic “no” — quite the contrary in fact — but it merits some explanation.

DTrace can only be used by users on the system that have the appropriate
privileges (as discussed in the Security chapter of the
DTrace documentation).
By default, the only user with
sufficient privileges to use DTrace is root — the super-user.
The techniques described in the paper and in the presentation
are only for use on a system that one has already compromised.
Of course, once a system is compromised, all bets are off; a nefarious
user can:

Yes, you can use DTrace on a compromised system to glean additional
information, but everything you
can do with DTrace was in principle possible before DTrace — DTrace
just happens to make it a little easier.
Indeed, the presentation
doesn’t even discuss the ways in which a nefarious user on a compromised
system can use DTrace — rather it describes how DTrace can be used to
understand the system well enough to design a nefarious
spoofing kernel module in the first place.
And revealingly, the presentation spends quite a bit of time
describing
how to design a nefarious kernel module such
that it evades instrumentation by DTrace.1 The fact
that time and effort were spent on DTrace evasion is telling:
as a tool designed to expose the inner workings of a production system,
DTrace is much more feared by
the Black Hats than it is useful to them;
far from being a security risk, DTrace is very much a security asset.


1 I hasten to add that the author’s techniques for evading DTrace won’t actually work completely. They will successfully evade one form of instrumentation, but they leave the nefarious module completely exposed to several other forms of instrumentation and detection by DTrace. A more devilish rootkit would completely replace DTrace with some sort of Bizarro DTrace that knew how to completely deny the existence of its cohorts…

Posted on March 2, 2005 at 3:41 pm by bmc
In: Solaris

23 Responses


  1. Written by Chris on March 4, 2005 at 1:07 pm

    So I infer from your comments that a zone that has been compromised to the level of root being subverted is in no danger from dtrace? If I’m executing in a zone then I can see how the zone-specific kernel probes would work, but does dtrace cross those boundaries into global zone probes?

  2. Written by Bryan Cantrill on March 4, 2005 at 1:57 pm

    That’s right — you can’t run DTrace in the local zone, so having root in the local zone doesn’t buy you anything as far as DTrace is concerned…

  3. Written by Chris on March 4, 2005 at 3:03 pm

    Thanks Bryan. I figured it was the answer, but here’s my follow-up question – how can an admin of a zone use all the great features of dtrace? If the answer is “they can’t”, then I’m ok with that but it doesn’t help the consolidation cause, particularly if I’m trying to troubleshoot a performance problem that the customer says is because it’s in a zone but I know it’s their crappy {code||app server||database}.

  4. Written by Bryan Cantrill on March 4, 2005 at 8:31 pm

    You can use DTrace — it just has to be from the global zone. So the admin of a zone can’t use the great features of DTrace, but we don’t feel that the consolidation cause is harmed because the admin of the box can use DTrace to explore any and all performance issues. For example, a one-liner to figure out which zone is doing I/O:

    # dtrace -n 'io:::start{@[zonename] = count()}'

    And so on…
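    The following D script is an added example (not Bryan’s one-liner and not part of the original thread) that extends the same idea for the troubleshooting scenario Chris describes: run from the global zone, it attributes I/O requests, bytes requested, and system calls to the zone and process that issued them, so the box admin can tell whether a “slow zone” is really the zone or the workload inside it. It assumes a Solaris 10 or later DTrace with the `zonename` built-in variable and the `io` provider available, which is the environment the thread is discussing.

    ```d
    #!/usr/sbin/dtrace -s
    /*
     * Added example: per-zone attribution of I/O and system calls.
     * Must be run as root (or a user with dtrace_kernel privilege) in the
     * global zone; DTrace is not available inside a non-global zone.
     * Assumes the io provider and the zonename variable, as in Solaris 10.
     */
    #pragma D option quiet

    /* Every I/O request: count by zone and process, and sum bytes by zone. */
    io:::start
    {
        @io[zonename, execname] = count();
        @bytes[zonename] = sum(args[0]->b_bcount);
    }

    /* Every system call: count by zone and syscall name. */
    syscall:::entry
    {
        @sys[zonename, probefunc] = count();
    }

    /* Report every 10 seconds, then clear the aggregations for the next interval. */
    tick-10s
    {
        printf("\n=== I/O requests by zone and process (last 10s) ===\n");
        printa("%-16s %-20s %@8d\n", @io);

        printf("\n=== bytes requested by zone (last 10s) ===\n");
        printa("%-16s %@12d\n", @bytes);

        printf("\n=== top 10 system calls by zone (last 10s) ===\n");
        trunc(@sys, 10);
        printa("%-16s %-20s %@8d\n", @sys);

        trunc(@io);
        trunc(@bytes);
        trunc(@sys);
    }
    ```

    Save it as, for example, zoneio.d, make it executable, and run it from the global zone; entries for the global zone itself appear under the zone name “global”, so the zones’ share of the I/O and system-call load is visible side by side with the host’s own.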

  5. Written by Wee Yeh on March 7, 2005 at 4:56 pm

    I agree with you that DTrace is a great security asset. In fact, coupled with Zones, I figure we can build the “ultimate” honeypot or honeynets (with multiple zones). The more careful blackhat will note that “init” is not PID 1 but their compromise would be compromised by then.

  6. Written by David Neal on March 10, 2005 at 11:27 am

    Er, cracking /etc/shadow? Nein. Data stored in /etc/shadow goes through a one way hash function.
    It would have been more accurate to say “watch the input buffers of login, and expose the user’s password”, perhaps?

  7. Written by Bryan Cantrill on March 11, 2005 at 3:06 am

    Oh, Country Mouse… I’m afraid that the encrypted passwords stored in /etc/shadow can be cracked pretty easily using well-known dictionary attacks. (Why did you think that there was an /etc/shadow, anyway? Were there no such risk, these passwords could be stored in /etc/passwd — as they were historically.) Google “crack passwd” and you’ll come up with many hits explaining exactly how this is done…

  8. Written by David Neal on March 13, 2005 at 8:39 pm

    Hi, Brian!
    My comment wasn’t based on ignorance of dictionary attacks on /etc/shadow. It was based on misreading your comment and thinking that you were implying dtrace could be used to reverse engineer the contents of shadow.
    I was merely pointing out that dtrace wasn’t so useful for such a task, and instead it would make more sense to use dtrace (if possible) to catch passwords before they went through one way hash functions. My using phrases like “one way hash functions” should have clued you in on my knowing
    what’s in /etc/shadow and why it’s there. LOL.
    If you want to talk down to me, please direct it to the fact that I misread your blog entry. I’ve been a UNIX sysadmin since the early 80’s, City Mouse.

  9. Written by David Neal on March 13, 2005 at 8:43 pm

    P.S.
    Update your dang blog!

  10. Written by Bryan Cantrill on March 14, 2005 at 9:31 am

    Update my dang blog to say what exactly? And in the future, if you don’t want to be talked down to, you might consider not talking down to someone in the first place…
