Tuesday, August 19, 2003

Systrace Policy Library

While reading Michael Lucas' excellent Absolute OpenBSD, I learned of a project which maintains a library of Systrace policies called the Hairy Eyeball Project. Systrace allows administrators to define which system calls their applications can execute. Systrace is included in OpenBSD and ports exist for other operating systems. I most interested in the FreeBSD version which Rich Murphey presented at DefCon XI. I haven't seen anything from DefCon XI posted in the site's archives yet.

While perusing the mailing lists I discovered CerbNG which appears to have similar functionality to Systrace. I think projects like this are key to improving security. Boundaries between the untrusted "outside world" and the trusted "inside world" are dissolving. Road warriors infected with the latest worm use their VPN to connect to the corporate network, bypassing defenses aimed at exterior threats. Increasingly hosts must defend themselves as access control is becoming difficult if not impossible. Organizations are unwilling or unable to segment their networks, as most can't even define the relative importance of their business assets. The future of security is every machine being a bastion host.

If you need a commercial solution, Primary Response from Sana Security "monitors and protects applications at the OS kernel level, building a profile of the application's normal behavior based on the code paths of a running program, then continually monitoring those code paths for deviations from the norm."

No comments: