``The current implementation has security issues resulting from using the stackgap to pass modified arguments to syscalls. This is is easier to understand with with multi-threaded programs: since systrace is using the stackgap to pass modified arguments to syscalls, a second thread can overwrite those arguments after systrace placed them but before the first thread executed the syscall. Fixing this would require a completely different mechanism to pass arguments to syscalls, perhaps having a wrapper for each syscall to accommodate systrace (and receive arguments in kernel space) and avoid TOCTOU races.''

``The big problem with the stackgap is that it was per-process, so in a multithreaded program systrace would be trying to use the same memory area for the modified arguments of more than one concurrent system call!

The bigger problem is that, because systrace is used to enforce security policy (rather than just trace process execution) is that if systrace validates any user-space buffers (eg pathnames) it must validate a copy that isn't mapped writably into the address space of any other programs, and then pass the copy into the system call. This is necessary whether the buffer is accepted as-is, or adjusted.

It is easy to see how a threaded program can circumvent such checks, but it is also possible for a non-threaded program to arrange to have a buffer area writable by another process.

Oh, and systrace has never been able to modify the arguments of netbsd32 (and linux32) emulated binaries.''

• Support C99 complex arithmetic was added by importing the "cephes" math library
• POSIX Message queues were added
• bozohttpd was added as httpd.
• the x86 bootloader now reads /boot.cfg to configure banner text, console device, timeout etc. - see boot.cfg(5)
• ifconfig(8) now has a "list scan" command to scan for access points
• SMP (multiprocessor) support is now enabled in i386 and amd64 GENERIC kernels
• Processor-sets, affinity and POSIX real-time extensions were added, along with the schedctl(8) program to control scheduling of processes and threads.
• systrace was removed, due to security concerns
• the refuse-based Internet Access Node file system was committed, which provides a filesystem interface to FTP and HTTP, similar to the old alex file system, see http://mail-index.netbsd.org/source-changes/2007/08/28/0081.html
• LKMs don't care for options MULTIPROCESSOR and LOCKDEBUG, i.e. it's easier to reuse LKMs between debugging/SMP and non-debugging/SMP kernels now.
• PCC, the Portable C Compiler that originates in the very beginnings of Unix, was added to NetBSD. The idea is that it is used as alternative to the GNU C Compiler in the long run.
• In addition to the iSCSI target (server) code that is already in NetBSD 4.0, there'a also a refuse-based iSCSI initiator (client) now, see http://mail-index.netbsd.org/source-changes/2007/11/08/0038.html

• Many driver updates and new drivers, see your nearest GENERIC kernel config file
• Many security updates, see list of security advisories
• Many 3rd software packages that NetBSD ships with were updated: ipsec-tools (racoon), GCC 4.1, Automated Testing Framework 0.4, OpenSSH 4.7, wpa_supplicant and hostapd 0.6.2, OpenPAM Hydrangea

So much on this subject for now. If someone's willing to help out with continuing Mark Kirby's NetBSD CVS Digest either using his software-setup or by simply reading the list and writing a monthly/weekly digest of the "interesting" changes, I'd appreciate this very much. Put me on CC: for your postings! :)

[Tags: alex, bozohttpd, c99, cephes, cvs, cvs-digest, digest, ian, iscsi, lkm, pcc, refuse, smp, systrace]

1. "Daten sicher löschen" (deleting files safely) talks about deleting files in a secure way. The article also mentions a NetBSD 4.0_BETA2 based Live CD called "NetBSD/Schrubber", an article and slides for a presentation about the topic that Stefan will give at the Chemnitz Linuxdays 2007.

2. "Systrace" contains an (also german language) introduction on what Systrace is and how to use it, including an article and presentation slides that Stefan gave at the GUUG Spring Talks 2007 and will give at the Chemnitz Linuxdays 2007.

See the sysjail homepage for more. If anyone tries this and has some experiences to share, please send mail to some NetBSD list (and CC: me :).

[Tags: jail, sysjail, systrace]