-=* Known limitations of ptace-based security policy enforcement *=- Some programs such as Systrace[1] can make use of the ptrace mechanisms to control the parameters of every syscall used by a given process. This is possible due to the call to syscall_trace() just a few instructions before calling the syscall's function. syscall_trace() sets the traced task's state to TASK_STOPPED, makes it sleep and wakes the parent which will be able to analyze the call through ptrace(). Now that the traced task is sleeping, what happens if it receives a signal ? Tavis Ormandy discovered that up to and including 2.4.35.4, if a traced task in a TASK_STOPPED state receives either a SIGCONT or SIGKILL signal, it resumes its execution and completes its syscall without the parent being able to act in any way. With SIGCONT, execution resumes normally, and confuses the parent which sees a running task where it would expect a stopped one. With SIGKILL, the task is really killed right after the syscall completion. In both cases, if the parent was responsible for checking the syscall parameters, its control can be bypassed using this trick. While the situation is easily fixable in the case of the SIGCONT signal (and will be fixed in version 2.4.36), it looks like it will not be fixed without a massive change in the way ptrace works on all architectures, which is clearly not an option at this stage of the stable 2.4 branch. It was demonstrated that although extremely difficult because of timing race and also because only one attempt is permitted, forking processes, creating files or directories, and other single-syscall actions may escape from the control of the parent. In all situations, the parent will notice that the traced process is running again and/or has a wrong syscall number. It is recommended that programs designed to monitor and/or control other process activities using ptrace report alerts when the monitored process gets suddenly killed or unexpectedly wakes up while its syscall parameters are being checked. References : ------------ [1] http://www.systrace.org/ Status of this document : ------------------------- Revision : 1.0 Created : 2007/12/09 - Willy Tarreau Updated : 2007/12/09