security research repository of nathan andrew fain / cyphunk

The Subterfugue process sandbox

These are tools that let one run a process and, in a sense, selectively debug by telling the tool to perform analysis when conditions are met in the kernel, such as when a certain argument is sent to sendto() one could replace it on the stack with their own value. You could write your own version of functions and hijack them with with LD_PRELOAD but being able to script instead of compile is significantly better for debugging.

There are several frameworks for such debugging available.  DTrace with RE:Trace (osx, sun), SystemTap on linux and vtrace for win32+linux, all scriptable.  My favorate as yet is Subterfugue though old its keep-it-simple-stupid methods have kept me coming back. Here is an example that changes the argument passed to a write() into rot13 ascii:

trans = string.maketrans('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ',

class Rot13(Trick):
    def callbefore(self, pid, call, args):
        m = getMemory(pid)
        address = args[1]
        size = args[2]
        data = m.peek(address, size)
        m.poke(address, string.translate(data, trans), self)

    def callmask(self):
        return { 'write' : 1 }

And the output:

bash-2.03$ sf --tri=Rot13 date
Jrq Sro  2 02:55:34 PFG 2000
bash-2.03$ sf --tri=Rot13 --tri=Rot13 date
Wed Feb  2 02:55:37 CST 200

So because Im too lazy to make a CVS commit, ill explain how you can revive it yourself. Hey! Really this is better. Its future proof: You wont have to worry about the software dieing if I go off to work at some draconian anti-opensource company just like all the other wonderful security engineers out there (Im looking at you Boomerang Decompiler). You wont have to worry because… within the next 5 minutes youll know how to maintain it yourself, kinda.

  1. Downgrade python:
    download and install python 1.5.2. You could try your luck with later versions but the object c methods are different and subterfugue needs these for heavy use of ptrace() hooking. Lets race to see who recodes them first. Anyway, whatever version to try be sure you have the from the python install sources.
  2. Update system call map:
    grab the strace sources. The system call map that subterfugue is using is dated from 2001 or so and needs to be updated for newer kernels. compare the in subterfugue to the syscallent.h of strace. From about array index 250+ is where the new entries start. To add them I just cut and paste to a new file, ran a replace routine for line in f.readlines(): print line.translate(string.maketrans(‘{}/*’,'()##’)). Also needed to be sure there there was no more than one flag in each array.
  3. make install and then test with a trick from /usr/lib/subterfugue/tricks/: sf –tri=Count date

If time permits I would like to rewrite the ptrace c shell using python 2+ methods. Until then, this works.

Published by

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s