Subterfuge with Subterfugue 97
toadnine writes "Things you never imagined you could do with Python and a 2.4 kernel... check out SUBTERFUGUE.
(Source: Need To Know)." A blue pill for applications.
Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.
here is the first few lines of that Web site... (Score:4, Informative)
In case of slashdot effect, here's the summary:
SUBTERFUGUE is a framework for observing and playing with the reality of software; it's a foundation for building tools to do tracing, sandboxing, and many other things. You could think of it as "strace meets expect."
Features
What is the point? (Score:1)
I'm not trolling, I just fail to see why they decided to use Python.
Re:What is the point? (Score:2, Insightful)
Because this is exactly the sort of thing python is good for. It's clean and encourages reuse, and it's easy to write quickly, even for relatively slow programmers.
In this case it was probably the C integration that made it work really well.
Re:What is the point? (Score:1)
Just my 2-cents.
Re:What is the point? (Score:1)
Much of the time, speed of implementation counts for more than speed of execution.
Mike
Re:What is the point? (Score:3, Insightful)
The first is that the options you pass to trick the program are actually python code, if you look at the tutorial on the site.
The second is that you can easily extend the thing to write new tricks without recompilation. The tutorial actually demonstrates how the current tricks are written so that you can write your own. Granted, you could do this just as well in C or whatever, but this way the program can be directly modified with ease and no recompiles. This is important both to the original developer and the user who wants to extend it (which will be plenty of users, I'm sure).
Overall, he says that a lot of the code will be moved in to C at some point for additional speed, but I'd imagine that prototyping your trick in python first will be the standard. Hmmm... it might finally be time for me to sit down and learn Python after doging it for years.
Re:What is the point? (Score:2, Informative)
Mike
Re:What is the point? (Score:1)
Slashdot effect in effect = some questions (Score:2, Interesting)
Cuz if it doesn't one could easily make this very useful for multimedia work. Add GIMP text to movie while compressing to mpeg.
Re:Slashdot effect in effect = some questions (Score:1)
Christ don't moderators read before they mod. Wait,
Um, as I was saying...
Re:Slashdot effect in effect = some questions (Score:3, Interesting)
In short, that's not what this is good for.
If you want to add your text to a movie while compressing it, there are already good plugin-based frameworks for doing that sort of thing (I won't name names since it depends on whether you're trying to do streaming compression, compression to disk, etc)... but even writing your own framework to do the overlay and passing the result into an MPEG encoder yourself would be much, much easier than trying to do syscall-level interception of the data.
Re:Slashdot effect in effect = some questions (Score:1)
It would be potentially useful for trying out ideas like this, but as another poster noted, it's not really intended for permanent implementations of such things.
Mike
Finally an honest, true opinion of *nix security (Score:1, Interesting)
I for one have to agree... though i am no kernel hacker i have at least given a laymans browse through some networking code and from my opinion(a programming student) the *nix kernel and general code of the *nix's does not haven more defense against hacking...
i kind of agree with thos that say that *nix is apred because there is much less motivation to hack it... not many script kiddies run it so they would rather us windows to nuke windows... as soon as the long predicted switch over to linux happens (however quickly) then *nix WILL have the same problems as win...
i think this is the type of project that we as a commmunity should really try to rally around and help out...
'nother quote...
The primary goal of SUBTERFUGUE is to help you keep control of your computer
so if you can help do so now... and please everyone we need to look into the security issues before they become vulerabilities...
Re:Finally an honest, true opinion of *nix securit (Score:3, Informative)
"A chain is only..."
That's where *nix has (or seems to, anyway) have it all over Windows in reference to secutity. I have several processes on my XP laptop that run with root privs, and do so by default unless I want to really do some hacking and change the privs they have. (I can do it, but have much better things to do) A buffer overflow later I can be hacked to death.
(Aside: To all "yuo skr1p7 k1d33z", I'm behind a good firewall. And patched to the 9s.
Only having tight, secure networking code does not good security make, though it is probably the most important. The whole must be designed to be secure or it all falls down.
Soko
Re:Finally an honest, true opinion of *nix securit (Score:1)
Re:Finally an honest, true opinion of *nix securit (Score:1)
A system with a good design won't require checks to be spread throughout the implementation; rather, they'll be at well-defined points. Assumptions (as to what kind of input to accept, for instance) will be well-defined, explicit where necessary, and documented. Much of this is not the kind of thing you pick up from looking at the low-level code.
Finally, a reminder: For a long time, UNIX was the only game in town. It hosted the huge university servers and was having security issues addressed in all likelihood well before you were born. It's thus rather funny to see one saying that Windows appears more vulnerable because it is attacked more -- as UNIX systems were handling attacks long before Windows even existed.
Spend five years or so actually doing design and implementation work; then maybe you'll be qualified to make the kind of statement you just did.
Re:Finally an honest, true opinion of *nix securit (Score:1)
well i dont really understand why i was modded flamebate because i meant no flaming... i simply wish for *nix to get more secure... i beleive that this new tehcnology will help very much... and i was quoting from the article itself and then agreeing to it...
also as for my personal experiance in programming i have been learning to program for over 5 years now and what i meant was that I actually have taken a look at some of the code unlike many security experts who gain their entire base of knowloedge form a user standpoint... i believe that right NOW *nix is more secure but who knows what would happen if there was a flood of people going over to use it...
what i meant was that there would be a bigger motivation to hack it... right now not many people wanna try and mess with *nix but i beleive that *nix needs to prepare... i have not seen very much actual security defense other than sinply 'ive never been hacked' which makes me afraid...
my point is that *nix IS more secure NOW but who knows where it will go in the FUTURE... i just wish it stays as secure as it is now... im just kinda tired of people putting blind faith in *nix... i put my faith in it too but thats because i have looked into some wide spread problems and i think that *nix is the answer and we must all try and help... no flame intended
Application Firewall (Score:5, Interesting)
Firewalls like ZoneAlarmPro let the user keep an eye on which programs are accessing the network, but don't provide much more granularity than that - and do nothing to protect/inform the user about what the application may be doing locally (filesystem access, etc). With a tool like this, a very granular application-level firewall could be created that would enable you to peek at the app down to any level, whether you wanted to know exactly which network connections it was making (each individual socket - rather than ZoneAlarmPro's "yes, allow this to access the network" which then lets the app do any connections it wants), or whether you wanted to see which files it accessed and/or prevent that access.
Sounds great!
Re:Application Firewall (Score:1)
Re:Application Firewall (Score:1)
Yes, I actually use several of these (particularly RegMon lately) and love them - but as you pointed out they are only good for external observation, not for altering the 'reality' of the applications environment as Subterfuge apparently can do, or for preventing an access as a Firewall can/should. But I guess knowing who's spying on you and how is a good first step, even if we can't prevent it yet ;)
Re:Application Firewall (Score:1)
Re:Application Firewall (Score:3, Funny)
Paraphrasing from the page: "it is slow. About 10x slower than normal. Running Netscape under subterfuge is like running Netscape remotely and displaying it over a 28.8 connection".
yes I use Windows
Never mind... you won't notice the difference.
Re:Application Firewall (Score:1)
The site mentions that speed is *not* their primary goal here, but rather simplification of the development of Tricks. But they also say that they expect speed to improve - and of course if it were written in a lower level language it could be optimized further, etc. We've also got to take into consideration Moore's law, etc - I just think the technology here is interesting and could make my granular "Application Firewall" a much simpler (and closer) reality
Norton Internet Security has per-app permissions (Score:2)
Norton purchased the rights to WRQ's AtGuard(tm) product, and now markets it as their own. It can restrict network access on a per port and a per application basis.
While there are a few annoying bugs still seemingly in the product (from my viewpoint anyway; the most annoying one being that launching "C:\Program Files\Directory\Item.exe", "C:\Progra~1\Direct~1\Item.exe", "C:\Program Files\Direct~1\Item.exe", etc., all are treated as seperate applications), for the most part, it works. It has privacy controls to block HTTP referers, cookies, trojan blocking (although if a legit application binds to a trojan port, watch out), etc.
And if I did not mention, while this product was called AtGuard, it worked on Windows 95/98 back in 1999 [wrq.com], and still works on Windows XP, so it has been around. Now if only someone made a product with the file restriction permissions per application that Subterfugue seems to do...
Re:Application Firewall (Score:1)
- Access to the Network
- Access to the Registry
- Access to the File System
- Access to the Windows OS (OLE, DCOM, ActiveX etc.)
For each of these, you can set very fine grained controls. For example, you can restrict "Notepad" to only be able to access
Generally a very good piece of software, I watched it catch Nimda purely through its behavior, not a signature.
Re:Application Firewall (Score:1)
Re:Application Firewall (Score:1)
Re:Application Firewall (Score:1)
my
Re:I have the way out! (Score:1)
Do you really need to? (Score:2)
Pity that with the license requirements I'll never test it, as I like to experiment with operating systems.
ummm... (Score:2, Informative)
Re:ummm... (Score:1)
"... you take the blue pill: the story ends. You wake up in your bed and believe whatever you want to believe. You take the red pill: you stay in wonderland, and I show you how deep the rabbit-hole goes."
As the blub states: "A blue pill for applications." You can get the applications to "believe whatever you want [them] to believe".
Re:ummm... (Score:1)
Mike
Ultimate test suite. (Score:1)
suite tool box, from the looks of it you could
use this to stress test your application in all
sorts of ways. Want to know how your app deals
with some level of network or system misbehavior,
it would be very easy to write a pass through
script that would mangle 1 in 300 characters read
off the wire, or produce a randomised map of
'bad' sectors on the storage volume that
can be written to but not read from.
Bad signals, subtly wonky devices etc. would all
be trivially easy to emulate, this is a tool you
would want if you really want to make your
app bulletproof.
YES! (Score:1)
Although it hasn't been done yet, it'd be possible to write a fake-ptrace trick (along the lines of qtrace aka mec) which would allow you to fake a disk full while running the program in question under gdb (or strace or whatever).
Mike
Higher Levels Bad? (Score:1)
Wouldn't writing Kernel code in a higher level language put it in more of a position to be "used in a manner not intended"
The higher up the language scale you go you get more and more vauge with your literal meanings of code...
By adding more and more layers you open yourself up to more and more exploits at the Kernel level... So why re-invent the wheel.... It works... It works well.... So why change...
Re:Higher Levels Bad? (Score:1)
Re:Higher Levels Bad? (Score:1)
In any case, it's not any kind of security hole, because it doesn't rely in any way on anything but vanilla kernel behavior. (It is a "security" headache to an application that's planning to do something sneaky, but that's intended.)
Mike
Re:Higher Levels Bad? (Score:1)
The wonders of open source! (Score:1)
Sure, it's very interesting that Linux has a system interface that's so straightforward that it can be easily manipulated in sort-of-real-time by a simple scripting language, and I'm sure you have to be root to run it, but somehow the fact that somebody's already put together something like this, even just as a proof-of-concept, really makes me less confident about Linux, not more.
Maybe it's just the whole Matrix-like undertones.*
*ObGeekFiction: Actually, the first literary reference that came to my mind was Hiro's "BigBoard" in Snow Crash. (Looks like someone is working on the Metaverse [geocrawler.com] too...)
Re:The wonders of open source! (Score:3, Insightful)
but somehow the fact that somebody's already put together something like this, even just as a proof-of-concept, really makes me less confident about Linux, not more.
So let me get this straight... Because the system is more-or-less fully documented and has straightforward and clean APIs that allow you to poke and prod at it in a well-defined manner you are less confident about the OS? I'm sure glad you don't design cars or houses or medical equipment, that's for damn sure.
Re:The wonders of open source! (Score:2)
You're trolling, but I'll bite.
Sure, it's very interesting that Linux has a system interface that's so straightforward that it can be easily manipulated in sort-of-real-time by a simple scripting language
People have already pointed out the 'application firewall' use, and probably the fantastic debugging uses. It's not just interesting, it's dang useful. Think about how people could use it to chase down possible buffer overflows. Force the system to return something other than what your program expects. How does it respond? Gracefully? Die an ugly death? Maybe I should fix that... :-)
and i'm sure you have to be root to run it
Maybe not. So long as it's enabled in the kernel, you should be able to make use of it. strace and truss and their ilk have been doing the 'trace system calls' thing for years. This is just more powerful.
but somehow the fact that somebody's already put together something like this really makes me less confident about Linux, not more.
Already? I have no clue what you're talking about. Linux has been around for more than a decade. Python's been around for almost a decade too. Unix has been around in some form since the late 60's. Already in the 2.4 kernels? They've been around for more than a year.
Re:The wonders of open source! (Score:1)
Root is not required, though it may be run as root. It makes use of nothing not already present in the Linux 2.4 kernel; nothing needs to be enabled. It really doesn't do anything you couldn't do yourself with gdb, if you were really clever and patient. :-)
Mike
Capability OS's (Score:2, Interesting)
Take a look at capability operating systems [google.com]. That how the design flaw should really be solved.
loz
Re:Capability OS's (Score:5, Interesting)
Yes, a pure capability system is the state-of-the-art in computer security (assuming you have an intelligent way of handing out capabilities -- a problem I have not seen the solution to yet).
But, you should note that if you can run a per-system call check (which Subterfuge seems to let you), you can implement a capability system on top of UNIX! The whole point of Subterfuge is that you can insert your own algorithm for deciding if process P can perform action A. This allows you to implement ACL's, capabilities, or whatever you can think up! The speeed will be underwhelming (though much optimization is possible), but it will work, right now, with all of your existing programs.
Show me a pure capability system that does this, and I will eat my hat (and then run said system). Bonus points if it supports all the hardware Linux runs on.
ps, for a good introduction to capabilities the state of such operating systems research visit the EROS website [eros-os.org] and visit the "introductory essays" section.
Re:Capability OS's (Score:3, Informative)
It seems more like a system emulation package that runs in user space, and within which a program can be executed (by the emulator). The emulator then passes any calls it chooses to the system in a normal way, traces what it chooses, throws any it chooses into the bit bucket, etc.
Sounds like a nice tool, but not an OS kind of system.
Re:Capability OS's (Score:1)
Mike
Re:Capability OS's (Score:1)
I don't know enough about capabilities to have much of an opinion. It seems like a useful feature, though it's pretty coarse-grained and requires root assistance.
SUBTERFUGUE does many things--it wasn't intended to address this problem exlusively or in an optimal way.
Mike
prototype fault-tolerant file system (Score:5, Interesting)
I got it working in a couple of days. Working in a high-level language and all in user-space really simplified the task.
Re:prototype fault-tolerant file system (Score:1)
Mike
Perl in the Linux kernel? (Score:2)
Re:Perl in the Linux kernel? (Score:5, Informative)
I haven't ever heard about it, until I read your comment. After a quick Google searching I found some info about it.
In the Summer 2000 issue of The Perl Journal, Simon Cozens wrote Perlix, The Perl Operating System [samag.com] article:
Very interesting text, he mentions Tom Christiansen's Perl Power Tools: The Unix Reconstruction Project [perl.com] - "Our goal is quite simply to reimplement the classic Unix command set in pure Perl, and to have as much fun as we can doing so." I like the simple version of cat [perl.com]:
Simon Cozens also writes about Gregor Purdy's Perl Shell [focusresearch.com] (psh) - "The Perl Shell is a shell that combines the interactive nature of a Unix shell with the power of Perl. The goal is to eventually have a full featured shell that behaves as expected for normal shell activity. But, the Perl Shell will use Perl syntax and functionality for control-flow statements and other things." - and about Claudio Calvelli's Linux filesystem written in Perl (PerlFS), but the link [assurdo.com] is dead and I couldn't find the new PerlFS home page (anyone knows it?).
On 2000-09-26 the SF Project: Perlix Kernel [sourceforge.net] was registered by Bill Dahab [sourceforge.net]. The Perlix.sf.net [sourceforge.net] homepage is empty, the Development Status is Planning. The stats [sourceforge.net] show more activity a year ago. Here's the summary:
Let me also quote the latest news [sourceforge.net] about Perlix:
I also found Greg McLearn's Perl Operating System: Initial Planning Stage [uwaterloo.ca] from 2001-11-23:
It sounds very interesting and I'm going to find out more about the current stage of Perlix/PerlOS development (if any). If anyone knows something interesting, please let us know.
Neat hack, but... (Score:4, Informative)
People seem to be assuming that subterfugue is kernel code. I just looked at the source, and it's not. It depends on some kernel patches for 2.3.x, but subterfugue itself is a user-level syscall interceptor. When they refer to sf as the subterfugue driver, they mean "driver" in the mushy sense of "anything that's not an application is a driver", not in the precise sense of something that gets loaded into the kernel. Also, only programs (and their descendants) run explicitly via subterfugue are affected at all; it doesn't hook in at a level that allows it to operate on arbitrary processes.
Subterfugue is basically a Python wrapper for strace, so you can inspect and modify syscalls and their arguments in Python instead of in C. Yes, it's neat, but not nearly as neat as being able to implement real drivers or network protocols or filesystems in Python (like this [lwn.net]).
Re:Neat hack, but... (Score:1)
Sometimes you do want to do things on a system level, and there are several other tools out there that take this approach. The right tool for the right job.
FUSE (and several other tools like it) is cool. It's solving a different problem. As above, different tools for different tasks.Mike
Just what the Unix world needs... (Score:4, Interesting)
This is one of those nasty little types of hacks that was the main inspiration for Apple going to OS X. To those of you who don't know much about it, every version of MacOS Classic to be seen by the public has a mechanism for subverting system calls that has seen especially heavy use since System 7 (rumor has it that the majority of upgrades to the system have been done this way, at least up until OS 8.5 or so, because no one knows how to operate the Classic build scripts anymore). It's actually routine to short-circuit the Mac Toolbox when doing low-level programming.
If you want some real strange fireworks, get an old (68k) Mac running some version of System 7 and a copy of an extension called Screwy. AFAIK it was written as a prank and will break every UI call in the system without actually crashing anything (at least not immediately). Really sick.
/Brian
Re:Just what the Unix world needs... (Score:1)
Mike
Re:Just what the Unix world needs... (Score:3, Informative)
And I always thought that the reason MacOS did so much trapping was just to keep things modular. Upgrades to the Toolbox might have required traps if the Toolbox resided on ROMs... And there's nothing essentially wrong with trapping the way MacOS did. The reason it felt dirty was because of the lack of protected memory. If an application didn't work well with some extension, it wouldn't necessarily die quietly.
Am I full of it? Some Mac weenie want to correct me?
Re:Just what the Unix world needs... (Score:2)
Patching traps was skanky programming but it was necessary. That doesn't make it a good idea now, when on-chip caches are larger than the entire memory bank on the original Mac, which is why Apple did away with it completely rather than try to add equivalent functionality to Rhapsody/Darwin.
All I can say is this: Subterfugue has its legitimate uses, most of which involve reverse-engineering and packet-sniffing (developing a Linux driver for an iPod comes to mind as one application). Any application developer who uses it in a program deserves to be hurt; "patching traps" and/or the equivalent is the API equivalent of a "come from" statement and anyone who feels that it's critical to serious application development is either perverse or lazy.
/Brian