system call tracker / News: Recent posts

syscalltrack 0.82 "Minty Chinchilla" released

A couple of contributed patches in this release, for using bigger log buffers and for matching against and logging a process's current working directory. Bugfixes, cleanups, the usual things :-)

Posted by Muli Ben-Yehuda 2003-02-05

syscalltrack 0.81 "Cruel Ducky" released

Well, at long last, here's 0.81, "Cruel Ducky". It has several kernel bug fixes, and support for matching void pointers and support for strace's follow forks mode. syscalltrack is a linux kernel module and supporting user space environment which allow interception and modifying system calls that match user defined criteria. Think of it as strace on steroids.

Posted by Muli Ben-Yehuda 2003-01-28

syscalltrack 0.80 "Tanned Otter" released

syscalltrack is linux kernel module and supporting user space environment which allow interception and modifying system calls that match user defined criteria. After a long hiatus, this is the long awaited 0.80 release.

Posted by Muli Ben-Yehuda 2002-11-24

0.73, "August Penguin", released

New release, lots of goodies, including:

* Added sctrace, an experimental strace(1) compatible tool based on
the syscalltrack framework. 'sctrace command' or 'sctrace -p pid'
will load rules matching the given executable (or pid) for all
supported system calls and log their invocation to the log file (or
log device).

* experimental logging device file, /dev/sct_log, and a utility to
control its behaviour, sct_logctrl. syscalltrack can now log system
call invocation either to syslog or directly to a device
file. Note that the format of information logged to the device file
will change in future versions (from text based to a binary
protocol).... read more

Posted by Muli Ben-Yehuda 2002-08-01

0.72 "bald hare" released

Support for many new system calls (read, write, fork and exit, to name the major ones) and many bug fixes. Better grab this release, it's extra crunchy!

Posted by Muli Ben-Yehuda 2002-06-23

logos gallery

Finally, we have some logos!
Check out, and vote for your favorite logo by sending me (mulix) mail.

Posted by Muli Ben-Yehuda 2002-06-09

version 0.71 released

A new version of syscalltrack has been released, the 0.71 "boxing iguana" release. This version is mostly bug fixes and cleanups, in preparation for exciting happenings in kernel space in the next release.

* add a 'get rule count' and 'get rules' API to to the
sct_ctrl_lib. 'get rule count' will return the number of currently
registered rules, 'get rules' will return to user space from the
kernel a linked list of the before and after rules for each system
call. ... read more

Posted by Muli Ben-Yehuda 2002-06-01

version 0.7 released

new version available. contains support for type-casting of structs (useful in socket calls),
experimental device-file control support (its working, just not yet the default), support for 'FAIL' actions, to automatically fail system calls without invoking them (in 'before' rules), and various other features and bug fixes.

Posted by guy keren 2002-02-25

proper logging of dynamic-cast structs

the previous addition of dynamic-cast of structs worked only in the filter - the logging was still done based on the static type of the struct.
now, the logging can also use a dynamic-cast, and this completes the dynamic-cast support for structs. the syntax for the cast in the config file is currently quite ugly and/or verbose - this will be handled in the future.

Posted by guy keren 2002-02-21

device-driver control for syscalltrack

the syscalltrack module now supports an alternative (and generaly more flexible) method of controlling it, using a device-driver's interface. currently the default control method is still the 'sysctl' interface, but this will most likely change soon. device driver code and initial protocol were done using mulix-time ;)

Posted by guy keren 2002-01-19

dynamic struct type-casting in rules

we now have basic support for struct type-casting in rules. this allows doing things like converting a 'struct sockaddr' to a 'struct sockaddr_in' in a 'connect' syscall rule, and checking that the IP address field is set to a given function, for example. curerntly, the config tool requires the parameters to be supplied as ints or shorts, which makes it hard to use them for socket calls, but new macros to make it easier - will be added later on.

Posted by guy keren 2002-01-19

version 0.66.6 released

mostly a bugfix release - it does add 'pcomm' and 'ppid' variables (parent command, and parent process ID), and fixes some bugs in sct_config's parser, most noteably bug with parsing unary operators.

Posted by guy keren 2002-01-04

version 0.66 released

This release adds support for tracking some socket calls, support for 'after' rules (rules which are checked after the system call invocation, which allows matching on the return value), support for the the 'in' operator in filters (PARAMS[1] in ("passwd", "/etc/nsswitch.conf")), and various bugfixes, optimizations, and code cleanups.

Posted by Muli Ben-Yehuda 2001-12-19

'in' operator support

the 'in' operator (testing if a value is inside a given vector of values) now works - it was supported inside the kernel module for a while - and now it's also supported by 'sct_config' - and thus can actually be used.

note: for strings, it performs a pattern match, rather tehn an exact match.

Posted by guy keren 2001-12-11

socket calls tracking - re-enabled

after disabling socket calls tracking in the last minute before release of 0.64, the problem that made us disable them (high potential for denying th ability to unload the module, and not allowing to unregister the socketcall hijack function) this feature was re-enabled (in CVS) - with only a minor problem of potentially locking the syscall_hijack.o module (but not the major, sct_rules.o module) in memory, while properly releasing any hijacked syscalls if all rules are deleted. since we intend to not allow unloading of syscall_hijack.o in the long run anyway (due to races inherent to using modules and syscall hijacking) this is not a big problem - and during development, under a controled environment, this locking of the module in memory can be easily overcome.

Posted by guy keren 2001-12-10

support for 'after' rules added

syscall tracker now supports both 'before' adn 'after' rules - that is, rules that are checked right before the syscall is executed, and rules checked right after it was executed. the later ('after') rules allow one to filter based on the syscall's return value (e.g. log only successfull opens of an some file) and logging this return value.

Posted by guy keren 2001-12-10

variables callback support

Amir has recently (last night?) finished implementing variable callbacks. this is an optimization that would allow us to calculate 'expensive' variables, knowing the calculation will be done on-demand (i.e. only when its realy needed). until now, all variables (PID, ID, COMM, syscall parameters) were calculated before the filtering rules were checked by the tracker.

Posted by guy keren 2001-12-10

version 0.64 released

About: The system call tracker is a Linux kernel module and supporting user space applications which allow interception of and
possibly taking action upon system calls that match user-defined criteria.

Changes: Filter expressions are now fully supported, including better error messages, and full parameter/variable type checking.
Unary operators ('~', '!') are now working. A bug in 'sct_config' that could cause crashes (due to a missing copy
constructor/assigment operator for a struct we pushed into an STL container) has been fixed, as well as a potential crash bug in
filter expressions evaluation in the kernel, and a few potential memory leaks.

Posted by Muli Ben-Yehuda 2001-12-02

basic support for 'multiplexed' syscalls added

some system calls are in fact multiplexing functions into a set of other syscalls (e.g. 'socketcall' is actually a mux for 'socket', 'listen', 'bind', 'recv', 'send', 'connect' etc.

basic support for multiplexing system calls was added to the kernel module, in a manner that is mostly transparent to the user-mode configuration utility. as a demonstration, support for the 'socket' kernel function (sub-syscall of 'socketcall') was added.

Posted by guy keren 2001-11-17

syscalltrack version 0.63 released

new version with new features, such as support for user-defined logging format, much better error reporting and checking by sct_config, support for new system calls, support for struct parameters to system calls, and fixing of memory leaks.

Posted by guy keren 2001-10-16

release 0.63 scheduled for Oct 17th

the subject says it all, doesnt it?
highlights for this release include:
* support for structures in system call parameters
* support for user defined logging formats
* preliminary support for filter expressions such as "UID == 3 && (PARAMS[0] > -3)"
* easier loading and unloading of the modules
* ver preliminary support for device file communications

Posted by Muli Ben-Yehuda 2001-10-12

basic user-defined logging format

the user-defined loging format feature allows the user, via a directive in the config file, to define the format of log records generated by the module, in a fassion similar to printf's format strings.

the feature works, and doesn't seem to cause any immediate crashes. sct_config/sct_example.conf contains an example usage of the 'log_format' directive.

Posted by guy keren 2001-10-01

basic 'struct' parameters support

basic support for 'struct' syscall parameters matching was added (available in the CVS repository). this allows matching on fields of numeric types in structures passed to system calls (such as settimeofday).

Posted by guy keren 2001-09-24

first alpha release (0.60)

the first _alpha_ versin of syscall track was released today. this version is meant mostly for hacker programmers, althought it already works, and might be somewhat useable - and it didn't crash a kernel lately. enjoy.

Posted by guy keren 2001-09-18

feature freeze for the 0.60 release is in effect

we are in a feature freeze from now until 0.60 is released. we are working on a set of tests and getting the release ready (documentation and bug fixes).
0.60 will be the first public alpha release, and we're very excited. watch this space for updates!

Posted by Muli Ben-Yehuda 2001-09-08