system call tracker / News: Recent posts

A couple of contributed patches in this release, for using bigger log buffers and for matching against and logging a process's current working directory. Bugfixes, cleanups, the usual things :-)

Well, at long last, here's 0.81, "Cruel Ducky". It has several kernel bug fixes, and support for matching void pointers and support for strace's follow forks mode. syscalltrack is a linux kernel module and supporting user space environment which allow interception and modifying system calls that match user defined criteria. Think of it as strace on steroids.

syscalltrack is linux kernel module and supporting user space environment which allow interception and modifying system calls that match user defined criteria. After a long hiatus, this is the long awaited 0.80 release.

New release, lots of goodies, including:

* Added sctrace, an experimental strace(1) compatible tool based on
the syscalltrack framework. 'sctrace command' or 'sctrace -p pid'
will load rules matching the given executable (or pid) for all
supported system calls and log their invocation to the log file (or
log device).

* experimental logging device file, /dev/sct_log, and a utility to
control its behaviour, sct_logctrl. syscalltrack can now log system
call invocation either to syslog or directly to a device
file. Note that the format of information logged to the device file
will change in future versions (from text based to a binary
protocol).... read more

Support for many new system calls (read, write, fork and exit, to name the major ones) and many bug fixes. Better grab this release, it's extra crunchy!

Finally, we have some logos!
Check out http://syscalltrack.sourceforge.net/logo.html, and vote for your favorite logo by sending me (mulix) mail.

A new version of syscalltrack has been released, the 0.71 "boxing iguana" release. This version is mostly bug fixes and cleanups, in preparation for exciting happenings in kernel space in the next release.

* add a 'get rule count' and 'get rules' API to to the
sct_ctrl_lib. 'get rule count' will return the number of currently
registered rules, 'get rules' will return to user space from the
kernel a linked list of the before and after rules for each system
call. ... read more

new version available. contains support for type-casting of structs (useful in socket calls),
experimental device-file control support (its working, just not yet the default), support for 'FAIL' actions, to automatically fail system calls without invoking them (in 'before' rules), and various other features and bug fixes.
enjoy.

the previous addition of dynamic-cast of structs worked only in the filter - the logging was still done based on the static type of the struct.
now, the logging can also use a dynamic-cast, and this completes the dynamic-cast support for structs. the syntax for the cast in the config file is currently quite ugly and/or verbose - this will be handled in the future.

the syscalltrack module now supports an alternative (and generaly more flexible) method of controlling it, using a device-driver's interface. currently the default control method is still the 'sysctl' interface, but this will most likely change soon. device driver code and initial protocol were done using mulix-time ;)

we now have basic support for struct type-casting in rules. this allows doing things like converting a 'struct sockaddr' to a 'struct sockaddr_in' in a 'connect' syscall rule, and checking that the IP address field is set to a given function, for example. curerntly, the config tool requires the parameters to be supplied as ints or shorts, which makes it hard to use them for socket calls, but new macros to make it easier - will be added later on.

mostly a bugfix release - it does add 'pcomm' and 'ppid' variables (parent command, and parent process ID), and fixes some bugs in sct_config's parser, most noteably bug with parsing unary operators.

This release adds support for tracking some socket calls, support for 'after' rules (rules which are checked after the system call invocation, which allows matching on the return value), support for the the 'in' operator in filters (PARAMS[1] in ("passwd", "/etc/nsswitch.conf")), and various bugfixes, optimizations, and code cleanups.

the 'in' operator (testing if a value is inside a given vector of values) now works - it was supported inside the kernel module for a while - and now it's also supported by 'sct_config' - and thus can actually be used.

note: for strings, it performs a pattern match, rather tehn an exact match.

after disabling socket calls tracking in the last minute before release of 0.64, the problem that made us disable them (high potential for denying th ability to unload the module, and not allowing to unregister the socketcall hijack function) this feature was re-enabled (in CVS) - with only a minor problem of potentially locking the syscall_hijack.o module (but not the major, sct_rules.o module) in memory, while properly releasing any hijacked syscalls if all rules are deleted. since we intend to not allow unloading of syscall_hijack.o in the long run anyway (due to races inherent to using modules and syscall hijacking) this is not a big problem - and during development, under a controled environment, this locking of the module in memory can be easily overcome.

syscall tracker now supports both 'before' adn 'after' rules - that is, rules that are checked right before the syscall is executed, and rules checked right after it was executed. the later ('after') rules allow one to filter based on the syscall's return value (e.g. log only successfull opens of an some file) and logging this return value.

Amir has recently (last night?) finished implementing variable callbacks. this is an optimization that would allow us to calculate 'expensive' variables, knowing the calculation will be done on-demand (i.e. only when its realy needed). until now, all variables (PID, ID, COMM, syscall parameters) were calculated before the filtering rules were checked by the tracker.

About: The system call tracker is a Linux kernel module and supporting user space applications which allow interception of and
possibly taking action upon system calls that match user-defined criteria.

Changes: Filter expressions are now fully supported, including better error messages, and full parameter/variable type checking.
Unary operators ('~', '!') are now working. A bug in 'sct_config' that could cause crashes (due to a missing copy
constructor/assigment operator for a struct we pushed into an STL container) has been fixed, as well as a potential crash bug in
filter expressions evaluation in the kernel, and a few potential memory leaks.

some system calls are in fact multiplexing functions into a set of other syscalls (e.g. 'socketcall' is actually a mux for 'socket', 'listen', 'bind', 'recv', 'send', 'connect' etc.

basic support for multiplexing system calls was added to the kernel module, in a manner that is mostly transparent to the user-mode configuration utility. as a demonstration, support for the 'socket' kernel function (sub-syscall of 'socketcall') was added.

new version with new features, such as support for user-defined logging format, much better error reporting and checking by sct_config, support for new system calls, support for struct parameters to system calls, and fixing of memory leaks.

the subject says it all, doesnt it?
highlights for this release include:
* support for structures in system call parameters
* support for user defined logging formats
* preliminary support for filter expressions such as "UID == 3 && (PARAMS[0] > -3)"
* easier loading and unloading of the modules
* ver preliminary support for device file communications

the user-defined loging format feature allows the user, via a directive in the config file, to define the format of log records generated by the module, in a fassion similar to printf's format strings.

the feature works, and doesn't seem to cause any immediate crashes. sct_config/sct_example.conf contains an example usage of the 'log_format' directive.

basic support for 'struct' syscall parameters matching was added (available in the CVS repository). this allows matching on fields of numeric types in structures passed to system calls (such as settimeofday).

the first _alpha_ versin of syscall track was released today. this version is meant mostly for hacker programmers, althought it already works, and might be somewhat useable - and it didn't crash a kernel lately. enjoy.

we are in a feature freeze from now until 0.60 is released. we are working on a set of tests and getting the release ready (documentation and bug fixes).
0.60 will be the first public alpha release, and we're very excited. watch this space for updates!