Intercepting glibc functions

The other day I came across an old forum post about logging exec calls to syslog without modifying code anywhere. I was intrigued; I didn’t know you could hook into glibc function calls like this. I wonder how far can this go? Naturally, I decided to take a quick whack at it myself, and I ended up coding a very basic implementation of Trusted Path Execution with it. I got good (although puzzling) results:

$ /tmp/ls
-bash: /tmp/true: Success

Well, it “worked”. The /tmp/ls (a copy of /bin/ls) binary didn’t output anything, and I did get a log entry:

AprĀ  3 23:09:12 localhost -bash: Denied exec of /tmp/ls

Tested with a few other binaries, it does work, I just apparently have to figure out how to properly handle the error.

Anyway, it’s been bugging me for a while that the only Mandatory Access Control (MAC) system available in RHEL/CentOS is SELinux. Don’t get me wrong, SELinux does a fair job, but I simply don’t like it. Not only is it a beast of a tool that you either have to deal with all of it, or turn it off, I prefer non-filesystem label systems such as grsecurity’s RBAC, or AppArmor, or SMACK, none of which are enabled in RHEL/CentOS.

So, what does a MAC system have to do with intercepting glibc functions? Well, some more searching on the topic lead me to an interesting project, libsandbox. Not quite the same implementation (it appears to be using ptrace instead of LD_PRELOAD), but the concept is similar. Only I think I can take it a step further, making it into a whole MAC system in and of itself. A MAC system that exists in userspace, and doesn’t require a specific kernel be installed.

Now, this method of intercepting calls won’t work on statically linked binaries, but that’s OK because most things in RHEL/CentOS are dynamically linked. Technically, an attacker could upload their own binaries to execute them and bypass the system, but not if tpe-lkm is installed on the system ;) So I at least have the framework for an idea here. And to get me going on working this into a proof-of-concept, I already came up with a working title:

GNU Linux Glibc Userspace Access Restriction Designator, or GL-guard.

Don’t laugh, I spent all of 2 minutes thinking of a title. I might replace the “D” word with something else further down the line, if this goes anywhere. I plan on uploading a very basic proof of concept to githup this weekend. Wish me luck!

One thought on “Intercepting glibc functions”

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>