Provos' systrace (2002)


A system-call interposer with argument observation mechanism

Knowledge domain directly at the syscall level

TOCTOU problems with system calls taking pointers to pointers..

Not easy to use intelligently

In 2003, I was saying we needed a way to classify system calls
into "groups"




We failed to use systrace in a mandatory fashion

Only one success story: the OpenSSH pre-authentication sandbox
(not a total loss, got us through 10 years..)