Internet Anthropologist Think Tank: Black Hat: Dtrace a Rootkit?

    Friday, February 22, 2008
    Black Hat: Dtrace a Rootkit?
    February 22, 2008
    By Sean Michael Kerner

    WASHINGTON, D.C.--Sun's Dtrace application was developed primarily as a tool to help monitor functions on Solaris. According to a pair of security researchers at the Black Hat conference, you can also use Dtrace as the basis for a rootkit-like tool for offensive and defensive security operations.

    At the conference, security researcher Tiller Beauchamp noted that Sun created Dtrace in 2003 and released it as part of Solaris 10 in 2005 under the CDDL open source license. Later, Apple incorporated it into Mac OS X Leopard.

    At its core, Dtrace is a framework for performance observability and debugging in real time. Beauchamp explained that the way it works is you set probes at the places you're interested in and define the action you want to take, which is usually some kind of measurement or recording.
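    The probe-and-action model Beauchamp describes, shown as a short D script. This is an added example written for this page, not code from the talk or from Sun; it assumes a Solaris 10 or Mac OS X Leopard host with the `syscall` provider available, and the process name "sshd" in the second clause is a constructed placeholder for whatever process a defender wants to watch.

```dtrace
#!/usr/sbin/dtrace -s
/*
 * Added example (not from the original article): two probe/action pairs
 * that only record, never modify, what the system is doing.
 *   1. Log every exec-family system call as it is entered, so new process
 *      launches can be audited with timestamp, uid, parent and target path.
 *   2. Count system calls by name for one process of interest (placeholder
 *      name "sshd") and print the summary when the script exits.
 */
#pragma D option quiet

/* Probe: entry to any exec* syscall. Action: print a one-line audit record.
 * copyinstr(arg0) copies the path argument out of user space. */
syscall::exec*:entry
{
    printf("%Y uid=%d pid=%d parent=%s exec=%s\n",
           walltimestamp, uid, pid, execname, copyinstr(arg0));
}

/* Probe: entry to every syscall. Predicate restricts it to one process name.
 * Action: aggregate a count keyed by the syscall function name. */
syscall:::entry
/execname == "sshd"/
{
    @calls[probefunc] = count();
}

/* When the script is stopped (Ctrl-C), print the per-syscall totals. */
END
{
    printa("%-20s %@d\n", @calls);
}
```

    Run it as root with `dtrace -s script.d`. Because neither clause uses a destructive action (nothing here requires the `-w` flag), the traced applications keep running normally, which is the point Weston makes below about Dtrace being an observer rather than a debugger.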

    Beauchamp said Dtrace combines system performance, statistic debugging information and execution analysis in one tight package.

    "It's a real Swiss Army knife for reverse engineers," he added. Security researcher David Weston noted that Dtrace is an all-seeing eye into a system and its applications with few things that are off-limits. Weston and Beauchamp noted that they could use Dtrace as a basis not just for reverse engineering but for exploit purposes as well.

    "It's like a friendly programming rootkit that lets you see everything," Weston said.

    Weston commented that Dtrace is not a debugger, since Dtrace allows applications to continue normally, showing a user what's going on without breakpoints.

    On its own, Weston explained, Dtrace does not allow a user to perform destructive action. Dtrace can be combined with other tools, however, to become destructive.

    According to Weston, using Dtrace in a few lines of script is significantly more complex for the security researcher than writing script with a common rootkit.

    Weston also detailed how a user could manipulate Dtrace to perform what he referred to as "snooping," which is essentially what a keystroke logger does.

    This article was first published on To read the full article, click here.
