Blocking ptrace system calls to prevent process injection attacks
To prevent a process injection attack, which could lead to access to encrypted data by a tampered process, Thales implemented a global blocking for the ptrace system call. The purpose of this feature is to provide configurable options for disabling the ptrace system call based on user need. CTE provides toggle options on CipherTrust Manager based on the dynamic parameter which allows a security administrator to select which binaries are protected from ptrace attachment.
This change can be very invasive and block legitimate uses of the ptrace system call.
Options
There are three new options:
Enabled_For_Authenticators
The CTE binaries and the binaries specified in the authenticator list are protected from the ptrace attachment. Other binaries are not protected from the ptrace attachment. (Default behavior)
Enabled_For_All
All of the installed binaries are protected from ptrace attachment. This protects from a tampered processes causing process injection attacks through the ptrace attach call.
Disabled_For_All
The CTE binaries are protected from ptrace attachment but the binaries specified in the authenticator list are allowed to attach to a ptrace system call. This solves the problem of a user trying to attach a ptrace system call to one of the binaries specified in the authenticator list for other use cases. Other binaries are not protected from the ptrace attachment.
If you select Disabled for All, make sure that you set the log level on CipherTrust Manager to WARN or higher. If it is set to the default log level of ERROR, there will not be any messages related to ptrace logged in the vmd.log file.
Configuration
To configure blocking the ptrace system call:
-
Log on to CipherTrust Manager.
-
Click Transparent Encryption.
-
Click on the desired client name to open it.
-
In the Advanced Security Configuration, click View/Edit Settings link.
-
Select the appropriate option and click save.