UMAL : User Mode API Limiter

What's UMAL?

UMAL is an API limiter tool for non-root users, such as web-hosting users.
Currently UMAL can check the open and exec APIs with the real path name. In the near future UMAL will be able to check the unlink and socket APIs and so on.

What can UMAL check?

UMAL checks APIs, so it can check all file access, network sockets and so on. Of course UMAL checks forked processes too. But UMAL is only an API limiter, so it can never check SQL injection and the like.


Experimental release (for developers; only the exec and open APIs are supported).
It is only for FreeBSD/i386. A Linux version will be available in the far future.

Usage Example

1. Dump API usage log

To make a white list of API calls, dump the API usage log (with the -c option).

umal -c -o apiusage.log some_application arguments

If you use it in CGI/Perl, the first line will be the following.

#!umal -c -o apiusage.log /usr/bin/perl

2. Make white list from dumped log

< apiusage.log > whitelist

3. Edit white list (if you need)

Make the white list from the apiusage.log file. But sometimes that is not good enough. For example, a CGI program may write files whose names carry a serial number. In this case you can use a directory permission.
The syntax is the following.

1st char: which API
  W  open for write
  R  open for read
  S  exec SETUIDed file
2nd char: file path match pattern
  f  the following argument is the exact file path
  d  match argument[^\/]* (the argument followed by anything except '/')
  D  match argument.* (the argument followed by anything)
3rd char: always ':', and the following is the file path.

4. Run with umal

Now you can run with umal. If the target application uses an API call that is not in the white list, UMAL sends SIGKILL to the process.

umal -l whitelist -o apiusage.log some_application arguments
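As an added example (not code from UMAL or from this page), the following Python implements the white-list rule syntax of step 3 and the allow-or-kill decision of step 4 so that a white list can be checked against a trace offline before running with umal. The sample white list and the sample trace are constructed; the file paths in them are assumptions, and representing each traced call as an (API code, real path) pair is an assumption, since the page does not give the format of apiusage.log.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# 1st char of a rule: which API the rule permits (codes as described on the page).
API_CODES = {"W": "open for write", "R": "open for read", "S": "exec SETUIDed file"}
# 2nd char of a rule: how the rule path is matched against the real path of the call.
MATCH_CODES = {"f": "exact file path", "d": "argument[^/]*", "D": "argument.*"}

# Constructed sample white list (assumed paths); one rule per line, 3rd char is ':'.
SAMPLE_WHITELIST = """\
Rf:/etc/passwd
RD:/usr/local/lib/perl5/
Wd:/var/www/data/counter.
Sf:/usr/bin/passwd
"""

# Constructed sample trace of (API code, real path) calls, in program order.
# The third call is a CGI writing a serial-numbered counter file, which the
# 'Wd' rule above covers; the fourth descends into a subdirectory, which it does not.
SAMPLE_TRACE = [
    ("R", "/etc/passwd"),
    ("R", "/usr/local/lib/perl5/5.8/strict.pm"),
    ("W", "/var/www/data/counter.0042"),
    ("W", "/var/www/data/counter.0042/nested"),
    ("S", "/usr/bin/passwd"),
    ("W", "/etc/passwd"),
]


@dataclass(frozen=True)
class Rule:
    api: str   # 'W', 'R' or 'S'
    mode: str  # 'f', 'd' or 'D'
    path: str  # everything after the ':'

    def matches(self, api: str, real_path: str) -> bool:
        """True if this rule permits the call (api, real_path)."""
        if api != self.api:
            return False
        if self.mode == "f":
            return real_path == self.path
        if self.mode == "d":
            # argument[^/]*: the rule path followed by anything except a '/'
            return re.fullmatch(re.escape(self.path) + r"[^/]*", real_path) is not None
        # 'D': argument.* - the rule path followed by anything, slashes included
        return real_path.startswith(self.path)


def parse_whitelist(text: str) -> List[Rule]:
    """Parse white-list text: 1st char API, 2nd char match mode, 3rd char ':', then path."""
    rules: List[Rule] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # assumption: blank lines carry no rule
        if (len(line) < 4 or line[0] not in API_CODES
                or line[1] not in MATCH_CODES or line[2] != ":"):
            raise ValueError(f"white list line {lineno}: bad rule {line!r}")
        rules.append(Rule(line[0], line[1], line[3:]))
    return rules


def is_allowed(rules: Iterable[Rule], api: str, real_path: str) -> bool:
    """A call is allowed when any rule in the white list matches it."""
    return any(rule.matches(api, real_path) for rule in rules)


def first_violation(rules: List[Rule],
                    trace: Iterable[Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    """Replay a trace and return the first call the white list does not cover,
    i.e. the point at which umal would send SIGKILL; None if every call is listed."""
    for api, real_path in trace:
        if not is_allowed(rules, api, real_path):
            return (api, real_path)
    return None


def rule_for_call(api: str, real_path: str, mode: str = "f") -> str:
    """Render one traced call as a white-list line (the exact-path form step 2 yields)."""
    if api not in API_CODES or mode not in MATCH_CODES:
        raise ValueError("unknown API or match code")
    return f"{api}{mode}:{real_path}"


if __name__ == "__main__":
    rules = parse_whitelist(SAMPLE_WHITELIST)
    print("first call that would be killed:", first_violation(rules, SAMPLE_TRACE))
```

Running the file replays the constructed trace and reports the fourth call, the write into a subdirectory, because the 'd' rule stops at the next '/' while a 'D' rule would not; tightening a white list is therefore a matter of choosing the narrowest match mode that still covers the files the program legitimately creates.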

How does it work?

UMAL is very similar to truss(1). truss(1) dumps the API usage log; UMAL checks the API usage and kills the target process if the API call is not listed in the white list. Of course UMAL also checks processes forked by the target process, so the check is recursive. But UMAL just runs with normal user permissions, so you cannot check SETUIDed programs.


daemon a_t_  Please include "About UMAL:" in your e-mail subject.