As the subject says: is there a reliable and efficient way to detect that a dtrace script is currently running (not by checking whether /usr/sbin/dtrace is running, as that's not reliable because the exec name can be renamed)?
I have an ssh automation tool which is developed for protecting the pass phrase; however, dtrace is able to find the secret pass phrase.
Thanks in advance for answers.
DTrace doesn't necessarily work by scoping the process itself. It has providers which operate outside the context of the process entirely. That includes visibility to process data that the process itself doesn't see directly.
I suppose you could imagine encrypting important data before DTrace ever sees it, but that's simply not possible. You could make it harder, maybe, for a novice DTrace user (with root privilege) to see what the process is doing, but that's about it. With DTrace and root privilege there's not much your process could do that I can't see.
That's why I want to know if there is a way to detect whether there is currently any dtrace script running: if that can be done, my application can quit before decrypting the secret pass phrase/password.
I know it's not 100% secure in theory, but in practice that's the best protection we can achieve without any specific devices.
And without that kind of protection, all users' remote passwords can very easily be stolen by root using dtrace, as long as these users log in to other systems through this machine. In my mind, that's a very serious security problem.
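One way to attempt the check asked for above (look for processes that hold the DTrace control device open, rather than matching the exec name, which the poster notes can be renamed), written here as an added example and not code from any participant in the thread. It assumes the Solaris/illumos /proc layout, where /proc/<pid>/path/<fd> is a symlink to the open file, and that DTrace consumers open /dev/dtrace/dtrace; both are assumptions to verify on your release with pfiles(1). The /proc tree it scans in the demo is constructed inline so the script runs on any machine:

```shell
#!/bin/sh
# Added example, not from the thread. Detect DTrace consumers by finding
# processes with the DTrace control device open.
# ASSUMPTIONS (verify with "pfiles $(pgrep dtrace)" on a real Solaris box):
#   - /proc/<pid>/path/<fd> is a symlink to the file open on that descriptor
#   - libdtrace consumers keep /dev/dtrace/dtrace open while probes are enabled
DTRACE_DEV="${DTRACE_DEV:-/dev/dtrace/dtrace}"

# find_dtrace_consumers [PROC_ROOT]
# Prints the pid of every process under PROC_ROOT that has DTRACE_DEV open.
# Exit status 0 if at least one was found, 1 otherwise.
find_dtrace_consumers() {
    proc_root="${1:-/proc}"
    found=1
    for pathdir in "$proc_root"/[0-9]*/path; do
        [ -d "$pathdir" ] || continue
        pid="${pathdir#"$proc_root"/}"
        pid="${pid%/path}"
        for fd in "$pathdir"/[0-9]*; do
            [ -L "$fd" ] || continue
            # ls -l rather than readlink: readlink is not on every Solaris release
            target=$(ls -l "$fd" 2>/dev/null | sed 's/.* -> //')
            if [ "$target" = "$DTRACE_DEV" ]; then
                echo "$pid"
                found=0
                break
            fi
        done
    done
    return "$found"
}

# What the poster wants the tool to do just before decrypting: refuse if a
# consumer is present.  Status 1 means "do not decrypt".
abort_if_dtrace_running() {
    if pids=$(find_dtrace_consumers "${1:-/proc}"); then
        echo "DTrace consumer(s) running (pid $pids); not decrypting the passphrase" >&2
        return 1
    fi
    return 0
}

# Constructed sample /proc tree (not a real system): pid 100 has fd 3 on the
# DTrace device, pid 200 only has an ordinary file open.
build_fake_proc() {
    mkdir -p "$1/100/path" "$1/200/path"
    ln -s /dev/null "$1/100/path/0"
    ln -s "$DTRACE_DEV" "$1/100/path/3"
    ln -s /etc/passwd "$1/200/path/4"
}

# Scan the constructed tree; prints "100" and returns 0.
demo() {
    demo_root=$(mktemp -d) || return 2
    build_fake_proc "$demo_root"
    find_dtrace_consumers "$demo_root"
    demo_rc=$?
    rm -rf "$demo_root"
    return "$demo_rc"
}

# Scan the live system when run directly with DTRACE_CHECK_SCAN=1.
if [ "${DTRACE_CHECK_SCAN:-0}" = "1" ]; then
    abort_if_dtrace_running /proc
fi
```

Two caveats a practitioner should keep in mind. The check is racy: a consumer started after the scan but before the decrypted pass phrase is used is not seen, and a DTrace script only needs to be enabled at the moment the secret crosses a probe. More importantly, it only catches consumers that use the device node this script looks for; someone with root privilege can observe the process by other means, which is the point the replies in this thread make.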
If you're trying to protect yourself from root, your application security model is very, very wrong.
As root, you don't need to play games with dtrace. Just replace the application itself with a trojan.
Or just plain replace the user's shell with something that logs all I/O.
I know root can replace the ssh command and even libs, but my application has a built-in certification mechanism to make sure the ssh command it calls is the original, and I also developed WZFileGuard to detect these kinds of threats, and can put all the programs/libs/registry files onto a CD and run from there.
I have been developing security software for UNIX for many years.
In a data center environment, any critical server's root account will be accessed by multiple system administrators at one time or another. You should have some security software in place so that good system admins can be protected.
With dtrace, a bad system admin can just run a script and leave it running. Then anyone on the server who tries to telnet/ssh/sftp to other machines will have their password/pass phrase stolen. That's a big security threat.
We can't assume all users who have access to root account can be fully trusted.
And as I said before, WZFileGuard is software for detecting changes made to the system, so it can detect trojans. But it seems there is no way to detect whether someone with root access is doing something bad using dtrace.