Black Hat: Dtrace a Rootkit?

WASHINGTON, D.C. Sun’s Dtrace application was developed primarily as a tool to help monitor functions on Solaris. According to a pair of security researchers at the Black Hat conference, you can also use Dtrace as the basis for a rootkit-like tool for offensive and defensive security operations.

At the conference, security researcher Tiller Beauchamp noted that Sun created Dtrace in 2003 and released it as part of Solaris 10 in 2005 under the CDDL open source license. Later, Apple incorporated it into Mac OS X Leopard.

At its core, Dtrace is a framework for real-time performance observability and debugging. Beauchamp explained that the way it works is that you set probes at the places you're interested in and define the action you want to take there, which is usually some kind of measurement or recording.
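To make the probe-and-action model concrete, here is a small D script of the kind a defender would run to audit process activity. It is an added example, not code from the talk or from the RE:Trace toolkit, and it assumes the Solaris 10 / Mac OS X Leopard DTrace of the period, where the `syscall::open:entry` probe's `arg0` is the user-space path argument and the `proc` provider exposes `exec-success`.

```d
#!/usr/sbin/dtrace -s
#pragma D option quiet

/*
 * Probe: entry into the open(2) system call from any process except
 * dtrace itself ($pid is the pid of this dtrace instance).
 * Action: log which program opened which path and count it.
 * copyinstr() copies the path string out of the traced process.
 */
syscall::open:entry
/pid != $pid/
{
    printf("%-16s pid=%d open(\"%s\")\n", execname, pid, copyinstr(arg0));
    @opens[execname] = count();
}

/*
 * Probe: a process has successfully replaced its image via exec.
 * Action: log the new program name and tally it. A sudden burst of
 * exec activity from an unexpected parent is a useful thing to notice.
 */
proc:::exec-success
{
    printf("%-16s pid=%d exec-success\n", execname, pid);
    @execs[execname] = count();
}

/* The END probe fires when dtrace exits (Ctrl-C); print the summaries. */
END
{
    printf("\nopen(2) calls per program:\n");
    printa("  %-16s %@d\n", @opens);
    printf("\nexec-success per program:\n");
    printa("  %-16s %@d\n", @execs);
}
```

Save it as, for instance, `openwatch.d` and run it as root with `dtrace -s openwatch.d`; the traced programs keep running normally while the probes fire, which is the "no breakpoints" property the researchers describe. The script uses only the default, non-destructive action set; nothing here requires the `-w` (destructive) flag.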

Beauchamp said Dtrace combines system performance statistics, debugging information and execution analysis in one tight package.

“It’s a real Swiss Army knife for reverse engineers,” he added.

Security researcher David Weston noted that Dtrace is an all-seeing eye into a system and its applications, with few things that are off-limits. Weston and Beauchamp noted that they could use Dtrace as a basis not just for reverse engineering but also for exploit purposes.

“It’s like a friendly programming rootkit that lets you see everything,” Weston said.

Weston commented that Dtrace is not a debugger, since Dtrace allows applications to continue normally, showing a user what's going on without breakpoints.

On its own, Weston explained, Dtrace does not allow a user to perform destructive action. Dtrace can be combined with other tools, however, to become destructive.

According to Weston, using Dtrace in a few lines of script is significantly more complex for the security researcher than writing a script with a common rootkit.

Weston also detailed how a user could manipulate Dtrace to perform what he referred to as “snooping,” which is essentially what a keystroke logger does.

As part of their effort to make effective security use of Dtrace, Beauchamp and Weston have developed a toolkit called RE:Trace. The RE:Trace toolkit includes a Ruby wrapper for Dtrace, which can be used to overcome some of the issues with Dtrace that prevent destructive actions.

As well, since RE:Trace is Ruby-based, it can be used as part of other Ruby security frameworks, including the popular open source Metasploit exploit framework.

Weston commented that RE:Trace has helped him to develop exploits more quickly. Beauchamp actually showed one such exploit on
