email@example.com (Bear Giles):
> A related concept that I debated implementing, someday, is writing a
> device driver that makes a Linux box look like a SCSI disk.
> There are two non-trivial uses for this device:
> 1) it greatly simplifies some types of embedded system development.
> The embedded system is designed to use a SCSI disk, but during
> development the internal disk is replaced with an external host,
> typically a developer's workstation. This totally eliminates
> hassles downloading new files, uploading log files, etc.
It's a lot of extra work... I think that could be done with a dual attached
SCSI - when updates are to be made the disk is synced/unmounted from the
test system, mounted/fscked and mounted by the development, update made
dismounted, test system booted. Most of this could be automated via scripts.
> 2) the same approach can be used for stealth monitoring of extremely
> sensitive systems. An attacker would only see a SCSI hard disk -
> there is absolutely no way to know that this "disk" is actually
> physically located and controlled by another system. The standard
> driver would allow the monitoring system to continually cross-check
> active and reference files. A somewhat more adventurous driver
> could implement a type of data logging - the attacker may think
> he's deleting files, but the monitoring system will retain a complete
This sounds possible, but there might be a tremendous amount of overhead.
The monitoring system would have to know about the file system (obvious),
but it would be duplicating the activity of the real host:
1. blocks would have to be allocated in the same way; this calls for
   a. a search of existing allocation tables to determine if it
      is a new allocation, or an update of an already allocated block.
   b. if new, then the original block is replaced on disk with the
   c. if updated, then the original block saved someplace, and the
      new data stored.
2. To maintain an audit (and recoverable...) the modifications would
   have to be saved in a journal.
This almost sounds like a WORM drive emulating a standard magnetic disk....
(perhaps "emulating a WORM on a magnetic disk, emulating a magnetic disk"...:)
Might be possible - the old data could be compressed when it is updated to
reduce the amount of storage needed for the journal.
Jesse I Pollard, II
Any opinions expressed are solely my own.
This archive was generated by hypermail 2b29 : Wed Jun 07 2000 - 21:00:15 EST
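The journaling scheme discussed in the reply above, as an added sketch that is not part of the original thread: every block write first saves the old contents, compressed, to a journal, so the monitoring side can rebuild any earlier disk state. The class and method names are hypothetical, the 512-byte block size is an assumption, and "allocated" here means only "written before", since the sketch works below the file system and does not parse allocation tables.

```python
import zlib

BLOCK_SIZE = 512  # assumed sector size for this sketch


class JournaledDisk:
    """Block store that keeps every overwritten block (hypothetical names)."""

    def __init__(self, num_blocks):
        self.blocks = [bytes(BLOCK_SIZE)] * num_blocks
        self.allocated = set()  # blocks the host has written at least once
        self.journal = []       # (seq, block_no, was_allocated, compressed old data)

    def write(self, block_no, data):
        if len(data) != BLOCK_SIZE:
            raise ValueError("writes must be exactly one block")
        was_allocated = block_no in self.allocated
        # Save the pre-image before overwriting; compression shrinks the journal.
        old = zlib.compress(self.blocks[block_no])
        self.journal.append((len(self.journal), block_no, was_allocated, old))
        self.blocks[block_no] = data
        self.allocated.add(block_no)
        return len(self.journal)  # number of writes recorded so far

    def read(self, block_no):
        return self.blocks[block_no]

    def view_at(self, seq):
        """Rebuild the disk image as it was after the first `seq` writes."""
        image = list(self.blocks)
        for _, block_no, _, old in reversed(self.journal[seq:]):
            image[block_no] = zlib.decompress(old)
        return image

    def history(self, block_no):
        """Every earlier content of one block, oldest first."""
        return [zlib.decompress(o) for _, b, _, o in self.journal if b == block_no]


def demo():
    disk = JournaledDisk(num_blocks=8)
    log = b"login from 10.0.0.5".ljust(BLOCK_SIZE, b"\0")  # constructed sample data
    disk.write(3, log)                      # new allocation
    seq = disk.write(4, b"x" * BLOCK_SIZE)  # unrelated write; remember this point
    disk.write(3, bytes(BLOCK_SIZE))        # host "deletes" the log by zeroing it
    return disk, seq, log
```

After `demo()`, the host reads zeros from block 3, while `view_at(seq)` and `history(3)` on the monitoring side still return the original log block.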