Re: security patch

From: Zan Lynx
Date: Thu Sep 22 2005 - 15:32:42 EST

On Thu, 2005-09-22 at 16:03 -0400, Valdis.Kletnieks@xxxxxx wrote:
> On Thu, 22 Sep 2005 19:44:33 -0000, breno@xxxxxxxxxxxxxxxx said:
> > I'm doing a new feature for linux kernel 2.6 to protect against all kinds of buffer
> > overflow. It works with new sys_control() system call controling if a process can or can't
> > call a system call ie. sys_execve();
> This has been done before. ;)
> Also, note *VERY* carefully that this does *NOT* protect against buffer overflow
> the way ExecShield and PAX and similar do - this merely tries to mitigate the
> damage.
> Note that you probably don't *DARE* remove open()/read()/write()/close() from
> the "permitted syscall" list - and an attacker can have plenty of fun just with
> those 4 syscalls.
> (That's also why SELinux was designed to give better granularity to syscalls - it
> can restrict a program to "write only to files it *should* be able to write").

An interesting thing that I don't think has been done before is to
create a map linking stack call chains to syscalls. If the call stack
doesn't match then it isn't a valid call.

Although that might already be part of execution fingerprinting, now
that I think about it...
Zan Lynx <zlynx@xxxxxxx>

Attachment: signature.asc
Description: This is a digitally signed message part