On Wed, 7 May 2003, petter wahlman wrote:
> On Wed, 2003-05-07 at 18:00, Richard B. Johnson wrote:
> > On Wed, 7 May 2003, petter wahlman wrote:
> > >
> > > It seems like nobody belives that there are any technically valid
> > > reasons for hooking system calls, but how should e.g anti virus
> > > on-access scanners intercept syscalls?
> > > Preloading libraries, ptracing init, patching g/libc, etc. are
> > ^^^^^^^^^^^^^^^^^^^
> > |________ Is the way to go. That's how
> > you communicate every system-call to a user-mode daemon that
> > does whatever you want it to do, including phoning the National
> > Security Administrator if that's the policy.
> > > obviously not the way to go.
> > >
> > Oviously wrong.
> And how would you force the virus to preload this library?
The same way you would force a virus to not be statically linked.
You make sure that only programs that interface with the kernel
thorugh your hooks can run on that particular system.
Penguin : Linux version 2.4.20 on an i686 machine (797.90 BogoMips).
Why is the government concerned about the lunatic fringe? Think about it.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to firstname.lastname@example.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Wed May 07 2003 - 22:00:32 EST