Re: RFC - Kernel Process Firewall

From: David Wagner
Date: Tue Dec 30 2003 - 18:56:36 EST

Next message: Jeff Garzik: "Re: [PATCH] adaptec 1210sa"
Previous message: Justin T. Gibbs: "Re: [PATCH] adaptec 1210sa"
In reply to: raj: "RFC - Kernel Process Firewall"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

raj wrote:
>I have been working on a project called "Kernel Process Firewall (KPF)"
>that is nearing completion. The goal of the project is to provide users
>the ability to trace, monitor and control the system calls made by any
>process.

Some comments:

1) There's a great deal of related and prior work in this area.
Take a look, for instance, at Janus, consh, MapBox, SubDomain, Ostia, ...
http://www.cs.berkeley.edu/~daw/janus/
2) There are some real problems with using system call interception
for this purpose. There are TOCTTOU races, synchronization issues, ...
http://www.stanford.edu/~talg/papers/pubs.html
3) Have you looked at the LSM (Linux Security Modules) project?
It looks to me like this is what you want to be using, and it avoids
the problems with system call interposition.
http://lsm.immunix.org/
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jeff Garzik: "Re: [PATCH] adaptec 1210sa"
Previous message: Justin T. Gibbs: "Re: [PATCH] adaptec 1210sa"
In reply to: raj: "RFC - Kernel Process Firewall"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]