Need help for sysmask

From: XIAO Gang
Date: Fri Jun 03 2005 - 01:34:00 EST

Next message: Nick Piggin: "Re: Avoiding external fragmentation with a placement policy Version12"
Previous message: Christian Hesse: "Re: [PATCH] Dynamic tick for x86 version 050602-2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Could somebody please help me with comments / checks / tests on my kernel security patch "sysmask"? See http://wims.unice.fr/sysmask/doc/ for documentation and download.

This is a security project designed to allow set up systems that tolerate (controlled) executions of arbitrary malicious codes without being hurt. In practice, this means that the majority of current security updates due to vulnerabilities in software, library or even parts of the kernel will become unnecessary.

The code is now much stabilized after several weeks of intensive test on a busy server (http://wims.unice.fr/), including a demo challenge page (http://wims.unice.fr/wims/wims.cgi?module=adm/unice/challenge) that has been bombarded with all sorts of tricks. The server runs on a patched 2.4.29, SMP-enabled but there is only one cpu in the hardware.

Sysmask is rather ready for a 1.00 release. But before doing so, it would be great if the following problem could be solved with your help.

1. I hope that somebody can give it a test on other hw/sw configurations with result feedback, especially for the 2.6 kernel versions and hopefully on a true SMP with a good load level.

It would be best if some tests could be done with full activation of the protection. For this some manual editing of the default sysmask configuration files would be necessary. But this should be quite straightforward, and the footprint of sysmask on an existing system is strictly minimal, with only one file (/etc/inittab) that needs to be modified in order to fully activate it.

2. Although I am not planning to submit the patch to the official kernel immediately, it would like to be able to make it more conform to the kernel standards and conventions. Among others, I need your help to solve some known problemes, the biggest being squatting an existing syscall number (sys_mpx). Of course this is just a temporary solution, due to the fact that I don't know how to get a permanent one.

3. Another example is that the current patch adds a few hundred bytes (200-300) to the size of task_struct. Is this potentially a problem, should it be moved to a page allocation?

Please give me a cc if you reply to this message; I am not constantly following the list.

--

XIAO Gang (~{P$8U~}) xiao@xxxxxxxx
home page: pcmath126.unice.fr/xiao.html

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Nick Piggin: "Re: Avoiding external fragmentation with a placement policy Version12"
Previous message: Christian Hesse: "Re: [PATCH] Dynamic tick for x86 version 050602-2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]