From kragen@dnaco.net Fri Sep 25 09:46:12 1998
Date: Fri, 25 Sep 1998 09:46:11 -0400 (EDT)
From: Kragen
X-Sender: kragen@pike
To: Matthew Kirkwood
cc: Pavel Kankovsky, security audit list
Subject: Re: A DOS attack against Linux
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Fri, 25 Sep 1998, Matthew Kirkwood wrote:
> On a not-quite-related note -- did anything come of the syscall
> auditing/logging projects?

ISAAC.cs.berkeley.edu did Janus, which required some small kernel support,
but did configurable syscall refusal. I don't know what's going on with it
these days.

Janus has the minor problem that it's fail-open -- if the Janus process
crashes, the supposedly imprisoned process is freed. Given that most of
Janus's input comes from the (presumably hostile) imprisoned process, it's
quite likely that any crashing bug would be exploitable. Ideal would be to
kill the imprisoned process when Janus dies.

Janus originally worked on Solaris, btw, but the author ported it to Linux.
I pointed out that you could play some really dirty tricks having to do with
signal handling and dynamically writing code into the hostile process's
address space to avoid the need to modify the kernel. I think the small
kernel patch would be a better idea.

I don't know what the current state of this is.

I understand that several mainframe security products work the same way, and
some similar proprietary tools have been created for some proprietary Unices.
This could potentially be a major selling point for Linux, btw.
"Mainframe-class security systems built in." Janus was built with the more
modest goal of restraining Web-browser helper applications.

Kragen
-- 
Kragen Sitaker
The sages do not believe that making no mistakes is a blessing. They believe,
rather, that the great virtue of man lies in his ability to correct his
mistakes and continually make a new man of himself.
-- Wang Yang-Ming
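The fail-open problem described in the message above (a supervisor that dies and thereby frees its prisoner) can be contrasted with a fail-closed supervisor in a small added example; this is not Janus code and not from the mail. It assumes current Linux, where prctl(2) offers PR_SET_PDEATHSIG (the kernel signals a child when the thread that forked it dies) and PR_SET_CHILD_SUBREAPER (so the demo can reap the orphaned prisoner); the prisoner is just `sleep 60`.

```python
import ctypes, os, signal, time

# Linux-only prctl(2) options from <linux/prctl.h> (assumed values; not from the mail).
PR_SET_PDEATHSIG, PR_SET_CHILD_SUBREAPER = 1, 36
_libc = ctypes.CDLL(None, use_errno=True)
_libc.prctl.argtypes = [ctypes.c_int] + [ctypes.c_ulong] * 4

def _prctl(option, arg2):
    if _libc.prctl(option, arg2, 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), os.strerror(ctypes.get_errno()))

def spawn_prisoner(argv, fail_closed):
    """Fork+exec argv; with fail_closed the kernel SIGKILLs it when the caller dies."""
    supervisor = os.getpid()
    pid = os.fork()
    if pid == 0:
        try:
            if fail_closed:
                _prctl(PR_SET_PDEATHSIG, signal.SIGKILL)
                if os.getppid() != supervisor:  # supervisor died before prctl ran
                    os._exit(1)
            os.execvp(argv[0], argv)
        finally:
            os._exit(1)
    return pid

def prisoner_survives_crash(fail_closed):
    """SIGKILL a supervisor and report whether its prisoner outlived it."""
    _prctl(PR_SET_CHILD_SUBREAPER, 1)  # orphaned prisoners get reparented to us
    r, w = os.pipe()
    sup = os.fork()
    if sup == 0:  # the supervisor: start one prisoner, then wait to be "crashed"
        try:
            os.write(w, str(spawn_prisoner(["sleep", "60"], fail_closed)).encode())
            time.sleep(60)
        finally:
            os._exit(0)
    os.close(w)
    child = int(os.read(r, 32))
    os.close(r)
    os.kill(sup, signal.SIGKILL)  # the supervisor crashes
    os.waitpid(sup, 0)            # from here on the prisoner is our child
    deadline = time.monotonic() + 2.0
    while time.monotonic() < deadline:
        if os.waitpid(child, os.WNOHANG) != (0, 0):
            return False          # reaped: the prisoner died with its supervisor
        time.sleep(0.05)
    os.kill(child, signal.SIGKILL)  # fail-open: we have to clean up the escapee
    os.waitpid(child, 0)
    return True
```

With `fail_closed=False` the prisoner outlives the crashed supervisor (the Janus behaviour the mail complains about); with `fail_closed=True` it is gone before the supervisor has even been reaped. The getppid() check in the child closes the window where the supervisor dies between fork() and prctl(), which PR_SET_PDEATHSIG alone does not cover.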