Re: Need help. Proof of concept 100% security.
From: Crispin Cowan <crispin () immunix com>
Date: Fri, 15 Aug 2003 12:56:10 -0700
Balwinder Singh wrote:
This sounds somewhat similar to our SubDomain
<http://immunix.org/subdomain.html> product, which profiles applications
in terms of what files they may access. It sounds very similar to the
approach taken by Systrace
<http://newsroom.cisco.com/dlls/corp_012403.html> and Entercept
<http://www.entercept.com/>, which like EFC, profile applications in
terms of which system calls they may invoke.
> I have developed an application, which I believe can provide 100%
> security against various attacks. I can hear people laughing. Hmm..
> The application is called Execution Flow Control (EFC).
> Details of software can be found at http://220.127.116.11/efc
At least Systrace also allows you to profile the arguments presented to
syscalls, so you can fake SubDomain's file access control paradigm. This
is important, because "touch /etc/pointless" is rather different from
"touch /etc/hosts.allow". It is unclear from the EFC documents if EFC
supports argument profiling.
The advantages of syscall access control:
* more expressive: if you know that application Foo has no business
calling e.g. mkdir, then you can catch exploits that try to
leverage that kind of thing.
The advantages of SubDomain:
* It is easier to generate a file access profile for an application
than a syscall profile. Instead, SubDomain just has a long list of
prohibited/dangerous syscalls for confined applications, letting
the admin think about important stuff (which files to grant access
to) and ignore less important stuff (who cares if *this* app calls
* Syscall mediation is prone to race conditions inside the kernel if
it is implemented using syscall interposition.
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
Chief Scientist, Immunix http://immunix.com
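Added example, not code from this thread, SubDomain, Systrace or EFC: a toy policy check in Python that runs a constructed syscall trace through a syscall-name-only profile and through an argument-aware (file path) profile, to show why the "touch /etc/pointless" versus "touch /etc/hosts.allow" distinction discussed above needs argument profiling. The trace, profiles and glob syntax are assumptions for illustration.

```python
import fnmatch

# Constructed sample trace of a confined application: (syscall, path argument).
# Both /etc opens look identical to a profile that only sees the syscall name.
TRACE = [
    ("open", "/var/www/index.html"),
    ("open", "/etc/pointless"),
    ("open", "/etc/hosts.allow"),
    ("mkdir", "/tmp/newdir"),
]

# Syscall-only profile (assumed format): the set of syscalls the app may invoke.
SYSCALL_ONLY = {"open", "read", "write", "close"}

# Argument-aware profile (assumed format): syscall -> path globs it may touch.
# Anything not listed (here: mkdir) is denied outright.
ARG_AWARE = {
    "open": ["/var/www/*", "/etc/pointless"],
    "read": ["*"],
    "write": ["*"],
    "close": ["*"],
}


def check_syscall_only(trace, allowed):
    """Verdict per trace entry using only the syscall name: (syscall, arg, allowed)."""
    return [(sc, arg, sc in allowed) for sc, arg in trace]


def check_with_args(trace, profile):
    """Verdict per trace entry requiring the path argument to match a permitted glob."""
    verdicts = []
    for sc, arg in trace:
        globs = profile.get(sc)
        ok = globs is not None and any(fnmatch.fnmatchcase(arg, g) for g in globs)
        verdicts.append((sc, arg, ok))
    return verdicts


def denied(verdicts):
    """Return the (syscall, arg) pairs a profile would block."""
    return [(sc, arg) for sc, arg, ok in verdicts if not ok]


if __name__ == "__main__":
    # The syscall-only profile blocks mkdir but lets the /etc/hosts.allow open through.
    print("syscall-only denies:", denied(check_syscall_only(TRACE, SYSCALL_ONLY)))
    print("argument-aware denies:", denied(check_with_args(TRACE, ARG_AWARE)))
```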