Vulnerability Development: Re: Kernel module for file protection ideas

[George Capehart <gwc () acm org>]

On Thursday 08 January 2004 11:20 am, Bruno Lustosa wrote:
> * Just1n T1mberlake <hotpackets () hellokitty com> [08-01-2004 13:50]:
> > I have been thinking of ideas to stop many file attacks on Unix
> > systems. When you find rootkits or other attack files on many Unix
> > systems they will often try to hide their tracks by using filenames
> > such as '...' and '/tmp/.X11-unix' etc. I wish to write a kernel
> > module (for linux initially) that will prevent such attacks. The
> > kernel module in pseudo code:
> This would help against a few of them, but just until they start
> using some name not in the bad names list.
> For example, suckit uses something in /usr/share/locale. If it's
> tagged as bad, one could just name it something else. Hiding a file
> isn't really hard after all, at least if you are hiding from someone
> not searching for it.
White lists are always better than blacklists.  It's usually *much* 
easier to provide a list of acceptable options/values/whatever than it 
is to provide a list of the unacceptable ones.  The number of elements 
in that set approaches infinity . . . ;-)

/g