Hi!
> > When you see snippet from strace, that says:
> >
> > open("/etc/passwd", O_RDONLY) = 3
> >
> > Do you trust it? You should not.
> [...]
> > Any ideas how to get rid of this problem? It is nasty. It is very
> > nasty and makes strace unusable for anything security-sensitive.
>
> Yes, this is a problem if you're trying to be secure. Anything that allows
> memory contents to change while a process is stopped is trouble. There was a
> thread about mapping a timeofday counter into every process to speed up
> gettimeofday--this would also cause problems.
>
> What to do? You could keep an eye on what is mapped and abort (or warn the
> user) when a syscall is potentially accessing "volatile" memory. In order to
> do this, though, you have to know the memory access patterns of every syscall,
> reputed to be a quagmire for ioctl calls.
We already "know" such access paterns: if strace has to print it, it
has to know it :-).
Unfortunately, any memory mapped file is potentially "volatile". Even
executables and libraries. There are lots of accesses to
executables...
Pavel
-- I'm pavel@ucw.cz. "In my country we have almost anarchy and I don't care." Panos Katsaloulis describing me w.r.t. patents me at discuss@linmodems.org- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sat Jan 01 2000 - 23:11:58 EST