Hooking into Linux using the Linux Trace Toolkit

From: Karim Yaghmour (karymat_private)
Date: Sat Apr 14 2001 - 00:57:45 PDT


    Hello Everyone,
    
    I'd like to point out that there has been a hooking capability
    available for Linux for quite a while within the patch provided
    with the Linux Trace Toolkit (http://www.opersys.com/LTT).
    Amongst other things, there is a standard interface to hooking
    to almost anything major pertaining to security within the
    kernel (system calls, reads, writes, opens, etc.).
    
    Here's an example module that uses the hooking interface:
    
    #define MODULE
    #include <linux/module.h>
    #include <linux/kernel.h>   /* printk */
    #include <linux/trace.h>    /* LTT hooking interface (header name assumed) */
    
    /* Called by the LTT core each time a network event is generated. */
    int my_callback(uint8_t pmEventID, void* pmStruct)
    { printk("Something happened on the network \n");
      return 0;
    }
    
    /* Register the callback for network events when the module loads. */
    int init_module(void)
    { trace_register_callback(&my_callback, TRACE_EV_NETWORK);
      return 0;
    }
    
    /* Remove the callback before the module is unloaded. */
    void cleanup_module(void)
    { trace_unregister_callback(&my_callback, TRACE_EV_NETWORK);
    }
    
    Plus, I've done quite a thorough study of the cost of the
    hooks and these results are part of a paper I presented at
    the Usenix Technical conference last year. To get the complete
    picture of what the hooks incur on the kernel, I'd suggest
    you read the paper:
    ftp://ftp.opersys.com/pub/LTT/Documentation/ltt-usenix.ps.gz
    
    But you'd be interested to know that adding the hooks within
    the kernel yields at most 1% overhead over very heavy load.
    With the case of a kernel compile, for example, the overhead
    is around 0.25%.
    
    Now, any other extra overhead would go to whatever extra
    functionalities are implemented by the functions called
    by the hooks.
    
    That being said, I've since added an event-driven state machine
    engine which can be provided with state machine descriptions
    whose progression is dictated by the events that occur.
    This could easily be used to implement strict security
    policies.
    
    Cheers,
    
    Karim
    
    ===================================================
                     Karim Yaghmour
                   karymat_private
          Embedded and Real-Time Linux Expert
    ===================================================
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    