Greg KH wrote:
>
> LTT is nice, but doesn't really work for a security module to use, as
> there is no way to influence what happens after the hook is called.

I would amend this and put ", currently." instead of the "." at the end of the phrase. Meaning that there is no reason the current hooks' return values could not be used to implement a policy. One could imagine a scheme where the hooked function gets to continue if the hook returns 1 and returns immediately if the hook returns 0.

In any case, you have to admit that any meaningful action has to be taken as part of the hook. Hence, if a process tries to "open" a file and the hook code determines that this is illegal, then it is up to the hook's code to take the proper action and, for instance, kill the process. A scheme where hook return values generate complex behavior is unlikely to be included in the kernel. I think that what is needed is a smart set of hooks (and this already exists) with very simple reactions to return values. Any complex behavior should be part of the hook-reaction code.

> A security module needs to be able to stop the access to a file by a
> process, stop the execution of a syscall, etc. Not just provide system
> accounting (which is what LTT does.)

I'm afraid I'll have to clear up some misconceptions about LTT. Although LTT is used to provide system accounting, it is far broader in reach. As I suggested a year ago in the Usenix article, the hooks and hooking mechanisms provided by the LTT patch can be used for extensive security auditing and intrusion detection. This has since been repeated by others, including Alan Cox, who suggested that LTT could be used to bring C2 security to the kernel precisely because we are hooked on the important paths of the kernel.

>
> Although everyplace LTT hooks is probably a good place for us to also
> hook :)

Exactly what I'm saying. Everything is there to be used.
As it stands now and using the existing hooks, it should be fairly straightforward to implement very advanced security mechanisms. Any additions, such as reactions to return values, would be fairly easy to add.

Cheers,

Karim

===================================================
                 Karim Yaghmour
               karymat_private
      Embedded and Real-Time Linux Expert
===================================================
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
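The two hook styles argued over in the exchange above, modelled in user space as an added example (this is not code from the message, from the LTT patch or from the LSM project): a trace-style hook with no return value, where the caller proceeds regardless and the hook itself has to act on the process, next to a gate-style hook whose 1/0 return value the caller honours. The `struct task`, the "/secret/" path policy, the `EACCES` result and every function name are assumptions made for this illustration only.

```c
/*
 * Added illustration (not code from Karim's mail, LTT or the LSM project):
 * a user-space model of the two hook styles under discussion.
 *
 *  - a trace-style hook has no return value and the caller proceeds no
 *    matter what, so the hook must act on its own (here: mark the task
 *    killed, standing in for sending it SIGKILL);
 *  - a gate-style hook returns 1 to let the call continue and 0 to make it
 *    return immediately, so the caller can refuse the access itself.
 *
 * The struct task, the "/secret/" policy and all function names are
 * hypothetical and exist only for this example.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

struct task {
    int pid;
    int killed;   /* set when a hook decided to terminate the task */
};

/* Trace-style hook: observes the event, cannot report a verdict. */
typedef void (*trace_hook_fn)(struct task *t, const char *path);
/* Gate-style hook: 1 = continue, 0 = abort the hooked call right away. */
typedef int (*gate_hook_fn)(struct task *t, const char *path);

static trace_hook_fn trace_hook;
static gate_hook_fn gate_hook;
static struct task cur;   /* the "current" task of the simulation */

/* Hypothetical policy shared by both hooks: nothing under /secret/ may be opened. */
static int path_is_illegal(const char *path)
{
    return strncmp(path, "/secret/", 8) == 0;
}

/* Trace-style hook body: its only lever is to act on the task itself. */
static void audit_and_kill(struct task *t, const char *path)
{
    if (path_is_illegal(path))
        t->killed = 1;   /* stands in for delivering SIGKILL to t */
}

/* Gate-style hook body: only reports the verdict; the caller enforces it. */
static int deny_illegal(struct task *t, const char *path)
{
    (void)t;
    return path_is_illegal(path) ? 0 : 1;
}

/* Simulated open() with a trace hook: the open itself always succeeds. */
static int do_open_traced(struct task *t, const char *path)
{
    if (trace_hook)
        trace_hook(t, path);
    return 0;   /* nothing here can be influenced by the hook */
}

/* Simulated open() with a gate hook: a 0 verdict stops the access. */
static int do_open_gated(struct task *t, const char *path)
{
    if (gate_hook && !gate_hook(t, path))
        return -EACCES;
    return 0;
}

/* Drivers: reset the task, install the hook, run one open(). */
static int open_traced(const char *path)
{
    cur.pid = 42;
    cur.killed = 0;
    trace_hook = audit_and_kill;
    return do_open_traced(&cur, path);
}

static int open_gated(const char *path)
{
    cur.pid = 42;
    cur.killed = 0;
    gate_hook = deny_illegal;
    return do_open_gated(&cur, path);
}

static int current_killed(void)
{
    return cur.killed;
}

int main(void)
{
    const char *paths[] = { "/tmp/ok", "/secret/key" };
    for (int i = 0; i < 2; i++) {
        int rc = open_traced(paths[i]);
        printf("traced: open(%s) = %d, task killed = %d\n", paths[i], rc, current_killed());
        rc = open_gated(paths[i]);
        printf("gated:  open(%s) = %d, task killed = %d\n", paths[i], rc, current_killed());
    }
    return 0;
}
```

The contrast is the point: with the trace-style hook the illegal open still returns 0 and the only thing that stops the process is the action the hook took on it, whereas with the gate-style hook the caller's reaction to the return value is a single `if`, which is the kind of "very simple reaction to return values" the message argues for, with any richer behaviour left inside the hook body.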
This archive was generated by hypermail 2b30 : Sun Apr 15 2001 - 18:26:05 PDT