Re: Hooking into Linux using the Linux Trace Toolkit

• Previous message: Neil Bortnak: "Re: GACI item list - to give some items for discussion"
• In reply to: Chris Wright: "Re: Hooking into Linux using the Linux Trace Toolkit"
• Next in thread: Crispin Cowan: "Re: Hooking into Linux using the Linux Trace Toolkit"
• Next in thread: Anil B. Somayaji: "Benchmarks (was Re: Hooking into Linux using the LTT)"
• Reply: Crispin Cowan: "Re: Hooking into Linux using the Linux Trace Toolkit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Chris Wright wrote:
> 
> I am intrigued by the possiblity of reusing anything that LTT has done.
> I looked at your patch, and found mixed results.  In some places the
> hooks are expactly where I'd expect them.  In other spots, (like open,
> or socket) the hooks are too late.  They are effectively recording that
> these events just happened...this is the wrong spot for a security
> module hook, IMHO.  Also, the hooks appear often right in the function
> implementing a syscall.  I think compeilling arguments can be made for
> moving the hooks deeper into the code path (e.g. deeper into the VFS
> layer).  Generically the argument would be...the code path will discover
> things that we need to know to make a security decision.  If the hook is
> too soon, we have to reimplement this in the module...making it slow.
> While it is tempting to place the hooks as soon as possible, I think it
> may make more sense to place them as late as possbile when the kernel
> will have collected the most information about the action underway.
> It seems to me this will make the module interface richest.
> Examples:
> - On open we may care about the absolute path which isn't known at
> first.  It is the namei code that tries to sort out the ../.. stuff and
> get a dentry.
> - On a tcp/ip socket send...it is late (in the ip layer) that you actually
> get the outgoing device which seems like useful security info.

Interesting analysis. I agree with your appreciation of the positionning
of the hooks. Some retrieve interesting information regarding the occurrence
of an event, but are too far from the critical decision making to be useable
for a security module hook. This is an argument for what I suggested
previously, a broad range of pre-defined hooks that could be selected
at compile-time. I suspect that there could be different degrees of
hooking. Hence, a basic security module may need a very little number
of hooks, whereas an extended security module may necessitate deeper
hooks. This too could be made configurable.

> I do like how you've abstracted the interface.  (especially since it has
> a similar object view to my view ;-).  I'm still trying to figure out
> how we can borrow some of your work, I think it is good stuff.

Glad you're interested. Let me know if I can be of any help.

P.S.: Note that it is currently possible to dynamically create events
with LTT. This has interesting uses in module debugging, but could
also be quite effectively used for hook-placement testing.

Cheers,

Karim

===================================================
                 Karim Yaghmour
               karymat_private
      Embedded and Real-Time Linux Expert
===================================================

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Anil B. Somayaji: "LTT micro-benchmarks"
• Previous message: Neil Bortnak: "Re: GACI item list - to give some items for discussion"
• In reply to: Chris Wright: "Re: Hooking into Linux using the Linux Trace Toolkit"
• Next in thread: Crispin Cowan: "Re: Hooking into Linux using the Linux Trace Toolkit"
• Next in thread: Anil B. Somayaji: "Benchmarks (was Re: Hooking into Linux using the LTT)"
• Reply: Crispin Cowan: "Re: Hooking into Linux using the Linux Trace Toolkit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Apr 16 2001 - 23:06:08 PDT