David Wagner wrote:
> Casey Schaufler wrote:
> >A good audit
> >analysis tool is going to be able to answer queries based on fd,
> >such as "where did this Trojan Horse get stdin from?".
>
> But this is not responsive to the question. This may be a good reason
> to record what fd 0 is connected to when the app was started, but it's
> not clear to me why this is a good reason to audit the fd on every call
> to read().
>
> (I'll note, though, that this is the closest I've heard to a reason that
> came close to persuading me: I could imagine that there might be some
> persuasive argument based on the fact that fds 0, 1, and 2 are special.
> After some thought, I couldn't think of any such scenario, though, so
> I must admit that I am still unconvinced. Please let me know if I am
> missing something.)

I'm a bit vague on the issue, but there was a spate of vulnerabilities (IIRC last year) involving the hijacking of fd's 0, 1, and 2. The attack scenario seemed to involve something to do with child processes inheriting stdin/out/error from the parent, those file descriptors pointing to something funny, and the child failing to properly close and re-open these special descriptors.

This lame description of mine is not sufficient to determine whether auditing the fd's passed to open or read would help. I can't remember enough keywords to do an effective web search to find the real details, but hopefully I've triggered someone's memory.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 19:50:25 PDT
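The scenario Crispin describes (a child inheriting descriptors 0, 1 and 2 that are closed or point somewhere unexpected, and then failing to close and re-open them) is normally handled on the defending side with a small startup check: before the program opens anything else, it verifies that each of the three standard descriptors is open and binds any closed one to /dev/null, so that the next open() cannot return 0, 1 or 2 and a later write to "stderr" cannot land in a freshly opened file. The code below is an added example written for this page, not code from the thread, from WireX or from the LSM project; the function names `sanitize_std_fds`, `fd_is_open` and `demo_closed_stderr` are my own, and it assumes an ordinary POSIX system where `/dev/null` exists and open() returns the lowest free descriptor.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Ensure descriptors 0, 1 and 2 are open. Any that is closed is
 * re-pointed at /dev/null (read-only for stdin, write-only for the
 * others). Returns the number of descriptors patched, or -1 on error. */
int sanitize_std_fds(void)
{
    int patched = 0;
    for (int fd = 0; fd <= 2; fd++) {
        struct stat st;
        if (fstat(fd, &st) == 0)
            continue;               /* already open: leave it alone */
        if (errno != EBADF)
            return -1;              /* unexpected failure: treat as fatal */
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd < 0)
            return -1;
        /* open() hands back the lowest free descriptor, so nfd is normally
         * equal to fd. Fall back to dup2() in case it is not. */
        if (nfd != fd) {
            if (dup2(nfd, fd) < 0) { close(nfd); return -1; }
            close(nfd);
        }
        patched++;
    }
    return patched;
}

/* Small helper: 1 if fd refers to an open file, 0 otherwise. */
int fd_is_open(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0;
}

/* Demonstration: deliberately close fd 2 (after saving a copy), run the
 * check, and confirm that fd 2 is open again and refers to a character
 * device (as /dev/null is). stderr is restored afterwards.
 * Returns the number of descriptors the check had to patch (expected 1),
 * or -1 if anything went wrong. */
int demo_closed_stderr(void)
{
    if (sanitize_std_fds() < 0)     /* start from a known-good state */
        return -1;
    int saved = dup(2);
    if (saved < 0)
        return -1;
    close(2);
    int patched = sanitize_std_fds();
    struct stat st;
    int ok = (patched == 1) && fd_is_open(2) &&
             fstat(2, &st) == 0 && S_ISCHR(st.st_mode);
    dup2(saved, 2);                 /* put the real stderr back */
    close(saved);
    return ok ? patched : -1;
}

int main(void)
{
    int r = demo_closed_stderr();
    printf("descriptors patched after closing fd 2: %d\n", r);
    return r == 1 ? 0 : 1;
}
```

The check runs once, at startup, which is the point David Wagner concedes above: recording what fds 0 to 2 are connected to when the program starts is what catches this class of problem, not auditing every later read().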