jmjonesat_private wrote:

> On Tue, 4 Sep 2001, Crispin Cowan wrote:
>
>> JMJ: you've been hinting at your world-conquering LSM module for a
>> while, but never told us what it is. Do you have an access control
>> reason to want FDs? If so, please share it, and you may get them.
>>
> In a hard technical sense, no. FDs index applications' access and are a
> quick way to organize information about a specific application's access
> over its lifetime. I'd thought I'd said that they were "useful to me",
> not project-altering important. Just got "warmed up" in my rant.
>
Ok. It is my expectation that we will get absolute path names via the
expected Al Viro patch to specify mount points in dentries. I'm not sure
what that implies for requested paths.

> What I'd thought I'd said was that application-specified filenames are
> critical to me. The absolute filename is useful, but doesn't help me
> evaluate access in the way which I am trying to accomplish, which is to
> create signatures that suggest a "pattern of thinking" by the exploit
> coder, and use (what the industry tends to think of as AI but I think of
> more as a probability/typicality filtering system) to identify and contain
> tasks that should be watched, and "score" them, providing clues to the
> admin about both the internal user and externally introduced applications.
>
Thanks for the explanation. I think I see where you are going. I recommend
that you look at some previous work in this field:

  * Stephanie Forrest's seminal paper "Self-Nonself Discrimination in a
    Computer", IEEE Symposium on Security and Privacy 1994
    http://cs.unm.edu/~forrest/publications/virus.pdf

  * More recent work from Forrest & her grad students on using pattern
    recognition in application behavior to detect attacks
    http://www.cs.unm.edu/~forrest/papers.html#CS

  * Cylant Security is a dead company that tried to commercialize this
    idea. The reasons for their failure are complex, and I'm not exactly
    privy to them, but IMHO part of the cause was because they were fairly
    ignorant of Forrest's work. Their web site is down, but google still
    has a cache
    http://www.google.com/search?q=cache:FM7vTPEoEgg:www.cylant.com/+cylant&hl=en

  * Anil Somayaji (one of Forrest's grad students) was at one point on the
    LSM mailing list, and may still be here.

> FDs help because they help build a tree for application groups. Also,
> I'm convinced that it's trivial to maintain an index of FDs vs. original
> filenames in 2.4... but the talk about 2.5 (future) is reassuring to me
> that the difficulty level of acquiring this information may drop,
> somewhat.
>
This is interesting, particularly because Forrest et al specifically claim
that malfeasance can be detected most efficiently by looking at the pattern
of system calls the application makes, INDEPENDENT of the arguments to
those system calls. Roughly speaking, including the arguments injects a
bunch of noise in the base pattern that makes it much more expensive to
"train" the detector what "normal" behavior looks like.

The counter-argument to Forrest's position is that her claim is true only
in the case of attackers that are oblivious to her detection method. It is
plausible that an attacker who wanted to bypass a Forrest-style detector
could creatively craft an attack that issues syscalls in the right pattern
to look like "nobody here but us chickens" :-) but still be doing malicious
things, e.g. if one of those arguments happens to be opening /etc/passwd
for write.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.    http://wirex.com
Security Hardened Linux Distribution:          http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
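The two points Crispin makes at the end of the message (a Forrest-style detector looks only at the sequence of syscall names, and a mimicry attack can preserve that sequence while changing an argument such as the path passed to open()) can be shown side by side with a small sliding-window detector. This is an added example written for this archive page, not code from the post, from Forrest's group, or from the LSM project. The daemon traces, the window length of 3, and the `open(path, mode)` argument profile are all constructed for illustration; Forrest's published work uses longer windows and real strace/audit data.

```python
"""Argument-blind syscall-sequence anomaly detection (Forrest-style)
next to a mimicry trace that it misses and an argument check that
catches it.  Added example; traces below are constructed by hand for a
hypothetical mail-spool daemon, not captured from a real system."""

WINDOW = 3  # sliding-window length; chosen small so the traces stay readable


def normal_session(spool_file):
    """One hand-written 'normal' request: read it, append to the spool file."""
    return [
        ("accept", ()),
        ("read", (4,)),
        ("open", (spool_file, "w")),
        ("write", (5,)),
        ("close", (5,)),
        ("close", (4,)),
    ]


STARTUP = [("socket", ()), ("bind", ()), ("listen", ())]

# Constructed training data: what the daemon does when nobody attacks it.
NORMAL_TRACES = [
    STARTUP
    + normal_session("/var/spool/mail/alice")
    + normal_session("/var/spool/mail/bob"),
    STARTUP + normal_session("/var/spool/mail/carol"),
]


def windows(trace, n=WINDOW):
    """Sliding windows over syscall NAMES only; arguments are dropped here,
    which is exactly the argument-independence the post describes."""
    names = [name for name, _args in trace]
    return [tuple(names[i:i + n]) for i in range(len(names) - n + 1)]


def train_sequences(traces, n=WINDOW):
    """'Self' database: every syscall n-gram observed in normal runs."""
    db = set()
    for trace in traces:
        db.update(windows(trace, n))
    return db


def sequence_mismatches(db, trace, n=WINDOW):
    """Anomaly score: number of windows in `trace` never seen in training."""
    return sum(1 for w in windows(trace, n) if w not in db)


def train_open_targets(traces):
    """Argument profile (the 'noise' Forrest's method deliberately omits):
    the (path, mode) pairs passed to open() during training."""
    return {args for trace in traces for name, args in trace if name == "open"}


def argument_violations(open_profile, trace):
    """open() calls whose (path, mode) was never seen in training."""
    return [args for name, args in trace
            if name == "open" and args not in open_profile]


# Constructed attack traces.
# 1. Classic payload: after reading the request, spawn a shell.
EXEC_ATTACK = STARTUP + [("accept", ()), ("read", (4,)), ("execve", ("/bin/sh",))]

# 2. Mimicry: the same syscall sequence as a normal session, but the spool
#    path has been swapped for /etc/passwd opened for writing.
MIMICRY_ATTACK = STARTUP + normal_session("/etc/passwd")

SEQ_DB = train_sequences(NORMAL_TRACES)
OPEN_PROFILE = train_open_targets(NORMAL_TRACES)


def evaluate(trace):
    """Both verdicts for one trace, so the gap between them is visible."""
    return {
        "sequence_mismatches": sequence_mismatches(SEQ_DB, trace),
        "argument_violations": argument_violations(OPEN_PROFILE, trace),
    }


if __name__ == "__main__":
    for label, trace in [("normal", NORMAL_TRACES[1]),
                         ("execve attack", EXEC_ATTACK),
                         ("mimicry attack", MIMICRY_ATTACK)]:
        print(f"{label:15s} {evaluate(trace)}")
```

Running it shows the execve payload tripping the sequence detector (the window `accept, read, execve` was never seen), while the mimicry trace scores zero mismatches because every window matches the carol session; only the argument profile flags `("/etc/passwd", "w")`. The cost Crispin mentions is also visible in the code: the argument profile has to enumerate every legitimate spool path, which is far more state to learn than the handful of syscall n-grams.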
This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 13:10:43 PDT