Bugtraq mailing list archives

Re: detecting sniffers is downright easy


From: proff () suburbia apana org au (Julian Assange)
Date: Mon, 15 May 1995 13:16:58 +1000 (EST)


> It would be nice to have the kernel MD5 programs just before
> it executes them, and refuse to execute them if that MD5 checksum
> isn't on the 'approved' list.  Put the code in the middle of the
> 'exec()' code, after loading and before running.

That's an interesting idea. However one that I suspect would be very expensive,
given such factors as shared memory, dynamically paged libraries and executables.

One might be better off removing the /dev/kmem write functions from the kernel
and adding an "unmutable" bit (such as supported by 4.4 BSD) to the inode entry,
which can only be set in single user mode and modifying exec() to only allow
execution of unmutable files. You would also need to remove user access to the
/dev block devices which map the file-space in question.

-Proff
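
The exec-time checksum gate from the quoted proposal, sketched in user space as an added example (it is not code from this post or from any kernel). It assumes Linux, swaps MD5 for SHA-256, and the function names are hypothetical:

```python
import hashlib
import os
import stat
import tempfile

def digest_fd(fd, chunk=1 << 16):
    """SHA-256 over the full contents of an already-open descriptor."""
    h = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    while True:
        block = os.read(fd, chunk)
        if not block:
            return h.hexdigest()
        h.update(block)

def open_if_approved(path, approved):
    """Return (fd, reason); fd is None when execution must be refused."""
    fd = os.open(path, os.O_RDONLY)
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        return None, "not a regular file"
    # Hash the descriptor, not the path, so a later rename or symlink
    # swap of the path cannot change which file gets executed.
    if digest_fd(fd) not in approved:
        os.close(fd)
        return None, "digest not approved"
    return fd, "approved"

def gated_exec(path, argv, approved):
    """Replace this process with `path` only if its digest is approved."""
    fd, reason = open_if_approved(path, approved)
    if fd is None:
        raise PermissionError(f"{path}: {reason}")
    os.set_inheritable(fd, True)     # needed when the target is a #! script
    os.execve(fd, argv, os.environ)  # Linux: runs the descriptor just hashed

def demo():
    """Constructed sample: an approved script and a modified copy of it."""
    body = b"#!/bin/sh\necho ok\n"
    approved = {hashlib.sha256(body).hexdigest()}
    results = []
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("good", body), ("bad", body + b"# changed\n")):
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            fd, reason = open_if_approved(path, approved)
            if fd is not None:
                os.close(fd)
            results.append((name, reason))
    return results
```

Every launch reads the whole file, which is the cost the reply objects to. The descriptor pins the inode but not its bytes, so anyone who can still write to the file can change it between the hash and the exec; the immutable bit suggested in the reply closes that gap.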


