Full Disclosure mailing list archives

RE: Application level firewall


From: Adam Lydick <adam.lydick () verizon net>
Date: Sun, 19 Oct 2003 07:56:54 -0700

I don't understand why anyone would bother checking application
checksums for access control. In fact, I'm not sure why anyone would
bother running an "application firewall" at all. Ponder this: as long as
debug privs aren't blocked between processes with the same uid by the
application "firewall" you can just attach to an approved process and
hijack its flow of control (that should be true of both linux and
win32).

I believe it is a bad idea to rely on such tools to protect your system.
They are easy to work around (and this fact is documented, see my
comment above and the list archives). I think a better solution (as a
start) is to use software from authors that you trust. An even better
(more technical) solution is the various forms of sandboxing -- either
userland with managed code or in kernelspace with tools such as
systrace.

Trying to audit natively executing code on the fly sounds like a battle
you are going to lose. Maybe a clever developer could do something like
valgrind and jit x86-x86 and intercept syscalls (this could allow for a
somewhat slow systrace implementation in userland).

(Take with a grain of salt, I haven't tested any software such as ZA and
its brethren lately, so they might be doing some more magic that plugs
those holes -- but it seems likely that they cannot fix all of them
without patching a great deal of the OS)

Just my standard complaints. Cheers.

-- 
Adam Lydick

On Sat, 2003-10-18 at 08:19, Andriy Bilous wrote:
Some personal firewalls on Windows are using checksums for every application
trying to access the network device. Yesterday I've upgraded mIRC and have got a
warning about this. iptables, unfortunately, doesn't provide such
functionality out of the box. Luckily, it has an open API and extends well
over the kernel modules facility. What you speak about has a different name
- "content filtering".

Andriy Bilous 

<trim>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
