Vulnerability Development mailing list archives

Re: Core Dump as an Intrusion Event


From: antirez <antirez () linuxcare com>
Date: Sun, 8 Oct 2000 08:05:14 +0200

A better solution would be a kernel patch that hooks into the SIGSEGV
signal handler and logs all segmentation faults. A predefined list of
programs can be monitored. Maybe it's feasible to log segfaults of all
root processes.

This is an example:

--- /usr/src/linux/kernel/signal.c        Sat Oct  7 23:35:17 2000
+++ /usr/src/linux-2/kernel/signal.c      Sat Oct  7 23:44:25 2000
@@ -282,6 +282,10 @@
                goto out_nolock;
        }

+       if (sig == SIGSEGV)
+               printk(KERN_NOTICE "%s(pid:%d) segmentation fault\n",
+                      current->comm, current->pid);
+
        switch (sig) {
        case SIGKILL: case SIGCONT:
                /* Wake up the process if stopped.  */
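Review bot: the new `if (sig == SIGSEGV)` block keys only on the signal number, so it will also fire for a SIGSEGV sent from userspace with kill(), not just for a real fault from the trap handler, and in that case `current` is the task sending the signal rather than the task that "faulted"; log the target task's comm/pid instead of `current`'s (or additionally require that the signal originates from the kernel's fault path, for example by checking the siginfo passed in) if the intent is to record crashes. The printk is also unthrottled: any unprivileged process can segfault in a tight loop, or send itself SIGSEGV repeatedly, and flood the kernel log, so consider rate limiting the message or limiting it to the uid/program list mentioned in the text.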

If you want to log only some uid just add current->uid checking
in the 'if'.
By hacking a bit on the arch-related code of the i386 it may be
possible to also log the address that caused the problem
and the type of access.

Maybe gigi sullivan and I will release a complete patch soon,
but it seems it can't be done entirely as a module :(
Can some linux-kernel-skilled people confirm this?

antirez

--
Salvatore Sanfilippo, Open Source Developer, Linuxcare Italia spa
+39.049.80 43 411 tel, +39.049.80 43 412 fax
antirez () linuxcare com, http://www.linuxcare.com/
Linuxcare. Support for the revolution.
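The address and access type the post wants to add to the kernel log are already handed to userland when SIGSEGV is delivered: si_addr carries the faulting address, si_code says whether the page was unmapped (SEGV_MAPERR) or mapped with the wrong protection (SEGV_ACCERR), and on x86_64 the page-fault error code saved in the ucontext (REG_ERR, bit 1 set on a write) distinguishes read from write. The following program is an added example, written for this archive page and not code from antirez's post or the proposed patch: it installs a SIGSEGV handler, provokes two faults in its own process (an unmapped low address and a write to a read-only page), and logs them in the same "comm(pid:N) segmentation fault" format as the printk in the hunk. All function and variable names are my own. Unlike the kernel hook it can only observe the faults of the process that installed it, so it is a prototype of the log line, not a replacement for the patch.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE        /* for REG_ERR in <sys/ucontext.h> on x86 glibc */
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

/* Record of the last fault, filled in by the handler and read back after
 * siglongjmp() has unwound out of signal context. */
static sigjmp_buf recover_point;
static volatile uintptr_t last_addr;
static volatile int last_code;      /* SEGV_MAPERR or SEGV_ACCERR */
static volatile int last_write;     /* 1 write, 0 read, -1 unknown on this arch */
static volatile char sink;          /* forces the probing load to happen */

static void segv_handler(int sig, siginfo_t *si, void *ctx)
{
    (void)sig;
    last_addr = (uintptr_t)si->si_addr;   /* faulting address, set by the kernel */
    last_code = si->si_code;
    last_write = -1;
#if defined(__x86_64__) && defined(REG_ERR)
    /* x86 page-fault error code: bit 1 set means the access was a write. */
    last_write = (((ucontext_t *)ctx)->uc_mcontext.gregs[REG_ERR] & 2) ? 1 : 0;
#else
    (void)ctx;
#endif
    siglongjmp(recover_point, 1);
}

/* Userland stand-in for current->comm: the kernel's short process name. */
static void read_comm(char *buf, size_t n)
{
    FILE *f = fopen("/proc/self/comm", "r");
    if (!f || !fgets(buf, (int)n, f))
        strncpy(buf, "?", n);
    if (f)
        fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
}

/* Touch 'addr' (write if is_write, else read) with a SIGSEGV handler installed,
 * log the fault the way the kernel patch would, and return the faulting
 * address reported by the kernel (0 if the access succeeded). */
uintptr_t probe_fault(void *addr, int is_write)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = segv_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0)
        return 0;

    last_addr = 0;
    if (sigsetjmp(recover_point, 1) == 0) {   /* 1: restore signal mask on return */
        volatile char *p = addr;
        if (is_write)
            *p = 0;
        else
            sink = *p;
    }
    sigaction(SIGSEGV, &old, NULL);

    if (last_addr) {
        char comm[32];
        read_comm(comm, sizeof comm);
        fprintf(stderr, "%s(pid:%d) segmentation fault at %#lx (%s, %s)\n",
                comm, (int)getpid(), (unsigned long)last_addr,
                last_code == SEGV_ACCERR ? "protection violation" : "unmapped page",
                last_write == 1 ? "write" : last_write == 0 ? "read" : "access type unknown");
    }
    return last_addr;
}

int last_fault_code(void)      { return last_code; }
int last_fault_was_write(void) { return last_write; }

/* Map one anonymous read-only page, try to write to it, and report whether
 * the kernel flagged a protection violation (SEGV_ACCERR) at that page. */
int probe_readonly_page(void)
{
    long psz = sysconf(_SC_PAGESIZE);
    void *pg = mmap(NULL, (size_t)psz, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (pg == MAP_FAILED)
        return 0;
    uintptr_t f = probe_fault(pg, 1);
    munmap(pg, (size_t)psz);
    return f == (uintptr_t)pg && last_code == SEGV_ACCERR;
}

int main(void)
{
    probe_fault((void *)0x1000, 0);   /* below vm.mmap_min_addr: SEGV_MAPERR, read */
    probe_readonly_page();            /* read-only page: SEGV_ACCERR, write */
    return 0;
}
```

The handler only stores the fields and jumps out; the logging happens afterwards in normal context, which is the userland equivalent of keeping the work inside the kernel's signal path minimal. A real kernel version of the patch gets the same three facts from the i386 page-fault handler (the CR2 register for the address and the error code for read/write), which is the arch-specific part the post refers to.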

