Full Disclosure mailing list archives

sandboxing


From: silvio () big net au (silvio () big net au)
Date: Sun, 15 Sep 2002 15:58:11 -0700

ok.. so like.. this is old hat, but it's never been talked about a lot I spose..
i have mentioned it a few times before.. but oh well

LD_PRELOAD is a poor man's sandbox when you think about it in terms
of analysing a binary.

because.. a binary that runs knows about all the shared libraries involved.
look at the link map list.. you can just count them, and if you have too
many.. something is whack.

if your forensics guy is smart, he won't use an env variable for LD_PRELOAD,
but more like /etc/ld.so.preload - but doesn't matter since everything
is available anyway.

**

ok.. quick comment.. who the hell uses libpcap in multithreaded code?
i think they may have by now (or never) made it MT safe..

--
Silvio
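
The visibility described in the post, as an added example that is not part of the original message: a dynamically linked Linux/ELF process walks its own link map list (found through DT_DEBUG), counts the mapped objects, and counts how many of them are named in a preload list. The function names are this example's own, and matching by full path or basename is an assumption about how the list entries were written.

```c
/* Added example, not from the original post. Assumes Linux/ELF, dynamic linking. */
#include <link.h>    /* struct link_map, struct r_debug, ElfW() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern ElfW(Dyn) _DYNAMIC[] __attribute__((weak)); /* absent in a static binary */
/* Find the loader's link map list through DT_DEBUG, the way a debugger does. */
static struct link_map *link_map_head(void) {
    for (ElfW(Dyn) *d = _DYNAMIC; d && d->d_tag != DT_NULL; d++)
        if (d->d_tag == DT_DEBUG && d->d_un.d_ptr)
            return ((struct r_debug *)d->d_un.d_ptr)->r_map;
    return NULL;
}

/* Every object mapped by the loader: executable, vDSO, libraries, ld.so. */
int count_link_map(void) {
    int n = 0;
    for (struct link_map *m = link_map_head(); m; m = m->l_next) n++;
    return n;
}

/* 1 if name is an entry of list; preload lists split on ':' and whitespace. */
int in_preload_list(const char *name, const char *list) {
    size_t len = strlen(name);
    while (list && *list) {
        size_t tok = strcspn(list, ": \t\n");
        if (len && tok == len && memcmp(list, name, len) == 0) return 1;
        list += tok + strspn(list + tok, ": \t\n");
    }
    return 0;
}

/* Mapped objects whose path or basename appears in the given preload list. */
int count_preloaded(const char *list) {
    int hits = 0;
    for (struct link_map *m = link_map_head(); m; m = m->l_next) {
        const char *name = m->l_name ? m->l_name : "";
        const char *base = strrchr(name, '/');
        hits += in_preload_list(name, list) || (base && in_preload_list(base + 1, list));
    }
    return hits;
}

int main(void) {
    printf("link map objects: %d, named in LD_PRELOAD: %d\n",
           count_link_map(), count_preloaded(getenv("LD_PRELOAD")));
    return 0;
}
```

The same walk works for entries taken from /etc/ld.so.preload: read the file and pass its contents to `count_preloaded`.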

