Vulnerability Development mailing list archives

Re: Capturing System Calls


From: Charles.Green () RL AF MIL (Green Charles Contr AFRL/IFGB)
Date: Thu, 22 Jun 2000 16:38:06 -0400


I was thinking along these lines too. I haven't actually gotten my hands on
the application yet but considering it's a security product it's probably
statically linked.

One more stipulation of the test, I'm not allowed to run it "wrapped" by
another program, truss, strace, etc...

This line of thinking actually stemmed from a friendly argument one of
the guys on the team and I were having. I said that it couldn't be done without
getting into the kernel and he was telling me that he's seen software that
could do it. I was giving him the benefit of the doubt and was hoping you
guys could prove me wrong :-)

-----Original Message-----
From: Andrew Reiter [mailto:s467338 () gettysburg edu]
Sent: Thursday, June 22, 2000 2:33 PM
To: Green Charles Contr AFRL/IFGB
Subject: Re: Capturing System Calls



All syscalls are actually really called through the libc library. Therefore,
if you modify libc, you can do this.  Let me know if you need any further
pointers on how to do this.

Andrew

On Thu, 22 Jun 2000, Green Charles Contr AFRL/IFGB wrote:

|On UNIX Systems, (FreeBSD, Linux, Solaris) is there a way to capture/modify
|system calls from an application without modifying the kernel (or
|using kernel modules) - preferably in userspace? The reason I ask is that a
|group of us are being asked to evaluate a piece of software for my company
|but they've put some heavy restrictions on how we do it. One of the
|restrictions is that we're not allowed to modify the kernel.
|

---------------------------------------------------------
Andrew Reiter                  <s467338 () gettysburg edu>
Computer Security Engineer
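The approach Andrew describes, interposing on libc rather than the kernel, and the limitation Charles raises, that a statically linked (or raw-syscall) program never goes through libc, can both be seen in a short LD_PRELOAD shim. The following is an added example written for this archive page; it is not code from either poster. It wraps libc's open() and openat(), counts and logs each call, then hands off to the real implementation found with dlsym(RTLD_NEXT, ...). The function names interposed_open_count() and interposed_last_path() are this example's own helpers.

```c
/* Added example: a userspace libc interposer for open()/openat().
 * Builds as an LD_PRELOAD shared object, or directly into a test program. */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* RTLD_NEXT is only exposed under _GNU_SOURCE; glibc and musl both use -1. */
#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l)
#endif

typedef int (*open_fn)(const char *, int, ...);
typedef int (*openat_fn)(int, const char *, int, ...);

static unsigned long g_open_calls;   /* number of open()/openat() calls observed */
static char g_last_path[256];        /* path passed to the most recent call */

/* Record one observed call. stderr is already open, so logging here does not
 * re-enter our own open() wrapper. */
static void record(const char *path)
{
    g_open_calls++;
    snprintf(g_last_path, sizeof g_last_path, "%s", path ? path : "(null)");
    fprintf(stderr, "[interpose] open %s\n", g_last_path);
}

/* Look up the next definition of the symbol after ours, i.e. libc's. */
static open_fn real_open(void)
{
    static open_fn fn;
    if (!fn)
        fn = (open_fn) dlsym(RTLD_NEXT, "open");
    return fn;
}

static openat_fn real_openat(void)
{
    static openat_fn fn;
    if (!fn)
        fn = (openat_fn) dlsym(RTLD_NEXT, "openat");
    return fn;
}

/* Same signature as libc's open(); the mode argument exists only with O_CREAT. */
int open(const char *path, int flags, ...)
{
    mode_t mode = 0;
    if (flags & O_CREAT) {
        va_list ap;
        va_start(ap, flags);
        mode = va_arg(ap, mode_t);
        va_end(ap);
    }
    record(path);
    return real_open()(path, flags, mode);
}

int openat(int dirfd, const char *path, int flags, ...)
{
    mode_t mode = 0;
    if (flags & O_CREAT) {
        va_list ap;
        va_start(ap, flags);
        mode = va_arg(ap, mode_t);
        va_end(ap);
    }
    record(path);
    return real_openat()(dirfd, path, flags, mode);
}

/* Accessors so an auditor (or a test) can read what the shim observed. */
unsigned long interposed_open_count(void) { return g_open_calls; }
const char *interposed_last_path(void) { return g_last_path; }

/* Stand-alone self-check: the call below goes through our wrapper because the
 * executable's own open() shadows libc's. */
int main(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd >= 0)
        close(fd);
    printf("observed %lu open() call(s), last path %s\n",
           interposed_open_count(), interposed_last_path());
    return 0;
}
```

As a shared object (gcc -shared -fPIC -o interpose.so interpose.c -ldl, then LD_PRELOAD=./interpose.so ./target), this sees every open()/openat() the target resolves through the dynamic linker, which is exactly Andrew's point. It sees nothing from a statically linked binary, from a program that issues syscall(2) directly, or from calls libc makes internally without going through the PLT (glibc's fopen, for instance), and the loader ignores LD_PRELOAD for set-user-ID programs; those gaps are why Charles expected a statically linked security product to defeat the technique.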
