Vulnerability Development mailing list archives

Re: Capturing System Calls


From: Charles.Green () RL AF MIL (Green Charles Contr AFRL/IFGB)
Date: Thu, 22 Jun 2000 17:47:13 -0400


Thank you for your concern and opinion but this isn't on the gov's dime. I
work for a company (as I hope you do too) and we do work with the Air Force
on some projects. The Air Force is kind enough to let me have an e-mail
account. Next time I'll use my yahoo e-mail account :-)

None of the tools will allow me to capture and replace (or wrap) system
calls without modifying the kernel or wrapping the application. A member of
my team said it can be done, I'm simply trying to give him the benefit of
the doubt. As everyone deserves.

-----Original Message-----
From: Marcy Abene [mailto:geetwentythree () yahoo com]
Sent: Thursday, June 22, 2000 5:28 PM
To: Green Charles Contr AFRL/IFGB; VULN-DEV () SECURITYFOCUS COM
Subject: Re: Capturing System Calls


On Thu, 22 Jun 2000, Green Charles Contr AFRL/IFGB wrote:
I was thinking along these lines too. I haven't actually gotten my
hands on the application yet but considering it's a security product
it's probably statically linked.

One more stipulation of the test, I'm not allowed to run it "wrapped"
by another program, truss, strace, etc...

This line of thinking actually stemmed from a friendly argument I and
one of the guys on the team were having. I said that it couldn't be
done without getting into the kernel and he was telling me that he's
seen software that could do it. I was giving him the benefit of the
doubt and was hoping you guys could prove me wrong :-)


Hi af.mil,

Can you please name a single example of when this would ever matter?
Why would you want to analyze system calls WITHOUT the use of tools
that do exactly that?  What is your point?  Why are you wasting
taxpayer dollars to play these time-wasting games, when the tools are
right in front of you?

You've got:
 http://subterfugue.org/
 ftp://ftp.tislabs.com/pub/wrappers
 kernel modules
 Linux: strace, ltrace, gdb
 FreeBSD: ktrace, gdb
 Solaris 6-7: truss, gdb
 Solaris 8: apptrace, gdb
GET TO WORK!

Concerned taxpayer.

__________________________________________________
Do You Yahoo!?
Send instant messages with Yahoo! Messenger.
http://im.yahoo.com/
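The tools listed above fall into two groups: kernel-side hooks (kernel modules, the TIS wrappers) and user-space tracers that attach to the process through the kernel's ptrace facility (strace, ltrace, gdb, and their truss/ktrace cousins). The following minimal tracer, written for this archive page as an added illustration and not code from anyone in the thread, shows what the second group does under the hood: it forks, has the child volunteer for tracing with PTRACE_TRACEME, execs the target, and then stops the child at every system-call entry to count it. It assumes Linux, reads the syscall number from orig_rax only on x86-64, and uses /bin/true as a default target; the function name count_syscalls is this example's own. The point for the argument in the thread is structural: the tracer is necessarily the parent or attacher of the traced process, which is exactly the "wrapping" the test rules out, and static linking does not get in its way because the stops happen in the kernel, not in libc.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run `path` as a traced child and count its system-call entries.
 * Returns the count, or -1 if the child could not be exec'd or traced.
 * With verbose != 0 the syscall number is printed at each entry (x86-64 only).
 * Example function, not from any tool named in the thread. */
long count_syscalls(const char *path, int verbose)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: volunteer to be traced, then exec the target. The exec
         * delivers a SIGTRAP stop to the tracer before the first instruction. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0)
            _exit(127);
        execl(path, path, (char *)NULL);
        _exit(127); /* exec failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status))
        return -1; /* child exited instead of stopping: exec or ptrace failed */

    /* Mark syscall stops with SIGTRAP|0x80 so they are distinguishable
     * from ordinary SIGTRAP signals. */
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD) < 0)
        return -1;

    long count = 0;
    int in_syscall = 0;   /* stops alternate: entry, exit, entry, ... */
    int sig = 0;          /* signal to deliver on the next restart */
    (void)verbose;        /* only used on x86-64 below */

    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) < 0)
            return -1;
        sig = 0;
        if (waitpid(pid, &status, 0) < 0)
            return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status))
            break;
        if (!WIFSTOPPED(status))
            continue;

        if (WSTOPSIG(status) == (SIGTRAP | 0x80)) {
            if (!in_syscall) {
                count++;
#if defined(__x86_64__)
                if (verbose) {
                    struct user_regs_struct regs;
                    /* orig_rax holds the syscall number at entry on x86-64 */
                    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == 0)
                        printf("syscall %llu\n", (unsigned long long)regs.orig_rax);
                }
#endif
            }
            in_syscall = !in_syscall;
        } else {
            /* Signal-delivery stop: pass the signal through to the child. */
            sig = WSTOPSIG(status);
        }
    }
    return count;
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "/bin/true";
    long n = count_syscalls(target, 1);
    if (n < 0) {
        perror("trace");
        return 1;
    }
    printf("%s made %ld system calls\n", target, n);
    return 0;
}
```

Build with `cc -o tracer tracer.c` and run `./tracer /bin/true`; the per-call lines are the raw material strace formats into readable output. A sandbox or container that forbids ptrace makes PTRACE_TRACEME fail, which the function reports as -1 rather than as a zero count.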
