Vulnerability Development mailing list archives
Re: Capturing System Calls
From: job () ITSX COM (Job de Haas)
Date: Fri, 23 Jun 2000 13:58:16 +0200
Hi,
> I was thinking along these lines too. I haven't actually gotten my hands on the application yet but considering it's a security product it's probably statically linked. One more stipulation of the test, I'm not allowed to run it "wrapped" by another program, truss, strace, etc...
It depends on your definition of wrapping and on the privs the program runs under and from the priv you want to attack. apptrace, sotruss etc. 'wrap' in the sense that they use the dynamic linking facility to intercept. truss, strace etc. do not. They use ptrace to inspect the system calls. ptrace can be used to inspect processes based on their PID and thus without 'wrapping'. You can do it on processes that are already running and it also works fine on statically linked binaries. Only a sound ptrace implementation won't let you cross privilege boundaries.

An example of runtime modification of /usr/bin/date was shown in a bugtraq thread:

http://www2.merton.ox.ac.uk/~security/bugtraq-199905/0164.html

(The securityfocus references are just awful)

Job
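The attach-by-PID behaviour described in the message above, as an added example that is not part of the original post: a tracer attaches to a process that is already running, counts its system-call stops, and reports a refused attach. It assumes Linux with glibc; `spawn_busy_target` and `count_syscall_stops` are hypothetical helper names, and the target process is constructed for the demonstration.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed target: already running before tracing starts; it never
 * calls PTRACE_TRACEME and nothing is preloaded into it. */
pid_t spawn_busy_target(void)
{
    pid_t pid = fork();
    if (pid == 0)
        for (;;) usleep(1000);      /* one sleep syscall per iteration */
    return pid;
}

/* Attach by PID, count syscall stops (one at entry, one at exit) up to `limit`.
 * Returns -1 when the kernel refuses the attach (e.g. privilege boundary). */
long count_syscall_stops(pid_t pid, long limit)
{
    int status;
    long stops = 0;
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1 ||
        waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        return -1;
    /* Report syscall stops as SIGTRAP|0x80 so other signals are not counted. */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    while (stops < limit) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) == -1 ||
            waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
            break;
        if (WSTOPSIG(status) == (SIGTRAP | 0x80))
            stops++;
    }
    ptrace(PTRACE_DETACH, pid, NULL, NULL);
    return stops;
}

int main(void)
{
    pid_t target = spawn_busy_target();
    if (target <= 0) return 1;
    usleep(50000);                  /* let the target run on its own first */
    long n = count_syscall_stops(target, 10);
    printf("pid %d: %ld syscall stops observed\n", (int)target, n);
    kill(target, SIGKILL);
    waitpid(target, NULL, 0);
    return n < 0;
}
```

The tracer never touches the dynamic linker, so the result is the same for a statically linked target; a return of -1 is the case where the kernel declines the attach.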