Vulnerability Development mailing list archives

Re: Core Dump as an Intrusion Event

From: Kev <klmitch () MIT EDU>
Date: Fri, 6 Oct 2000 10:08:15 -0400

A better solution would be a kernel patch that hooks into the SIGSEGV
signal handler and logs all segmentation faults. A predefined list of
programs can be monitored. Maybe it's fesable to log segfaults of all
root processes.


Only if you combine the latter with the former; many daemons setuid(),
say to user nobody, but you still want to be able to detect intrusion
attempts.
--
Kevin L. Mitchell <klmitch () mit edu>

Current thread:

Re: Core Dump as an Intrusion Event, (continued)
- Re: Core Dump as an Intrusion Event Alexander Kiwerski (Oct 05)
- Re: Core Dump as an Intrusion Event antirez (Oct 05)
- Re: Core Dump as an Intrusion Event Slawek (Oct 05)
- Re: Core Dump as an Intrusion Event Pascal Bouchareine (Oct 05)
- Re: Core Dump as an Intrusion Event Crist Clark (Oct 05)
- Re: Core Dump as an Intrusion Event W. Reilly Cooley (Oct 05)
- Re: Core Dump as an Intrusion Event Eclipse, Solar (Oct 05)
  - Re: Core Dump as an Intrusion Event Erik Tayler (Oct 06)
  - Re: Core Dump as an Intrusion Event Jarno Huuskonen (Oct 06)
  - Re: Core Dump as an Intrusion Event Crist Clark (Oct 07)
  - Re: Core Dump as an Intrusion Event Kev (Oct 07)
  - Re: Core Dump as an Intrusion Event antirez (Oct 08)
    - Re: Core Dump as an Intrusion Event Jarno Huuskonen (Oct 08)
    - Re: Core Dump as an Intrusion Event Gigi Sullivan (Oct 09)
    - Re: Core Dump as an Intrusion Event Jarno Huuskonen (Oct 09)
    - Re: Core Dump as an Intrusion Event Gigi Sullivan (Oct 11)
    - Re: Core Dump as an Intrusion Event antirez (Oct 12)
    - Re: Core Dump as an Intrusion Event antirez (Oct 09)
    - Re: Core Dump as an Intrusion Event antirez (Oct 09)
    - Re: Core Dump as an Intrusion Event Daniel Roesen (Oct 10)
- Re: Core Dump as an Intrusion Event Michael Wojcik (Oct 07)