Vulnerability Development mailing list archives

Re: Kernel module for file protection ideas


From: George Capehart <gwc () acm org>
Date: Thu, 8 Jan 2004 21:47:25 -0500

On Thursday 08 January 2004 11:20 am, Bruno Lustosa wrote:
> * Just1n T1mberlake <hotpackets () hellokitty com> [08-01-2004 13:50]:
> > I have been thinking of ideas to stop many file attacks on Unix
> > systems. When you find rootkits or other attack files on many Unix
> > systems they will often try to hide their tracks by using filenames
> > such as '...' and '/tmp/.X11-unix' etc. I wish to write a kernel
> > module (for linux initially) that will prevent such attacks. The
> > kernel module in pseudo code:
>
> This would help against a few of them, but just until they start
> using some name not in the bad names list.
> For example, suckit uses something in /usr/share/locale. If it's
> tagged as bad, one could just name it something else. Hiding a file
> isn't really hard after all, at least if you are hiding from someone
> not searching for it.

White lists are always better than blacklists.  It's usually *much* 
easier to provide a list of acceptable options/values/whatever than it 
is to provide a list of the unacceptable ones.  The number of elements 
in that set approaches infinity . . . ;-)

/g
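
The contrast drawn in this message, as an added example that is not part of the original post or of any module discussed in the thread: a userspace model of the name check such a module would make, once as a list of bad names and once as a per-directory list of expected names. The function names, the policy tables and the sample names are constructed assumptions, as is the choice to leave directories without a policy entry unrestricted.

```c
#include <stdio.h>
#include <string.h>

/* Constructed policy data for illustration; not from the original thread. */
static const char *const DENY_NAMES[] = { "...", ".. ", NULL };
static const char *const LOCALE_OK[]  = { "de", "en_GB", "fr", "locale.alias", NULL };

struct dir_allow { const char *dir; const char *const *names; };
static const struct dir_allow ALLOW[] = {
    { "/usr/share/locale", LOCALE_OK },
    { NULL, NULL }
};

static int in_list(const char *const *list, const char *s) {
    for (; *list; list++)
        if (strcmp(*list, s) == 0) return 1;
    return 0;
}

/* Bad-names list: permit unless the final component is a known-bad name. */
int denylist_permits(const char *dir, const char *name) {
    (void)dir;                       /* the directory plays no part here */
    return !in_list(DENY_NAMES, name);
}

/* Expected-names list: inside a protected directory only listed names pass.
 * Assumption: directories with no policy entry are left unrestricted. */
int allowlist_permits(const char *dir, const char *name) {
    for (const struct dir_allow *p = ALLOW; p->dir; p++)
        if (strcmp(p->dir, dir) == 0)
            return in_list(p->names, name);
    return 1;
}

int main(void) {
    const char *cases[][2] = {
        { "/usr/share/locale", "fr" },        /* expected entry */
        { "/usr/share/locale", "..." },       /* name on the bad list */
        { "/usr/share/locale", "xx_hidden" }, /* unexpected, not on any bad list */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%s/%s  bad-names:%s  expected-names:%s\n",
               cases[i][0], cases[i][1],
               denylist_permits(cases[i][0], cases[i][1]) ? "permit" : "block",
               allowlist_permits(cases[i][0], cases[i][1]) ? "permit" : "block");
    return 0;
}
```

The third case is the one the thread turns on: a name nobody thought to list passes the bad-names check, while the expected-names check blocks it without knowing anything about it.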

