"Michael H. Warfield" wrote:
> I used to think that making the stack non-executable would at
> least make it tougher. The existence of such a simple payload requiring
> no assembly language work at all points out just what a lie that idea is.
> Sad to say, but non-executable stacks are no help at all.
That's where real-time audit monitoring and response come in. The log monitor sees UID=root, LUID=daemon 'exec'ing any programs not on an 'allowed' list, and it can shut down the port/process immediately. The list of programs spawned by a system daemon and UID=root is, or can be, a fairly small list. Programs like inetd shouldn't be writing to any file directly AFAIK. Suppose you hack in through sendmail (assuming you still run it as root); you can be alarmed about any files written outside of /var/mail or a user's directory. I still think all of these things provide increasing layers of difficulty.

-- 
Linda A Walsh | Trust Technology, Core Linux, SGI
law@sgi.com | Voice: (650) 933-5338
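The monitoring idea in the reply above (root-context daemons exec'ing programs not on a per-daemon allowlist, and daemons writing files outside the directories they are expected to touch) as an added example that is not part of the original thread and not any real audit tool's code. The log line layout, the daemon names, the allowlisted programs and the paths are all constructed for the example; a real deployment would parse the audit subsystem's actual record format and hook the returned alerts to the kill/close-port response the post describes.

```python
"""Toy real-time audit monitor: policy checks for root-context daemon activity.

Everything here is constructed for illustration: the line format is NOT a
real auditd/syslog layout, and the allowlists are assumed, not measured.
"""
import re
from dataclasses import dataclass

# Constructed record layout (hypothetical):
#   <event> uid=<effective uid> luid=<login/audit uid> comm=<daemon> arg=<program or path>
LINE_RE = re.compile(
    r"^(?P<event>exec|write) uid=(?P<uid>\S+) luid=(?P<luid>\S+) "
    r"comm=(?P<comm>\S+) arg=(?P<arg>\S+)$"
)

# Login uids that identify "started as a system daemon" rather than an admin session (assumed).
DAEMON_LUIDS = {"daemon"}

# Programs each root-running daemon is expected to spawn (assumed allowlists).
EXEC_ALLOW = {
    "inetd": {"/usr/sbin/in.telnetd", "/usr/sbin/in.ftpd"},
    "sendmail": {"/usr/bin/procmail", "/bin/mail"},
}

# Directory prefixes each daemon may write under; inetd gets none, per the post.
WRITE_ALLOW = {
    "sendmail": ("/var/mail/", "/home/"),
    "inetd": (),
}


@dataclass
class Alert:
    daemon: str
    reason: str
    detail: str


def parse(line):
    """Return the record fields as a dict, or None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def check(ev):
    """Return an Alert if the event violates the daemon's policy, else None.

    Only UID=root activity whose login uid marks a daemon session is in scope;
    an interactive root shell is deliberately ignored here.
    """
    if ev is None or ev["uid"] != "root" or ev["luid"] not in DAEMON_LUIDS:
        return None
    daemon = ev["comm"]
    if ev["event"] == "exec":
        if ev["arg"] not in EXEC_ALLOW.get(daemon, set()):
            return Alert(daemon, "unexpected exec", ev["arg"])
    elif ev["event"] == "write":
        if not any(ev["arg"].startswith(p) for p in WRITE_ALLOW.get(daemon, ())):
            return Alert(daemon, "write outside allowed paths", ev["arg"])
    return None


def monitor(lines):
    """Run every line through the policy and collect the alerts in order."""
    alerts = []
    for line in lines:
        alert = check(parse(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log: one benign exec, one rogue shell spawn from inetd,
# one normal mail delivery, one write to /etc/passwd, and one interactive root session.
SAMPLE_LOG = [
    "exec uid=root luid=daemon comm=inetd arg=/usr/sbin/in.telnetd",
    "exec uid=root luid=daemon comm=inetd arg=/bin/sh",
    "write uid=root luid=daemon comm=sendmail arg=/var/mail/alice",
    "write uid=root luid=daemon comm=sendmail arg=/etc/passwd",
    "exec uid=root luid=lwalsh comm=bash arg=/bin/sh",
]

if __name__ == "__main__":
    for a in monitor(SAMPLE_LOG):
        print(f"ALERT {a.daemon}: {a.reason}: {a.detail}")
```

Running it on the constructed sample yields two alerts, the inetd exec of /bin/sh and the sendmail write to /etc/passwd; the interactive root session on the last line is out of scope because its login uid is not a daemon's. The design choice worth noting is that scoping on the login uid rather than the effective uid is what keeps the allowlist small: it separates "root because a daemon runs as root" from "root because an administrator logged in".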
This archive was generated by hypermail 2b29 : Sun Apr 23 2000 - 21:00:13 EST