Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linuxinterfaceforon access scanning

From: Arjan van de Ven
Date: Tue Aug 05 2008 - 14:02:47 EST

Next message: Press, Jonathan: "RE: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interfaceforon access scanning"
Previous message: Pavel Machek: "Re: [RFC][Patch 5/5]integrity: IMA as an integrity service provider"
In reply to: Alan Cox: "Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linuxinterfaceforon access scanning"
Next in thread: Alan Cox: "Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linuxinterfaceforon access scanning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 5 Aug 2008 18:29:44 +0100
Alan Cox <alan@xxxxxxxxxxxxxxxxxxx> wrote:

> > And this can be done from userland with the preload: the
> > "workaround" from the preload assumes you've already executed
> > malicious code, which is outside of your protection scope.
> >
> > What am I missing?
>
> Scripts

get either opened or exec'd...

(ignoring stdin-fed scripts right now.. but that's a problem regardless)

> Attempts to screen content

can you explain?

> Exec occuring after ld.so is compromised

this is post-compromise scenario; if you have enough root rights to do
that then it's game over.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Press, Jonathan: "RE: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interfaceforon access scanning"
Previous message: Pavel Machek: "Re: [RFC][Patch 5/5]integrity: IMA as an integrity service provider"
In reply to: Alan Cox: "Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linuxinterfaceforon access scanning"
Next in thread: Alan Cox: "Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linuxinterfaceforon access scanning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]