Re: Kernel module for file protection ideas

From: Larry W. Cashdollar (lwcvapid.ath.cx)
Date: Thu Jan 08 2004 - 10:12:07 CST


I wrote a crude patch for Linux kernel 2.4.17? a while back that stopped
symlinks from being created in /tmp. And a crude one that logged file
creation in /tmp. They are crude but worked.

http://vapid.dhs.org/tmp-patch-kernel-2.4.17.txt

A module would be much better.

On Thu, 8 Jan 2004, Just1n T1mberlake wrote:

> Hello Security Professionals,
>
> I have been thinking of ideas to stop many file attacks on Unix systems.
> When you find rootkits or other attack files on many Unix systems they will often try to hide their tracks by using filenames such as '...' and '/tmp/.X11-unix' etc.
> I wish to write a kernel module (for Linux initially) that will prevent such attacks. The kernel module in pseudo code:
>
> module_file_create()
> {
>     if filename_in_list(badfiles) then
>         error_cannot_create
>     else
>         call_real_file_create
> }
>
> where badfiles is a list of filenames such as
> '...', '/tmp/.X11-unix' etc.
>
> As you can see it will be simple code which would be easy to check for bugs (format strings etc.)
>
> I will also have a web site where people can submit other names which are bad so they can be incorporated into the next release. I will most probably do this in php.
>
> I think this concept could be applied to Windows NT as well but I am not sure of the way to do kernel modules on that OS. Also I do not know if any other projects do a similar thing such as SourceForge.
>
> Any thoughts/ideas?
>
> just1n
>
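As an added example (not code from either poster), here is a user-space C version of the filename_in_list() check from the quoted pseudocode, with a constructed blocklist in two rule forms: a bare name like '...' is refused in any directory, an absolute entry like '/tmp/.X11-unix' only at that exact path. The unresolved ".." case in the test shows why a real module must match on the kernel's resolved path rather than the string the caller passed; note also that /tmp/.X11-unix is the legitimate X server socket directory, so an exact-path rule on it needs care in practice.

```c
/* Blocklist check for a file-creation hook, written in user space so it
 * can be tested. A bare name (no '/') matches the final path component
 * in any directory; an absolute entry matches only that exact path.
 * Paths are normalized (repeated slashes, trailing slashes, "/.")
 * so that "/tmp//.X11-unix/" cannot slip past a naive strcmp. */
#include <stdio.h>
#include <string.h>

/* Constructed blocklist in the two rule forms described above. */
static const char *const badfiles[] = { "...", "/tmp/.X11-unix", NULL };

/* Collapse "//" and "/." and strip a trailing slash. Returns -1 if the
 * input does not fit. ".." is left alone: its meaning depends on the real
 * directory tree, which only the kernel's resolved path knows. */
static int normalize_path(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    const char *p = in;
    if (strlen(in) >= outlen)
        return -1;
    while (*p) {
        if (*p != '/') { out[o++] = *p++; continue; }
        while (*p == '/') p++;                           /* "//" -> "/" */
        if (*p == '.' && (p[1] == '/' || p[1] == '\0')) { p++; continue; } /* "/." */
        if (o == 0 || out[o - 1] != '/') out[o++] = '/';
    }
    if (o > 1 && out[o - 1] == '/') o--;                 /* trailing "/" */
    out[o] = '\0';
    return 0;
}

/* Return 1 if creating `path` must be refused, 0 if it may proceed. */
int file_create_blocked(const char *path)
{
    char norm[4096];
    const char *base;
    size_t i;
    if (normalize_path(path, norm, sizeof norm) != 0)
        return 1;                                        /* fail closed */
    base = strrchr(norm, '/');
    base = base ? base + 1 : norm;
    for (i = 0; badfiles[i] != NULL; i++) {
        if (badfiles[i][0] == '/' ? strcmp(norm, badfiles[i]) == 0
                                  : strcmp(base, badfiles[i]) == 0)
            return 1;
    }
    return 0;
}
```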