Keeping track of called syscalls in real-time
Ben Mezger
su at seds.nl
Thu Jun 29 09:45:49 EDT 2017
> This sounds like an LSM, possibly with a component which communicates
> with userspace, depending on how sophisticated "verify" needs to be.
Yes, the component *should* communicate with the userspace. The
sophistication of "verify" varies from user to user. The tool will
provide a few procedures to, say, verify integrity and log call. But
"verify" was a plain example, where my point was that the user could
extend/add these procedures for their own needs.
VisorFlow sounds interesting. I've seen the paper is on submission. When
will it be published?
On 06/28/2017 09:49 PM, W. Michael Petullo wrote:
>> Whenever fopen("/etc/shadow", "r") is called, the tool would intercept
>> it, run the verify() procedure, and return back to the syscall, allowing
>> it to do it's job.
>
> This sounds like an LSM, possibly with a component which communicates
> with userspace, depending on how sophisticated "verify" needs to be.
>
> We've also done some very early work in trying to do this type of thing
> from a hypervisor. See:
>
> https://www.flyn.org/projects/VisorFlow/
>
--
- seds
~> https://seds.nl
More information about the Kernelnewbies
mailing list