Critical Linux security API is still a kludge (Inquirer)
Posted Oct 24, 2006 16:19 UTC (Tue) by nix
In reply to: Critical Linux security API is still a kludge (Inquirer)
Parent article: Critical Linux security API is still a kludge (Inquirer)
Hooking glibc's exec() wouldn't help for infected shared objects (likely to be a common target in any case, at least if viruses were actually a problem, which of course they aren't: infect one shared library and *bang* you've just got N executables too).
And of course shared libraries are mmap()ed in by ld.so (well, so is the executable, but you can tell what that's called statically: finding out the total set of shared libraries a program will use is impossible in the general case because of dlopen(), and indeed anything reimplementing dlopen() itself via mmap(), or via open() and read() into a prepared mmap()ed area.)
It has many of the same fundamental flaws as does digsig: it'll stop everyone but the determined attackers it's most useful to stop. (I'd like digsig to work as well but unfortunately it's one of those tools that only works until a single malware author works around it).
to post comments)