* RFC - Kernel Process Firewall
@ 2003-12-25  6:01 raj
  2003-12-30 23:49 ` David Wagner
  0 siblings, 1 reply; 2+ messages in thread
From: raj @ 2003-12-25  6:01 UTC (permalink / raw)
  To: linux-kernel

Folks,
I have been working on a project called "Kernel Process Firewall (KPF)" 
that is nearing completion.  The goal of the project is to provide users 
the ability to trace, monitor and control the system calls made by any 
process.  I expect KPF to be of great value to system administrators, 
security analysts and researchers in general and solicit your comments. 
Some of you may have seen version 0.1 of the RFC which I mailed out 
earlier this month, just before I started work on the project.  I have 
added more details in version 0.2, which is available from

http://www.cs.wisc.edu/~raj/comminst/RFC

If any of you'd be interested in accessing the code, I'll make it available.

Thanks in advance,
Raj



* Re: RFC - Kernel Process Firewall
  2003-12-25  6:01 RFC - Kernel Process Firewall raj
@ 2003-12-30 23:49 ` David Wagner
  0 siblings, 0 replies; 2+ messages in thread
From: David Wagner @ 2003-12-30 23:49 UTC (permalink / raw)
  To: linux-kernel

raj wrote:
>I have been working on a project called "Kernel Process Firewall (KPF)" 
>that is nearing completion.  The goal of the project is to provide users 
>the ability to trace, monitor and control the system calls made by any 
>process.

Some comments:

1) There's a great deal of related and prior work in this area.
Take a look, for instance, at Janus, consh, MapBox, SubDomain, Ostia, ...
http://www.cs.berkeley.edu/~daw/janus/
2) There are some real problems with using system call interception
for this purpose.  There are TOCTTOU races, synchronization issues, ...
http://www.stanford.edu/~talg/papers/pubs.html
3) Have you looked at the LSM (Linux Security Modules) project?
It looks to me like this is what you want to be using, and it avoids
the problems with system call interposition.
http://lsm.immunix.org/

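The TOCTTOU point in comment 2 above, worked through as an added example (not part of the thread, and not KPF, Janus or LSM code): a deterministic model in which a syscall-interposing monitor judges a pathname it read from the traced process's memory, while the kernel later fetches the argument on its own. The names (UserMemory, interposed_open, lsm_open, POLICY_ALLOW) and the paths are constructed for illustration; the `interleave` callback stands in for another thread of the monitored process being scheduled inside the check-to-use window.

```python
# Constructed allow-list: the only path the monitor's policy permits opening.
POLICY_ALLOW = {"/tmp/public.txt"}


class UserMemory:
    """Models a pathname buffer in the monitored process. Any thread of that
    process can overwrite it at any time; the monitor has no exclusive view."""

    def __init__(self, path):
        self.buf = path

    def read_path(self):
        return self.buf


def interposed_open(mem, interleave=None):
    """System-call interposition: the monitor copies the argument out of user
    memory, decides, and only afterwards does the kernel copy it again for the
    real open(). The two copies need not agree."""
    checked = mem.read_path()             # time of check: monitor's copy
    if checked not in POLICY_ALLOW:
        return ("denied", checked)
    if interleave is not None:
        interleave(mem)                   # another thread runs in the window
    used = mem.read_path()                # time of use: kernel's own copy
    return ("opened", used)               # may differ from what was checked


def lsm_open(mem, interleave=None):
    """LSM-style hook: the kernel copies the argument once, the hook judges
    that kernel-side copy, and the same copy is used. A user-space thread
    rewriting the buffer afterwards changes nothing."""
    kernel_copy = mem.read_path()         # single copy_from_user()
    if interleave is not None:
        interleave(mem)                   # same scheduling, no effect below
    if kernel_copy not in POLICY_ALLOW:
        return ("denied", kernel_copy)
    return ("opened", kernel_copy)


def swap_to_private(mem):
    """Models a sibling thread rewriting the buffer between check and use."""
    mem.buf = "/tmp/private.txt"


if __name__ == "__main__":
    # Interposition: the check saw an allowed path, the kernel used another.
    print(interposed_open(UserMemory("/tmp/public.txt"), swap_to_private))
    # LSM hook: the decision and the operation share one kernel-side copy.
    print(lsm_open(UserMemory("/tmp/public.txt"), swap_to_private))
```

Detection of such a race from audit logs is hard precisely because the monitor's record shows an allowed path; the mitigation is structural, which is why the reply points at LSM hooks that run on kernel-copied data.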
