Extracting written string from the write syscall

Casey Schaufler casey at schaufler-ca.com
Fri Apr 27 00:46:39 UTC 2018

On 4/26/2018 5:08 PM, Sargun Dhillon wrote:
> On Thu, Apr 26, 2018 at 4:40 PM, Casey Schaufler <casey at schaufler-ca.com> wrote:
>> On 4/26/2018 3:57 PM, Steve Grubb wrote:
>>> On Thu, 26 Apr 2018 20:34:57 +0000
>>> Wajih Ul Hassan <wajih.lums at gmail.com> wrote:
>>>> Hi all,
>>>>  .....
>> You could write a Linux Security Module (LSM) to monitor the
>> content of writes. The performance impact would be rather
>> amazing.
> I would recommend using BPF + kprobes + perf_event buffers for this
> purpose. There are enough places you can probe to grab these strings
> in the kernel, and if you do your filtering in BPF, you can then push
> it into kernel space based on filtering. Although, AFAIK, the BPF JITs
> don't do vectorization of instructions, but it's still not too bad. If
> you put your kprobe on the syscall itself, and probe the userspace
> addr, remember you're going to be open to a time-of-use, time-of-check
> style attack.

That looks like a whole lot of mechanism to perform a simple task.

To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

More information about the Linux-security-module-archive mailing list