Extracting written string from the write syscall

Richard Guy Briggs rgb at redhat.com
Fri Apr 27 18:21:01 UTC 2018


On 2018-04-27 02:37, Wajih Ul Hassan wrote:
> Thanks for your replies. However, I am now thinking of another solution.
> Let's say I can capture write() in the userspace by either instrumenting
> the LibC or LD_PRELOAD wrapper and store the string buffer passed to
> write().
> Can I call/generate *some other non-instrusive* syscall which can take that
> string buffer that I stored earlier and that syscall with the buffer will
> be visible in the audit.log? I am not worried about performance hit right
> now.

Use an AUDIT_USER message with the text and some identifier that links
it with a particular write call?

> On Thu, Apr 26, 2018 at 7:46 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
> > On 4/26/2018 5:08 PM, Sargun Dhillon wrote:
> > > On Thu, Apr 26, 2018 at 4:40 PM, Casey Schaufler <casey at schaufler-ca.com>
> > wrote:
> > >> On 4/26/2018 3:57 PM, Steve Grubb wrote:
> > >>> On Thu, 26 Apr 2018 20:34:57 +0000
> > >>> Wajih Ul Hassan <wajih.lums at gmail.com> wrote:
> > >>>
> > >>>> Hi all,
> > >>>>  .....
> > >> You could write a Linux Security Module (LSM) to monitor the
> > >> content of writes. The performance impact would be rather
> > >> amazing.
> > >>
> > > I would recommend using BPF + kprobes + perf_event buffers for this
> > > purpose. There are enough places you can probe to grab these strings
> > > in the kernel, and if you do your filtering in BPF, you can then push
> > > it into kernel space based on filtering. Although, AFAIK, the BPF JITs
> > > don't do vectorization of instructions, but it's still not too bad. If
> > > you put your kprobe on the syscall itself, and probe the userspace
> > > addr, remember you're going to be open to a time-of-use, time-of-check
> > > style attack.
> >
> > That looks like a whole lot of mechanism to perform a simple task.

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



More information about the Linux-security-module-archive mailing list