[1816] in bugtraq
Re: detecting sniffers is downright easy
daemon@ATHENA.MIT.EDU (Julian Assange)
Mon May 15 01:05:06 1995
From: Julian Assange <proff@suburbia.apana.org.au>
To: chowes@helix.net (Charles Howes)
Date: Mon, 15 May 1995 13:16:58 +1000 (EST)
Cc: bugtraq@fc.net
In-Reply-To: <Pine.SUN.3.91.950514165802.5620F@trance.helix.net> from "Charles Howes" at May 14, 95 05:05:23 pm
> It would be nice to have the kernel MD5 programs just before
> it executes them, and refuse to execute them if that MD5 checksum
> isn't on the 'approved' list. Put the code in the middle of the
> 'exec()' code, after loading and before running.
That's an interesting idea. However one that I suspect would be very expensive,
given such factors as shared memory, dynamically paged libraries and executables.
One might be better off in removing the /dev/kmem write functions from the kernel
and adding an "unmutable" bit (such as supported by 4.4 BSD) to the inode entry,
which can only be set in single user mode and modifying exec() to only allow
execution of unmutable files. You would also need to remove user access to the
/dev block devices which map the file-space in question.
-Proff
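
An added example, not part of the original message or written by either poster: a userspace version of the quoted approved-list check, which hashes an open descriptor and then executes that same descriptor so the path cannot be swapped between check and exec. The function names are hypothetical, and SHA-256 is used in place of the MD5 named in the thread.

```python
import hashlib
import os
import tempfile

def digest_fd(fd):
    """Hash the open descriptor, not the path, so swapping the path later
    cannot change what was checked. SHA-256 stands in for the post's MD5."""
    h = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    while block := os.read(fd, 65536):
        h.update(block)
    return h.hexdigest()

def open_if_approved(path, approved):
    """Return an open fd if the digest is on the approved list, else raise."""
    fd = os.open(path, os.O_RDONLY)
    if digest_fd(fd) not in approved:
        os.close(fd)
        raise PermissionError(f"{path}: digest not on approved list")
    return fd

def run_approved(path, argv, approved):
    """Check, then exec the same descriptor (fexecve) instead of the path.
    An in-place write to the inode between check and exec is still possible;
    that gap is what the immutable flag in the reply is meant to close."""
    fd = open_if_approved(path, approved)
    if os.execve not in os.supports_fd:
        os.close(fd)
        raise OSError("fd-based exec not supported on this platform")
    os.execve(fd, argv, os.environ)

def demo():
    """Constructed sample: approve a file, then overwrite it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool")
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\necho approved\n")
        fd = os.open(path, os.O_RDONLY)
        approved = {digest_fd(fd)}
        os.close(fd)
        os.close(open_if_approved(path, approved))  # unchanged file: accepted
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\necho tampered\n")
        try:
            os.close(open_if_approved(path, approved))
            return "accepted"
        except PermissionError:
            return "refused"
```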