RE: [Full-Disclosure] EFC Released

From: Rainer Gerhards (rgerhards_at_hq.adiscon.com)
Date: 03/04/04

    To: <timothy.demulder@tiscali.be>, <full-disclosure@lists.netsys.com>
    Date: Thu, 4 Mar 2004 15:12:10 +0100
    
    

    There has already been a lot of discussion on this concept on this list
    (see archives). A major shortcoming of this concept is that some program
    code may only very seldom be executed (error/exception handlers). As
    such, a program may be killed just because it is gracefully handling an
    exceptional situation...

    Rainer

    > -----Original Message-----
    > From: Timothy Demulder [mailto:timothy.demulder@tiscali.be]
    > Sent: Thursday, March 04, 2004 9:45 AM
    > To: full-disclosure@lists.netsys.com
    > Subject: Re: [Full-Disclosure] EFC Released
    >
    > On Thu, 04 Mar 2004 11:17:20 +0530
    > Balwinder Singh <balwinder@gmx.net> wrote:
    >
    > > Dear All,
    > >
    > > Execution Flow Control (EFC) is available for download at
    > > http://sourceforge.net/projects/efc/
    > >
    > > What is EFC?
    > >
    > > EFC monitors the execution of a program by observing system
    > > calls made by the program. EFC generates a database for each
    > > program describing its behavioral model. The moment a request for
    > > execution of a program is made, the kernel also loads the program's
    > > behavioral model into memory. Each request by a program is compared
    > > with the model database; if the request agrees with the model it is
    > > permitted, else the program is killed.
    > >
    > > EFC is a kernel module, and works on Linux only.
    > >
    > > Sincerely
    > >
    > > Bal
    >
    > Seems very interesting, but how does it affect
    > performance/stability of the system/kernel?
    >
    > Greets,
    >
    > Timothy
    > ----
    >
    > Absolutely nothing should be concluded from these figures except that
    > no conclusion can be drawn from them.
    > -- Joseph L. Brothers, Linux/PowerPC Project)
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
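The following is an added illustration, not code from EFC or from anyone on this thread. It builds a toy per-program behavioral model from system-call traces (a fixed-length window, or n-gram, set, which is one common way such models are built; whether EFC does exactly this is not stated in the announcement) and then shows the failure mode Rainer points out: a rarely exercised error-handling path produces syscall windows the model never saw, so a kill-on-mismatch policy terminates a program that is merely handling an error. All traces, the window length and the policy names are constructed for the example.

```python
"""Toy syscall-window behavioral model (added example, not EFC's own code).

Demonstrates (1) learning a model from training traces, (2) enforcing it
on new traces, and (3) why an untrained error-handling path is
indistinguishable from an anomaly to the model alone, so the choice of
enforcement policy and training coverage matters.
"""

WINDOW = 3  # syscall window length; a constructed choice for this example

# Constructed training traces covering only the program's normal paths.
TRAINING_TRACES = [
    ["open", "read", "read", "close", "write", "exit"],
    ["open", "read", "close", "write", "exit"],
    ["open", "read", "read", "read", "close", "write", "exit"],
]

# Constructed trace of the same program when open() fails: the error
# handler opens a log file and writes a message, a path never trained.
ERROR_PATH_TRACE = ["open", "open", "write", "close", "exit"]

# Constructed trace containing syscalls this program never makes.
ANOMALOUS_TRACE = ["open", "read", "execve", "dup2", "socket"]


def windows(trace, n=WINDOW):
    """Yield every length-n window of consecutive syscalls in a trace."""
    for i in range(len(trace) - n + 1):
        yield tuple(trace[i:i + n])


def build_model(traces, n=WINDOW):
    """Learn the behavioral model: the set of all windows seen in training."""
    model = set()
    for trace in traces:
        model.update(windows(trace, n))
    return model


def check_trace(trace, model, n=WINDOW):
    """Return the windows of `trace` absent from `model` (empty = conforms)."""
    return [w for w in windows(trace, n) if w not in model]


def enforce(trace, model, policy="kill", n=WINDOW):
    """Apply an enforcement policy to a trace.

    'kill'  : terminate on any unseen window (the behaviour described for EFC).
    'alert' : record the deviation but let the program continue, which avoids
              killing a program for executing a legitimate but rare path.
    Returns one of "allow", "kill", "alert".
    """
    unseen = check_trace(trace, model, n)
    if not unseen:
        return "allow"
    return "kill" if policy == "kill" else "alert"


if __name__ == "__main__":
    model = build_model(TRAINING_TRACES)
    print("model windows:", len(model))
    # Normal path conforms; the error path does not, and neither does the
    # anomalous trace: the model alone cannot tell the two apart.
    for name, trace in [("normal", TRAINING_TRACES[1]),
                        ("error path", ERROR_PATH_TRACE),
                        ("anomalous", ANOMALOUS_TRACE)]:
        print(f"{name:10s} unseen={len(check_trace(trace, model))} "
              f"kill-policy={enforce(trace, model)} "
              f"alert-policy={enforce(trace, model, policy='alert')}")
    # Mitigation: training must exercise exceptional paths too. Once the
    # error-handler trace is included, it is allowed while the anomalous
    # trace is still rejected.
    model_with_errors = build_model(TRAINING_TRACES + [ERROR_PATH_TRACE])
    print("after retraining: error path ->",
          enforce(ERROR_PATH_TRACE, model_with_errors),
          "| anomalous ->", enforce(ANOMALOUS_TRACE, model_with_errors))
```

The practical takeaways for anyone evaluating a tool of this kind: run it in an alert-only mode while building confidence in the model, and make sure the training phase drives the program through its error and exception handlers (fault injection, failing resources), since a window-set model gives an untrained error path exactly the same score as a genuine deviation.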
