Re: [Full-Disclosure] EFC Released

From: Balwinder Singh (balwinder_at_gmx.net)
Date: 03/05/04

  • Next message: petard: "Re: [Full-Disclosure] Re: Multiple issues with Mac OS X AFP client"
    To: full-disclosure@lists.netsys.com
    Date: Fri, 05 Mar 2004 12:52:20 +0530
    
    

    > Seems very interesting, but how does it affect performance/stability of the system/kernel?

    EFC was quite stable when testing was made on hack us box(around 8
    months back). But this is a major rewrite of original code, hence more
    testing needs to be done.
    As efc is going to add one more layer performance will suffer,
    benchmarking will reveal exact performance loss, which is yet to be
    done.

    EFC Components
    --------------
    1. Generate and enforce behavior model of a program.
    2. Hook with pam lib to let kernel know when each authentication takes
    place. Supposed to be useful for sshd,ftpd like programs.
    3. Define some critical calls with which must require authentication
    from kernel. eg open(/etc/shadow) request by program other than sshd.
    4. Define general rule set which might help performance gain. Also might
    help in case where behavior model will miss particular call, such as
    exception/error handling which might occur occasionally.

    As we are far away from a perfect model (and I don't see it happening
    unless govt enforces), there will always be some false positives. You
    can edit behavior model by hand and add entries in general rules to keep
    false positives at minimum.

    regards

    bal

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: petard: "Re: [Full-Disclosure] Re: Multiple issues with Mac OS X AFP client"