Open Source and information security mailing list archives
From: adam.lydick at (Adam Lydick)
Subject: Application level firewall

I don't understand why anyone would bother checking application
checksums for access control. In fact, I'm not sure why anyone would
bother running an "application firewall" at all. Ponder this: as long as
debug privs aren't blocked between processes with the same uid by the
application "firewall" you can just attach to an approved process and
hijack its flow of control (that should be true of both linux and

I believe it is a bad idea to rely on such tools to protect your system.
They are easy to work around (and this fact is documented, see my
comment above and the list archives). I think a better solution (as a
start) is to use software from authors that you trust. An even better
(more technical) solution is the various forms of sandboxing -- either
userland with managed code or in kernelspace with tools such as

Trying to audit natively executing code on the fly sounds like a battle
you are going to lose. Maybe a clever developer could do something like
valgrind and jit x86-x86 and intercept syscalls (this could allow for a
somewhat slow systrace implementation in userland).

(Take with a grain of salt, I haven't tested any software such as ZA and
its brethren lately, so they might be doing some more magic that plugs
those holes -- but it seems likely that they cannot fix all of them
without patching a great deal of the OS)

Just my standard complaints. Cheers.

Adam Lydick

On Sat, 2003-10-18 at 08:19, Andriy Bilous wrote:
> Some personal firewalls on windows are using checksums for every application
> trying to access network device. Yesterday I've upgraded mirc and have got a
> warning about this. iptables, unfortunately, doesn't provide such a
> functionality out of the box. Luckily, it has an open API and extends well
> over the kernel modules facility. What you speak about has a different name
> - "content filtering"
> Andriy Bilous 
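
Added example, not part of the original message: a defender-side audit of the same-uid debug-attach exposure the post describes, reporting which "approved" processes another process of the same user could attach to. It assumes a present-day Linux host with the Yama `kernel.yama.ptrace_scope` sysctl (a mechanism the post does not mention); the process names, pids and `/proc/<pid>/status` excerpts are constructed, and the model ignores the dumpable flag and PR_SET_PTRACER exceptions.

```python
# Added example: simplified model of Linux ptrace attach rules (same-uid check
# plus the Yama ptrace_scope sysctl). Sample data is constructed.
from pathlib import Path

YAMA = Path("/proc/sys/kernel/yama/ptrace_scope")

# Constructed /proc/<pid>/status excerpts (hypothetical processes).
SAMPLES = [
    "Name:\tbrowser\nPid:\t100\nPPid:\t1\nUid:\t1000\t1000\t1000\t1000\n",
    "Name:\tuntrusted\nPid:\t200\nPPid:\t1\nUid:\t1000\t1000\t1000\t1000\n",
    "Name:\tmailer\nPid:\t201\nPPid:\t200\nUid:\t1000\t1000\t1000\t1000\n",
    "Name:\tsshd\nPid:\t50\nPPid:\t1\nUid:\t0\t0\t0\t0\n",
]

def parse_status(text):
    """Extract name, pid, parent pid and real uid from status text."""
    f = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {"name": f["Name"].strip(), "pid": int(f["Pid"]),
            "ppid": int(f["PPid"]), "uid": int(f["Uid"].split()[0])}

def is_descendant(procs, child_pid, ancestor_pid):
    """Walk the PPid chain upward from child_pid looking for ancestor_pid."""
    seen, pid = set(), child_pid
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid]["ppid"]
        if pid == ancestor_pid:
            return True
    return False

def attachable(procs, tracer_pid, target_pid, scope):
    """True if tracer may attach to target without CAP_SYS_PTRACE."""
    if scope >= 2 or procs[tracer_pid]["uid"] != procs[target_pid]["uid"]:
        return False            # 2 = admin-only, 3 = attach disabled
    if scope == 1:              # restricted: only descendants of the tracer
        return is_descendant(procs, target_pid, tracer_pid)
    return True                 # 0 = classic rule: any same-uid process

def exposed_targets(procs, tracer_pid, approved, scope):
    """Names of approved processes the tracer could attach to."""
    return sorted(p["name"] for pid, p in procs.items()
                  if pid != tracer_pid and p["name"] in approved
                  and attachable(procs, tracer_pid, pid, scope))

def current_scope():
    """Live sysctl value, or 0 (classic rules) when Yama is absent."""
    try:
        return int(YAMA.read_text())
    except (OSError, ValueError):
        return 0

PROCS = {p["pid"]: p for p in map(parse_status, SAMPLES)}
```

With the constructed table, `exposed_targets(PROCS, 200, {"browser", "mailer"}, current_scope())` shows what a per-application allow-list leaves reachable from the unapproved process under the host's current setting.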

