lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 18 Nov 2016 09:56:52 +0100
From:   jmfriedt <jmfriedt@...to-st.fr>
To:     linux-kernel@...r.kernel.org
Subject: why is the sys_close symbol exported ?

Following the various rootkit and system call redirection developments, the current
way of identifying the location of the system call table seems to be brute force scanning 
the memory for the location of one of the system calls. This is only possible from a module
if the symbol is exported: I see that only one system call symbol is still exported, that
is sys_close. Removing this symbol export would hinder one of the ways of finding the 
systam call table: I have not been able to find the reason for exporting this particular
symbol (while sys_open for example is not exported). Can anyone justify why that is ?

Thank you, Jean-Michel

-- 
JM Friedt, FEMTO-ST Time & Frequency/SENSeOR, 26 rue de l'Epitaphe, 25000 Besancon, France

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ