lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4F506EE2.1050705@zytor.com>
Date:	Thu, 01 Mar 2012 22:55:30 -0800
From:	"H. Peter Anvin" <hpa@...or.com>
To:	Indan Zupancic <indan@....nu>
CC:	Will Drewry <wad@...omium.org>, linux-kernel@...r.kernel.org,
	linux-arch@...r.kernel.org, linux-doc@...r.kernel.org,
	kernel-hardening@...ts.openwall.com, netdev@...r.kernel.org,
	x86@...nel.org, arnd@...db.de, davem@...emloft.net,
	mingo@...hat.com, oleg@...hat.com, peterz@...radead.org,
	rdunlap@...otime.net, mcgrathr@...omium.org, tglx@...utronix.de,
	luto@....edu, eparis@...hat.com, serge.hallyn@...onical.com,
	djm@...drot.org, scarybeasts@...il.com, pmoore@...hat.com,
	akpm@...ux-foundation.org, corbet@....net, eric.dumazet@...il.com,
	markus@...omium.org, coreyb@...ux.vnet.ibm.com,
	keescook@...omium.org
Subject: Re: [PATCH v12 06/13] seccomp: add system call filtering using BPF

On 03/01/2012 10:43 PM, Indan Zupancic wrote:
> On Fri, March 2, 2012 06:52, H. Peter Anvin wrote:
>> On 03/01/2012 09:45 PM, Indan Zupancic wrote:
>>>
>>>> + * @nr: the system call number
>>>> + * @arch: indicates system call convention as an AUDIT_ARCH_* value
>>>> + *        as defined in <linux/audit.h>.
>>>> + * @instruction_pointer: at the time of the system call.
>>>
>>> If the vDSO is used this will always be the same, so what good is this?
>>> I haven't gotten an answer to this yet.
>>>
>>
>> And if it isn't, or you're on an architecture which doesn't use the vdso
>> as the launching point, it's not.
> 
> True, but then what?
> 

Ok, fail on my part - I misread the above to refer to @arch, not
@instruction_pointer.

>> -- Pin is a great example.
> Is that http://www.pintool.org/?
> 
> Can you explain how knowing the IP is useful for Pin?
> 
> All I am asking for is just one use case for providing the IP. Is that
> asking for too much?

However, it still applies.  For something like Pin, Pin may want to trap
on all or a subset from the instrumented program, while the
instrumentation code -- which lives in the same address space -- needs
to execute those same instructions.

Yes, it's useless for *security* (unless perhaps if you keep very strict
tabs on the flow of control by using debug registers, dynamic
translation or whatnot), but it can be highly useful for
*instrumentation*, where you want to analyze the behavior of a
non-malicious program.

	-hpa

-- 
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel.  I don't speak on their behalf.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ