> I have developed an application, which I believe can provide 100% security
> against various attacks. I can hear people laughing. Hmm.. The application
> is called Execution Flow Control (EFC). Details of the software can be
> found at http://203.197.88.14/efc

This sounds somewhat similar to our SubDomain <http://immunix.org/subdomain.html> product, which profiles applications in terms of what files they may access. It sounds very similar to the approach taken by Systrace <http://www.citi.umich.edu/u/provos/systrace/>, Okena <http://newsroom.cisco.com/dlls/corp_012403.html> and Entercept <http://www.entercept.com/>, which, like EFC, profile applications in terms of which system calls they may invoke.
At least Systrace also allows you to profile the arguments presented to syscalls, so you can fake SubDomain's file access control paradigm. This is important, because "touch /etc/pointless" is rather different from "touch /etc/hosts.allow". It is unclear from the EFC documents if EFC supports argument profiling.
The advantages of syscall access control:
* more expressive: if you know that application Foo has no business calling e.g. mkdir, then you can catch exploits that try to leverage that kind of thing.
The advantages of SubDomain:
* It is easier to generate a file access profile for an application than a syscall profile. Instead, SubDomain just has a long list of prohibited/dangerous syscalls for confined applications, letting the admin think about important stuff (which files to grant access to) and ignore less important stuff (who cares if *this* app calls getpid?).
* Syscall mediation is prone to race conditions inside the kernel if it is implemented using syscall interposition.
Crispin
-- Crispin Cowan, Ph.D. http://immunix.com/~crispin/ Chief Scientist, Immunix http://immunix.com http://www.immunix.com/shop/
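An added example, not code from this thread or from SubDomain, Systrace or EFC: a small user-space model in C of the two profiling styles discussed above and of the race that syscall interposition is prone to. The syscall numbers, the deny-list of sensitive paths and the "user memory" pointer are all hypothetical stand-ins for kernel state. `policy_allows` shows why a syscall-only profile cannot tell `open("/etc/pointless")` from `open("/etc/hosts.allow")` without argument profiling, while still catching a forbidden `mkdir` outright. `run_racy` fetches the path argument from user memory once to check it and again to use it, which is what a naive interposer does; an attacker thread flipping the pointer between the two fetches gets a denied path past the check. `run_copy_once` copies the argument into kernel-owned memory first and checks and uses that copy, so the attacker's later changes cannot matter.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define KPATH_MAX 64

/* Hypothetical syscall numbers for this model (not real Linux numbers). */
enum { M_SYS_OPEN = 1, M_SYS_MKDIR = 2, M_SYS_GETPID = 3 };

/* Syscall-level profile (EFC/Systrace style): may this confined app invoke
 * the call at all?  mkdir is not in the profile, so any attempt is caught
 * regardless of its arguments. */
static bool syscall_allowed(int nr)
{
    return nr == M_SYS_OPEN || nr == M_SYS_GETPID;
}

/* Argument-level profile (SubDomain style, or Systrace matching arguments).
 * Hypothetical deny-list for the demo; a real profile is an allow-list. */
static bool path_allowed(const char *path)
{
    static const char *const denied[] = {
        "/etc/hosts.allow", "/etc/hosts.deny", "/etc/shadow"
    };
    for (size_t i = 0; i < sizeof denied / sizeof denied[0]; i++)
        if (strcmp(path, denied[i]) == 0)
            return false;
    return true;
}

/* Combined decision.  Without the path check, "touch /etc/pointless" and
 * "touch /etc/hosts.allow" are the same open() and both would pass. */
bool policy_allows(int nr, const char *path)
{
    if (!syscall_allowed(nr))
        return false;
    return path == NULL || path_allowed(path);
}

/* Model of the argument living in user memory: a pointer that the attacker
 * thread keeps flipping between an innocuous name and a sensitive one. */
static const char *const SAFE = "/etc/pointless";
static const char *const SENSITIVE = "/etc/hosts.allow";
static _Atomic(const char *) user_path;
static atomic_bool attacker_run;

static void *attacker(void *arg)
{
    (void)arg;
    while (atomic_load(&attacker_run)) {
        atomic_store(&user_path, SAFE);
        atomic_store(&user_path, SENSITIVE);
    }
    return NULL;
}

/* Racy mediator: check one fetch of the argument, use a second fetch.
 * Returns how many times a denied path was used after the check passed. */
unsigned long run_racy(unsigned long iters)
{
    unsigned long breaches = 0;
    for (unsigned long i = 0; i < iters; i++) {
        const char *checked = atomic_load(&user_path);   /* time of check */
        if (!policy_allows(M_SYS_OPEN, checked))
            continue;                                    /* denied, no call */
        const char *used = atomic_load(&user_path);      /* time of use */
        if (!path_allowed(used))
            breaches++;                                  /* attacker won */
    }
    return breaches;
}

/* Fixed mediator: copy the argument into kernel-owned memory once, then check
 * and use that copy.  The bytes checked are exactly the bytes used. */
unsigned long run_copy_once(unsigned long iters)
{
    unsigned long breaches = 0;
    for (unsigned long i = 0; i < iters; i++) {
        char kbuf[KPATH_MAX];
        snprintf(kbuf, sizeof kbuf, "%s", atomic_load(&user_path));
        if (!policy_allows(M_SYS_OPEN, kbuf))
            continue;
        if (!path_allowed(kbuf))
            breaches++;                                  /* cannot happen */
    }
    return breaches;
}

/* Runs both mediators while the attacker thread flips the argument. */
void race_demo(unsigned long iters, unsigned long *racy, unsigned long *fixed)
{
    pthread_t t;
    atomic_store(&user_path, SAFE);
    atomic_store(&attacker_run, true);
    pthread_create(&t, NULL, attacker, NULL);
    *racy = run_racy(iters);
    *fixed = run_copy_once(iters);
    atomic_store(&attacker_run, false);
    pthread_join(t, NULL);
}

int main(void)
{
    unsigned long racy, fixed;
    race_demo(2000000UL, &racy, &fixed);
    printf("racy interposer: %lu denied opens slipped through\n", racy);
    printf("copy-once:       %lu denied opens slipped through\n", fixed);
    printf("mkdir for this app: %s\n",
           policy_allows(M_SYS_MKDIR, "/tmp/x") ? "allowed" : "denied");
    return 0;
}
```

The racy count depends on scheduling (on a single core it may stay at zero for a while), which is exactly the problem: the window exists whether or not a given run hits it. The copy-once count is zero by construction. The same copy-then-check discipline applies to anything the interposer inspects in user memory, including the buffer that a path pointer points at, which an interposer that only snapshots the pointer still gets wrong.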