Yes, I understand the points you provide.

> but a royal pain to sandbox malicious code

My idea is to get some assistance from the kernel on it (possible with a source patch or kernel module), but I would like to implement a POC [proof-of-concept] myself before showing it to the community.

Let me return to the original question (injection of code/data). LD_PRELOAD is quite a brilliant way, but will not work on statically-linked code. However, it may be enough for a POC.

03.01.2017, 22:40, "valdis.kletnieks@xxxxxx" <valdis.kletnieks@xxxxxx>:
> On Tue, 03 Jan 2017 22:24:11 +0300, Sayutin Dmitry said:
>
>> (If you want to know motivation for this -- I want to implement some new idea on sandboxing).
>
> There's pretty much nothing you can do inside the process to do sandboxing
> against code that doesn't want to be sandboxed. In other words, it's
> easy to sandbox possibly buggy code, but a royal pain to sandbox malicious
> code.
>
> Hint: You can lead a horse to code, but you can't force it to call it.
>
> For instance, using LD_PRELOAD is a good way to front-end calls to glibc
> code - but it doesn't do squat against malware that issues its own syscalls
> inline to avoid your front end.

Sayutin Dmitry <cdkrot@xxxxxxxxxx>

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
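The two points made in this exchange, that LD_PRELOAD can front-end glibc calls and that code issuing its own syscalls walks straight past such a front end, are concrete enough to show in code. The following is an added example written for this page; it is not code from the thread or from either poster. It assumes Linux with glibc, a toy allow-list rooted at a constructed path /tmp/sandbox/, and it forwards allowed calls to the kernel with syscall(SYS_openat) rather than dlsym(RTLD_NEXT) so the file builds without -ldl. The function shim_is_bypassed() is a hypothetical helper added only to make the limitation observable: it asks the interposed open() to open a path the policy refuses, then reaches the kernel directly for the same path.

```c
/* Added example (not from the mailing-list thread): an LD_PRELOAD
 * front end for open(2) with an allow-list policy, plus a check that
 * demonstrates why such a shim only constrains cooperative code.
 * Assumes Linux/glibc.
 *
 * Build as a preload shim: gcc -shared -fPIC -o shim.so ldpreload_demo.c
 * Use it:                  LD_PRELOAD=./shim.so ./some_program
 * Build the stand-alone demo: gcc -o demo ldpreload_demo.c && ./demo
 */
#define _GNU_SOURCE
#undef _FORTIFY_SOURCE   /* fortify's inline open() wrapper would clash with ours */
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Toy policy root (constructed value for the example). */
#define SANDBOX_ROOT "/tmp/sandbox/"

/* Allow only absolute paths below SANDBOX_ROOT, with a naive "/../" check.
 * Returns 1 when the path is permitted, 0 otherwise. */
int path_allowed(const char *path)
{
    return path != NULL &&
           strncmp(path, SANDBOX_ROOT, strlen(SANDBOX_ROOT)) == 0 &&
           strstr(path, "/../") == NULL;
}

/* Interposed open(): when this object is LD_PRELOADed, dynamic symbol
 * resolution picks this definition ahead of glibc's for every caller
 * that goes through the PLT. */
int open(const char *path, int flags, ...)
{
    mode_t mode = 0;
    int needs_mode = (flags & O_CREAT) != 0;
#ifdef O_TMPFILE
    needs_mode |= (flags & O_TMPFILE) == O_TMPFILE;
#endif
    if (needs_mode) {
        va_list ap;
        va_start(ap, flags);
        mode = (mode_t)va_arg(ap, int);
        va_end(ap);
    }
    if (!path_allowed(path)) {
        fprintf(stderr, "shim: denied open(\"%s\")\n", path ? path : "(null)");
        errno = EACCES;
        return -1;
    }
    /* Forward the permitted call to the kernel. */
    return (int)syscall(SYS_openat, AT_FDCWD, path, flags, mode);
}

/* The same request issued as a raw syscall: libc, and therefore the
 * shim, never sees it. This is what the quoted reply warns about. */
int direct_syscall_open(const char *path, int flags)
{
    return (int)syscall(SYS_openat, AT_FDCWD, path, flags, 0);
}

/* Returns 1 when the raw syscall opens a path the shim refuses, i.e. the
 * shim is not a boundary for code that does not call through libc. */
int shim_is_bypassed(const char *path)
{
    if (open(path, O_RDONLY) != -1)
        return 0;                       /* policy allowed it; nothing to show */
    int fd = direct_syscall_open(path, O_RDONLY);
    if (fd < 0)
        return 0;                       /* the kernel refused as well */
    close(fd);
    return 1;
}

int main(void)
{
    int fd = open("/dev/null", O_RDONLY);
    printf("via libc open(): fd=%d (%s)\n", fd,
           fd < 0 ? strerror(errno) : "allowed by shim");
    if (fd >= 0)
        close(fd);

    printf("raw syscall bypasses the shim for /dev/null: %s\n",
           shim_is_bypassed("/dev/null") ? "yes" : "no");
    return 0;
}
```

Run stand-alone, the first line reports the shim's EACCES and the second reports "yes": the process-internal front end decides nothing for a caller that skips it. That is the reason for the kernel-side assistance mentioned earlier in the message; a policy enforced by the kernel (the thread's own suggestion of a patch or module) sees the syscall regardless of which user-space path issued it.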