Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <4F506EE2.1050705@zytor.com>
Date: Thu, 01 Mar 2012 22:55:30 -0800
From: "H. Peter Anvin" <hpa@...or.com>
To: Indan Zupancic <indan@....nu>
CC: Will Drewry <wad@...omium.org>, linux-kernel@...r.kernel.org,
        linux-arch@...r.kernel.org, linux-doc@...r.kernel.org,
        kernel-hardening@...ts.openwall.com, netdev@...r.kernel.org,
        x86@...nel.org, arnd@...db.de, davem@...emloft.net, mingo@...hat.com,
        oleg@...hat.com, peterz@...radead.org, rdunlap@...otime.net,
        mcgrathr@...omium.org, tglx@...utronix.de, luto@....edu,
        eparis@...hat.com, serge.hallyn@...onical.com, djm@...drot.org,
        scarybeasts@...il.com, pmoore@...hat.com, akpm@...ux-foundation.org,
        corbet@....net, eric.dumazet@...il.com, markus@...omium.org,
        coreyb@...ux.vnet.ibm.com, keescook@...omium.org
Subject: Re: [PATCH v12 06/13] seccomp: add system call filtering using BPF

On 03/01/2012 10:43 PM, Indan Zupancic wrote:
> On Fri, March 2, 2012 06:52, H. Peter Anvin wrote:
>> On 03/01/2012 09:45 PM, Indan Zupancic wrote:
>>>
>>>> + * @nr: the system call number
>>>> + * @arch: indicates system call convention as an AUDIT_ARCH_* value
>>>> + *        as defined in <linux/audit.h>.
>>>> + * @instruction_pointer: at the time of the system call.
>>>
>>> If the vDSO is used this will always be the same, so what good is this?
>>> I haven't gotten an answer to this yet.
>>>
>>
>> And if it isn't, or you're on an architecture which doesn't use the vdso
>> as the launching point, it's not.
> 
> True, but then what?
> 

Ok, fail on my part - I misread the above to refer to @arch, not
@instruction_pointer.

>> -- Pin is a great example.
> Is that http://www.pintool.org/?
> 
> Can you explain how knowing the IP is useful for Pin?
> 
> All I am asking for is just one use case for providing the IP. Is that
> asking for too much?

However, it still applies.  For something like Pin, Pin may want to trap
on all or a subset from the instrumented program, while the
instrumentation code -- which lives in the same address space -- needs
to execute those same instructions.

Yes, it's useless for *security* (unless perhaps if you keep very strict
tabs on the flow of control by using debug registers, dynamic
translation or whatnot), but it can be highly useful for
*instrumentation*, where you want to analyze the behavior of a
non-malicious program.

	-hpa

-- 
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel.  I don't speak on their behalf.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.