Re: St. Jude model?

I looked into it a while ago; at the time, I was using 2.4, and it
hadn't yet been ported (and I didn't have the time to do it).  The paper
certainly was interesting, though.  Cylant ran a contest a while back,
with a commercial product that sounded very similar to the St. Jude
model (plus a few extras thrown in).  Basically, they had a completely
unpatched redhat 6.2 box, running every possible service, and w/ their
proprietary kernel module installed.

It eventually got cracked; the Cylant kernel module would watch for
irregular/unauthorized execs by privileged processes, and kill the
process.  There is, however, a delay between the initial exec, and
the module's reaction to that exec.  Someone managed, in that delay,
to load another kernel module that rerouted Cylant's reaction.  Due
to the parallels between St. Jude, I'd always wondered if the same
attack could be applied to the St. Jude model.  Unfortunately, I
never had time to follow up on it. :(

(Note: this is from memory.  Cylant doesn't seem to exist anymore,
or changed names, or something; search google for cylantsecure, and
you'll only get stuff that can be accessed via google's caching.
Likewise, it's been a loooong time since I read the St. Jude paper,
so my description/comparison to Cylant's product might be off.)

Overall, it seems like an excellent idea, but I haven't seen any
decent papers describing potential attacks/breaking down the security
of the model, other than the original publication.   If you know
of any, let me know.. :)

On Mon, Sep 24, 2001 at 01:12:28AM -0400, Brian P. Flaherty wrote:
> Hello,
> Is anyone here familiar with something called the St. Jude model of
> root exploit detection (see http://sourceforge.net/projects/stjude)?
> There is a paper explaining the idea on the website, as well as a
> linux kernel module.  It sounds like a good idea, but has anyone here
> used it?
> Brian Flaherty
> -- 
"Any OS is only as good as its admin, and you obviously suck."
	-- Ian Gulliver, http://orbz.org/mail/mansunix.txt

