I have seen many articles on LWN about allowing for dynamically loadable Linux security modules (LSM), but it is impossible to find concrete information on how it can be done. The LSM hooks (I don't know if this is the right term) aren't exported in the kernel anymore, but their addresses can be retrieved with kallsyms_lookup_name and then assigned to function declarations.
There are some mentions of LSM hooks not being unloadable, but is this true? What does it even mean? If a Linux loadable kernel module registers some hooks, is it unable to unregister them later? Why is this case? Is there a workaround or a way to force them to unload?
Do dynamically loadable LSMs have to be written differently than built-in LSMs? Or do both use the same conventions and interfaces?
It's technically possible to hotpatch the kernel to add hooks to anything. https://stackoverflow.com/a/6742086/2079814
Another possibility is to leverage kpatch to inject an LSM.
Neither of these options would be considered best practice, but should work in theory. I haven't seen the latter method (kpatch) done before.
Related
EDIT: through another question on the forum, I learned that DeviceIoControl can be async, so question 4 is now just question 2
The extensive Windows driver documentation says little, that I've found, about how a client user-mode app can communicate directly to a specific device. I understand that normally such operations are managed by the Win32 api, but in the case of specific devices or (what I'm interested in) software drivers, I don't know many ways in which it can be done
The docs say that one can use CreateFile, ReadFile, WriteFile etc. to "open" the driver as a "file" and then r/w from/to it, maybe asynchronously if you want. That sounds good but it feels like that can't be the best option for everything, nor is it the only option. DeviceIoControl can have specific control codes and you can command a driver like that, but I can't see any async capabilities in the docs there.
In the driver docs, it's clear a driver must write its callbacks routines for dispatch calls which are sent to it, but I don't understand where these dispatch calls come from, or how a user-mode client might interact with that directly.
Using Valorant's Vanguard as an example software driver, I highly doubt it just r/w'd from a "file" in operation - it seems too abstract to be fast, or not specific enough for a complex system, as all you can do in fileapi.h is read, and write, without any real parametrisation - right?
My questions are:
Must a software driver write routines for all dispatch calls that the docs recommend even though they have nothing to do with hardware?
Are there other techniques than the R/W file api and the DeviceIoControl function to communicate with a specific (software) driver?
Are there efficient, "lean and mean" solutions, when our software driver is entirely custom to the targeted user app, as Vanguard was?
(ignore) Are the async R/W file operations the only way to get this done in a multi-threaded async manner, where the client submits many possibly overlapping calls, or can DeviceIoControl leverage threading and asynchronicity?
To answer your questions
No. Not all dispatch calls needs to be implemented for a software driver. I think only CREATE/CLOSE/DEVICE CONTROL needs to be implemented. You dont even need to implement unload but then you will not be able to unload the driver, which is required for testing. If there are any other required dispatch methods, you can simply return not implemented from those implementation.
Yes. You can use named pipe between driver and application as another way to communicate.
Not sure how much more lean can you get than just implementing the minimum dispatch methods.
You can use multiple threads and synchronous operations OR you can use single thread and asynchronous operation. Depends on what model is best for you.
Would it be technically possible to build a general purpose XSLT transform service (using the Saxon XSLT engine) delivered as an Amazon AWS Lambda function? How would you go about implementing it? Would there be a way to avoid initialising the Java VM each time the lambda function was called?
This is more of a brain-storming question. I am unlikely to attempt to implement it.
How would licensing work? There is no way for the developer to know on how many machines Saxon XSLT is installed. Probably, that is something that has to be negotiated with the vendor?
I can't see any intrinsic reason why it shouldn't work, but I have no idea about the implementation details.
Since Amazon support Java as the implementation language, one assumes they have a mechanism to avoid JVM initialization costs.
There's a distinction between having a Lambda that supports one particular defined transformation, and having one that executes an arbitrary user-defined stylesheet. I'm not sure that providing a service to execute untrusted code is ever a particularly good idea even if it's heavily sandboxed in terms of resource access.
As regards licensing, our general approach in Saxonica is that we try to ensure that licensing doesn't get in the way of doing something that makes technical sense. If there's value in doing it, we'll find a way of sharing the value that works for all parties.
If this is about executing one predefined stylesheet, as a spin-off from the Saxon-JS development we already have mechanisms that allow a developer to acquire a license that can be redistributed with the compiled stylesheet, meaning essentially that if you acquire the right kind of development license, the run-time is free.
Suppose that I have a Java program that uses JRuby to allow the user to use Ruby scripting to control the behaviour of some funny character in a window.
Users can share their Ruby code with the community, so others can execute the snippets on their own copy of the program and see the funny character do stuff.
I have a security concern with this, though, as users may contribute malicious Ruby code to the community.
The obvious precaution is that users shouldn't run the snippets of untrusted users. However, due to the nature of the community, the point is to check out the creations of strangers.
So, it has occurred to me that maybe I can restrict the capabilities of JRuby.
There may be other things, but some of the restrictions off of my head would be:
Do not allow any sort of networking.
No access to the filesystem.
Do not permit system DOS calls.
Can't require/import ruby code/gems/etc.
Can't create new processes etc.
Is there a reasonable way to restrict JRuby functionality?
I have thought of, perhaps, redefining several constants that are required for that sort of operations. For instance,
File = nil
But I am unsure of what constants to nullify exactly, and whether this is effective at all.
since your requirements are concrete you would likely need to implement those restrictions yourself ... some pointers :
rubygems can be disable within JRuby - assuming it's fine for you to boot that way, otherwise chaing load/require is a good option
same for system and similar calls that create a new process
instead of doing File = nil early on you might end up needing to review File/IO methods one by one
undefine Java constant and java methods to disallow smart cheating with Java APIs
I saw some anti-virus software notice me that some other process was trying to modify my registry entry and ask me whether to allow it. How can this anti-virus software hang that process up and stop if from modifying my registry until I make a decision? I fail to find any API that could do such things, which is crucial for my project.
Thanks,
Feng
Consider properly securing your applications registry keys using RegSetKeySecurity (MSDN).
Alternately, you could also construct a registry filter kernel mode driver. Such a driver can utilize the CmRegisterCallback/Ex() service to filter registry events. This is a big job (tm), but is the only documented/supported method to accomplish this that I am aware of.
This is done with games too. They hijack function calls which render objects in a 3D scene, they then tell the game engine to render all characters on top of every other object, which results in a wallhack.
An API you could use for this (not anymore since anti-cheat software blocks it now) is the detours API. You can still use it for your own purposes ofcourse.
There's alot of information about this API on the web.
http://research.microsoft.com/en-us/projects/detours/
The antivirus is most likely hooking the registry functions so it's own code gets called first before passing the requests to the real functions.
Note that doing this in anything but a few very specific circumstances can be suspicious behaviour.
I guess you could have a look at RegNotifyChangeKeyValue, but I think a antivirus won't use this approach. This does not block changes made to the registry, but could be used to get notified when a key is modified.
I'm working on a program that read arp cache from machine. I'm using Cocoa. There's a library called libdnet (libdnet.sourceforge.net) which has arp reading function. But I don't know how to write a code to use that function. Please help.
You'll need to know C and apply that knowledge to call the library's functions. See this question for links to C-learning resources.
Objective-C is a superset of C, so you'll be able to integrate the C code to call those functions into your Objective-C methods just fine once you know both languages.