Explaining the need for a C compiler - to a security group
Mike Wallis
mike at dubdubdub.co.uk
Sat Oct 27 11:13:48 CEST 2007
The counter argument i've heard is this:
"but they'd need to compile a module for the specific kernel/OS they
were attacking"
But with vmware, it's not exactly a lot of effort to have VMs for each
of the major OSes you're wanting to work with compile remotely and
then copy the compromised kernel module to the new host.
-- mike
On 26 Oct 2007, at 17:36, Ivan Voras wrote:
> Cryer,Phil wrote:
>
>> "The days when you could prevent people from running non-approved
>> programs by removing the C compiler from your system ended roughly
>> with
>> the VAX 11/780 computer."
>
>> My reply is, if an attacker is on the box and can compile code, you
>> already have more problems to worry about. What other arguments
>> could I
>> use?
>
> Some of the (trivial, probably) arguments that come to my mind:
>
> - the attacker can bring his own C compiler to the box
> - the attacker can use perl, php, ruby, sh and other interpreters for
> almost everything he can use C for (the big exception is probably
> kernel
> code).
>
> <ivoras.vcf>_______________________________________________
> varnish-misc mailing list
> varnish-misc at projects.linpro.no
> http://projects.linpro.no/mailman/listinfo/varnish-misc
More information about the varnish-misc
mailing list