I looked into it a while ago; at the time, I was using 2.4, and it hadn't yet been ported (and I didn't have the time to do it). The paper certainly was interesting, though. Cylant ran a contest a while back, with a commercial product that sounded very similar to the St. Jude model (plus a few extras thrown in). Basically, they had a completely unpatched redhat 6.2 box, running every possible service, and w/ their proprietary kernel module installed.
It eventually got cracked; the Cylant kernel module would watch for irregular/unauthorized execs by privileged processes, and kill the process. There is, however, a delay between the initial exec and the module's reaction to that exec. Someone managed, in that delay, to load another kernel module that rerouted Cylant's reaction. Due to the parallels between St. Jude, I'd always wondered if the same attack could be applied to the St. Jude model. Unfortunately, I never had time to follow up on it. :( (Note: this is from memory. Cylant doesn't seem to exist anymore, or changed names, or something; search google for cylantsecure, and you'll only get stuff that can be accessed via google's caching. Likewise, it's been a loooong time since I read the St. Jude paper, so my description/comparison to Cylant's product might be off.) Overall, it seems like an excellent idea, but I haven't seen any decent papers describing potential attacks/breaking down the security of the model, other than the original publication. If you know of any, let me know.. :)

On Mon, Sep 24, 2001 at 01:12:28AM -0400, Brian P. Flaherty wrote:
>
> Hello,
>
> Is anyone here familiar with something called the St. Jude model of
> root exploit detection (see http://sourceforge.net/projects/stjude)?
> There is a paper explaining the idea on the website, as well as a
> linux kernel module. It sounds like a good idea, but has anyone here
> used it?
>
> Brian Flaherty
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>

--
"Any OS is only as good as its admin, and you obviously suck."
-- Ian Gulliver, http://orbz.org/mail/mansunix.txt

