> Seems very interesting, but how does it affect performance/stability of the
> system/kernel?

EFC was quite stable when testing was done on hack us box (around 8 months back). But this is a major rewrite of the original code, hence more testing needs to be done. As EFC is going to add one more layer, performance will suffer; benchmarking will reveal the exact performance loss, which is yet to be done.

EFC Components
--------------
1. Generate and enforce behavior model of a program.
2. Hook with pam lib to let kernel know when each authentication takes place. Supposed to be useful for sshd, ftpd like programs.
3. Define some critical calls which must require authentication from kernel, e.g. open(/etc/shadow) request by program other than sshd.
4. Define general rule set which might help performance gain. Also might help in case where behavior model will miss a particular call, such as exception/error handling which might occur occasionally.

As we are far away from a perfect model (and I don't see it happening unless govt enforces), there will always be some false positives. You can edit the behavior model by hand and add entries in general rules to keep false positives at a minimum.

regards
bal

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
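
How the four components listed above could combine into one allow/deny decision, as an added example that is not part of the original message and is not EFC's code. The rule layout, the order of the checks, the sample policy entries and the names efc_check, model, crit and general are all assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

enum verdict { EFC_ALLOW, EFC_DENY };

/* prog == NULL matches any program; path == NULL matches any argument. */
struct rule { const char *prog, *call, *path; };
/* A critical call needs prior authentication unless made by `exempt`. */
struct critical { const char *call, *path, *exempt; };

/* Constructed sample policy, not taken from EFC. */
static const struct rule model[] = {            /* component 1 */
    { "sshd", "open", "/etc/shadow" },
    { "ftpd", "open", "/etc/passwd" },
    { "ftpd", "open", "/etc/shadow" },
};
static const struct critical crit[] = {         /* component 3 */
    { "open", "/etc/shadow", "sshd" },
};
static const struct rule general[] = {          /* component 4 */
    { NULL, "write", "/dev/log" },   /* occasional error-path logging */
};

static int same(const char *want, const char *got)
{
    return want == NULL || (got != NULL && strcmp(want, got) == 0);
}

static int in_rules(const struct rule *r, size_t n,
                    const char *prog, const char *call, const char *path)
{
    for (size_t i = 0; i < n; i++)
        if (same(r[i].prog, prog) && same(r[i].call, call) && same(r[i].path, path))
            return 1;
    return 0;
}

/* authenticated: nonzero once the PAM hook (component 2) has reported a
 * successful authentication for this process. */
enum verdict efc_check(const char *prog, const char *call,
                       const char *path, int authenticated)
{
    for (size_t i = 0; i < sizeof crit / sizeof crit[0]; i++)
        if (same(crit[i].call, call) && same(crit[i].path, path) &&
            strcmp(crit[i].exempt, prog) != 0 && !authenticated)
            return EFC_DENY;
    if (in_rules(model, sizeof model / sizeof model[0], prog, call, path) ||
        in_rules(general, sizeof general / sizeof general[0], prog, call, path))
        return EFC_ALLOW;
    return EFC_DENY;   /* outside the model: blocked, possibly a false positive */
}
```

A call denied by the last line is the kind of false positive the message mentions; adding an entry to the model or general table is the hand edit that clears it.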
