>> I agree that you can design a user-land scheme that's a lot better than
>> a simple file, but there are enough tools available for grovelling through
>> a user-level daemon's memory that I would prefer to have something better.
>> Again, it's not 100%, but it's all a matter of degree.
>
>One tool name: DTrace.
>
>Ok, two: kmdb.
>
>Well, let's make it three and stop there: Xen.
>
>Sorry, I don't buy this line of argument.

I guess I don't follow you (and isn't Xen a virtual machine? How does that
apply?).

I did say "matter of degree". Sure, you can look through the whole kernel,
and tools exist to do that today; but it's a harder task than looking
through one process. (I don't seem to have kmdb or DTrace on any Solaris
systems here; I don't know if they cost extra, but if an attacker would
need those tools, they'd be out of luck here, assuming they didn't get a
license from someone else).

Anyway, I guess we're not going to agree on this one.

--Ken
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
