The counter argument I've heard is this: "but they'd need to compile a module for the specific kernel/OS they were attacking"
But with VMware, it's not exactly a lot of effort to have VMs for each of the major OSes you're wanting to work with compile remotely and then copy the compromised kernel module to the new host.

-- mike

On 26 Oct 2007, at 17:36, Ivan Voras wrote:

> Cryer,Phil wrote:
>
>> "The days when you could prevent people from running non-approved
>> programs by removing the C compiler from your system ended roughly with
>> the VAX 11/780 computer."
>
>> My reply is, if an attacker is on the box and can compile code, you
>> already have more problems to worry about. What other arguments could I
>> use?
>
> Some of the (trivial, probably) arguments that come to my mind:
>
> - the attacker can bring his own C compiler to the box
> - the attacker can use perl, php, ruby, sh and other interpreters for
>   almost everything he can use C for (the big exception is probably kernel
>   code).

_______________________________________________
varnish-misc mailing list
[email protected]
http://projects.linpro.no/mailman/listinfo/varnish-misc
