From owner-freebsd-hackers@FreeBSD.ORG Thu Feb 21 17:11:50 2008
Return-Path:
Delivered-To: freebsd-hackers@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3DE4316A401 for ; Thu, 21 Feb 2008 17:11:50 +0000 (UTC) (envelope-from olli@lurza.secnetix.de)
Received: from lurza.secnetix.de (unknown [IPv6:2a01:170:102f::2]) by mx1.freebsd.org (Postfix) with ESMTP id A4B3313C45B for ; Thu, 21 Feb 2008 17:11:49 +0000 (UTC) (envelope-from olli@lurza.secnetix.de)
Received: from lurza.secnetix.de (localhost [127.0.0.1]) by lurza.secnetix.de (8.14.1/8.14.1) with ESMTP id m1LHBZx5061945; Thu, 21 Feb 2008 18:11:40 +0100 (CET) (envelope-from oliver.fromme@secnetix.de)
Received: (from olli@localhost) by lurza.secnetix.de (8.14.1/8.14.1/Submit) id m1LHBZ3b061944; Thu, 21 Feb 2008 18:11:35 +0100 (CET) (envelope-from olli)
Date: Thu, 21 Feb 2008 18:11:35 +0100 (CET)
Message-Id: <200802211711.m1LHBZ3b061944@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-hackers@FreeBSD.ORG, des@des.no, edelkind-freebsd-hackers@episec.com
In-Reply-To: <86hcg25kk5.fsf@ds4.des.no>
X-Newsgroups: list.freebsd-hackers
User-Agent: tin/1.8.3-20070201 ("Scotasay") (UNIX) (FreeBSD/6.2-STABLE-20070808 (i386))
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.1.2 (lurza.secnetix.de [127.0.0.1]); Thu, 21 Feb 2008 18:11:41 +0100 (CET)
Cc:
Subject: Re: encrypted executables
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 21 Feb 2008 17:11:50 -0000

Dag-Erling Smørgrav wrote:
> ari edelkind writes:
> > Keep in mind that ptrace(PT_ATTACH,...) will fail if a process is
> > already being traced. As for core files, a process can use
> > setrlimit(RLIMIT_CORE,...) to disable core dumps, and individual memory
> > pages may be encrypted or unloaded, to be decrypted or loaded on
> > demand.
>
> The person running the application can trivially replace ktrace(),
> ptrace() and setrlimit() with non-functional stubs using LD_PRELOAD.

Right. And for a static binary (which doesn't respect LD_PRELOAD), it's
fairly trivial to patch the syscalls so they're a no-op when called from
the binary.

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht München,
HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd

In my experience the term "transparent proxy" is an oxymoron (like jumbo
shrimp). "Transparent" proxies seem to vary from the distortions of a
funhouse mirror to barely translucent. I really, really dislike them when
trying to figure out the corrective lenses needed with each of them.
        -- R. Kevin Oberman, Network Engineer