Is it time to drop seccomp?
Eric S. Raymond
esr at thyrsus.com
Thu Feb 14 05:00:03 UTC 2019
Hal Murray <hmurray at megapathdsl.net>:
> I like the strace idea. Why don't you collect some data, write the code to
> process it, and compare the results with our code? It would be interesting to
> see how many unused slots we have.
Because that would be silly. At best I could exercise only a tiny random sample
of the potential execution paths. Any sense of security we got from this
would be false.
On the other hand, static-compiling the binary and enumerating its trap calls
would give correct results for all possible execution paths. This page
http://projects.cerias.purdue.edu/forensics/old_projects/reverse/analysis.html
describes a technique that shout be applicable.
--
<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>
My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.
More information about the devel
mailing list