Is it time to drop seccomp?

Eric S. Raymond esr at thyrsus.com
Thu Feb 14 05:00:03 UTC 2019


Hal Murray <hmurray at megapathdsl.net>:
> I like the strace idea.  Why don't you collect some data, write the code to 
> process it, and compare the results with our code?  It would be interesting to 
> see how many unused slots we have.

Because that would be silly. At best I could exercise only a tiny random sample
of the potential execution paths.  Any sense of security we got from this
would be false.

On the other hand, static-compiling the binary and enumerating its trap calls
would give correct results for all possible execution paths.  This page

http://projects.cerias.purdue.edu/forensics/old_projects/reverse/analysis.html

describes a technique that should be applicable.
-- 
		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>

My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.
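An added example, not part of this thread or of the NTPsec code, that puts the two approaches discussed above side by side: Hal's strace idea (parse a trace and see which allowlisted syscalls were never hit, and which needed ones are missing) and the static alternative (scan `objdump -d` output of a static binary for the `mov $N,%eax; syscall` idiom and collect every number that appears, whichever path runs). The strace excerpt, the disassembly excerpt, `ALLOWLIST` and the partial syscall-number table are all constructed for the example; the allowlist is deliberately wrong in both directions.

```python
import re
from typing import Dict, Set, Tuple

# Partial Linux x86-64 syscall-number table; only what the samples below need.
X86_64_SYSCALLS: Dict[int, str] = {
    0: "read", 1: "write", 3: "close", 9: "mmap", 12: "brk", 16: "ioctl",
    41: "socket", 44: "sendto", 45: "recvfrom", 59: "execve",
    228: "clock_gettime", 231: "exit_group", 257: "openat",
}

# Hypothetical allowlist under review: lacks clock_gettime, carries unused ioctl/mmap.
ALLOWLIST: Set[str] = {"read", "write", "close", "openat", "brk", "socket",
                       "sendto", "recvfrom", "exit_group", "execve", "ioctl", "mmap"}

# Constructed `strace -f` excerpt (not a real capture), with a split call, a second
# thread, a signal marker and the exit marker.
STRACE_SAMPLE = """\
1234  execve("/usr/sbin/ntpd", ["ntpd", "-n"], 0x7ffd2c4e1a40 /* 12 vars */) = 0
1234  brk(NULL)                         = 0x55d4a7c2a000
1234  openat(AT_FDCWD, "/etc/ntp.conf", O_RDONLY) = 3
1234  read(3, "server 0.pool.ntp.org", 4096) = 21
1234  close(3)                          = 0
1234  socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP) = 4
1234  sendto(4, "#", 48, 0, {sa_family=AF_INET, sin_port=htons(123)}, 16) = 48
1234  recvfrom(4,  <unfinished ...>
1235  clock_gettime(CLOCK_REALTIME, {tv_sec=1550120403, tv_nsec=0}) = 0
1234  <... recvfrom resumed>"$", 48, 0, {sa_family=AF_INET}, [16]) = 48
1234  --- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
1234  +++ exited with 0 +++
"""

# Constructed `objdump -d` excerpt of a static x86-64 binary (not real output). The
# last function takes the number from a register, which this scan cannot resolve.
OBJDUMP_SAMPLE = """\
0000000000401000 <__libc_read>:
  401000:\t31 c0                \txor    %eax,%eax
  401002:\t0f 05                \tsyscall
  401004:\tc3                   \tret
0000000000401010 <__libc_write>:
  401010:\tb8 01 00 00 00       \tmov    $0x1,%eax
  401015:\t0f 05                \tsyscall
0000000000401020 <__libc_openat>:
  401020:\tb8 01 01 00 00       \tmov    $0x101,%eax
  401025:\t0f 05                \tsyscall
0000000000401030 <_exit>:
  401030:\tb8 e7 00 00 00       \tmov    $0xe7,%eax
  401035:\t0f 05                \tsyscall
0000000000401040 <__syscall>:
  401040:\t89 f8                \tmov    %edi,%eax
  401042:\t0f 05                \tsyscall
"""

STRACE_CALL = re.compile(r"^(?:\d+\s+)?([a-z_][a-z0-9_]*)\(")
STRACE_RESUMED = re.compile(r"<\.\.\. ([a-z_][a-z0-9_]*) resumed>")
ASM_LABEL = re.compile(r"^[0-9a-f]+ <[^>]+>:")
ASM_MOV_IMM_EAX = re.compile(r"\bmov\s+\$0x([0-9a-f]+),%eax")
ASM_ZERO_EAX = re.compile(r"\bxor\s+%eax,%eax")
ASM_WRITES_EAX = re.compile(r",%eax\s*$")
ASM_SYSCALL = re.compile(r"\bsyscall\b")


def syscalls_from_strace(trace: str) -> Set[str]:
    """Syscall names observed in strace output; covers only the paths exercised."""
    seen: Set[str] = set()
    for line in trace.splitlines():
        m = STRACE_RESUMED.search(line) or STRACE_CALL.match(line)
        if m:  # exit (+++) and signal (---) markers match neither pattern
            seen.add(m.group(1))
    return seen


def syscalls_from_objdump(disasm: str) -> Tuple[Set[int], int]:
    """Syscall numbers reachable in the disassembly, whatever path executes.
    Resolves `mov $N,%eax` / `xor %eax,%eax` before `syscall` within a function;
    returns (numbers, count of syscall sites whose number was not a constant)."""
    numbers: Set[int] = set()
    unresolved = 0
    eax = None  # last known constant in %eax, or None
    for line in disasm.splitlines():
        imm = ASM_MOV_IMM_EAX.search(line)
        if ASM_LABEL.match(line):
            eax = None  # do not carry state across function boundaries
        elif imm:
            eax = int(imm.group(1), 16)
        elif ASM_ZERO_EAX.search(line):
            eax = 0
        elif ASM_WRITES_EAX.search(line):
            eax = None  # %eax overwritten by a value this scan cannot resolve
        elif ASM_SYSCALL.search(line):
            if eax is None:
                unresolved += 1
            else:
                numbers.add(eax)
    return numbers, unresolved


def audit(allowlist: Set[str], trace: str, disasm: str) -> Dict[str, object]:
    """Unused slots (allowlisted, never needed) and missing entries (needed, not
    allowlisted: the filter would kill the process) under each method."""
    dynamic = syscalls_from_strace(trace)
    numbers, unresolved = syscalls_from_objdump(disasm)
    static = {X86_64_SYSCALLS.get(n, f"syscall_{n}") for n in numbers}
    return {
        "dynamic": dynamic, "static": static, "unresolved_sites": unresolved,
        "unused_vs_dynamic": allowlist - dynamic, "missing_vs_dynamic": dynamic - allowlist,
        "unused_vs_static": allowlist - static, "missing_vs_static": static - allowlist,
    }
```

Calling audit(ALLOWLIST, STRACE_SAMPLE, OBJDUMP_SAMPLE) reports clock_gettime as missing from the allowlist (the filter would kill the thread that calls it) and ioctl/mmap as slots neither method ever needed. The static scan also counts one syscall site whose number arrives in a register rather than as an immediate; a generic syscall(2) wrapper looks exactly like that, so a real audit has to resolve such sites by hand or treat them as "any syscall", which is the caveat on the static approach.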



