by thedance 2309 days ago
What's the threat model being addressed here? If someone is trying to act maliciously there must be a thousand ways around calling exec (for example just mapping a program and jumping to its main function accomplishes the same thing).
4 comments

We're trying to raise structured behavioral information about what is happening in a session to the cluster administrator.

That means we don't just provide information about what's executing, but also what files are being opened and TCP connections being established. Other avenues of expansion you may see this feature venture into: how were files changed, support for other protocols, support for other events (bind, listen, accept).

However, we are not claiming this approach is not subvertable, but we do want to raise the bar for attackers and make it easier for cluster administrators to understand what is happening within their system.

This product is more for compliance (like PCI-DSS) than it is for “real” security.
> for example just mapping a program and jumping to its main function accomplishes the same thing

Without a syscall? Perhaps to open()..

Those two are functionally equivalent but they aren't really the same level of difficulty, are they?
Here's how you'd exec:

  #include <unistd.h>
  execv("/path/to/binary", (char *[]){"binary", NULL});
And here's a way to do that without exec:

  #include <dlfcn.h>   /* link with -ldl on glibc older than 2.34 */
  (((int (*)(int, char **))dlsym(dlopen("/path/to/binary", RTLD_LAZY), "main")))(1, (char *[]){"binary", NULL});
A bit uglier, but not all that much harder.
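As an added example (not code from the thread), here is the dlopen()/dlsym() one-liner above written out as a complete loader with its failure modes made explicit rather than hidden behind the casts. It assumes Linux with glibc or musl, linking with -ldl on glibc older than 2.34, and a target that is a PIE whose main is in the dynamic symbol table (built with -rdynamic or -Wl,--export-dynamic); the run_main_without_exec() name and the load_result enum are mine.

```c
/*
 * Added example, not from the thread: run a program by mapping it with
 * dlopen() and calling its main(), never touching execve().
 *
 * Assumptions: Linux, glibc or musl; on glibc < 2.34 link with -ldl.
 */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int (*main_fn)(int, char **);

enum load_result {
    RUN_OK = 0,         /* main() ran; its return value is in *main_rc */
    LOAD_FAILED = 1,    /* dlopen() rejected the file; dlerror() says why */
    NO_MAIN_SYMBOL = 2  /* file mapped, but "main" is not in .dynsym */
};

static const char *last_dl_error(void)
{
    const char *e = dlerror();
    return e ? e : "unknown dl error";
}

/*
 * Map `path` into this process and call its main() with a one-element argv.
 * The kernel never sees an execve() for the target; it only sees the
 * open()/mmap() calls the dynamic loader makes on our behalf.
 */
enum load_result run_main_without_exec(const char *path, const char *argv0,
                                       int *main_rc)
{
    /* RTLD_NOW fails early if the target has unresolved imports. */
    void *handle = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (!handle) {
        /* A non-PIE (ET_EXEC) binary has never been loadable this way, and
         * glibc 2.30 and newer also refuses a PIE carrying the DF_1_PIE flag
         * ("cannot dynamically load position-independent executable"). */
        fprintf(stderr, "dlopen(%s): %s\n", path, last_dl_error());
        return LOAD_FAILED;
    }

    /* The trick only works if main is exported; most binaries do not
     * export it, so an attacker without -rdynamic targets would have to
     * parse the ELF headers and find the entry point themselves. */
    dlerror(); /* clear stale error state before dlsym() */
    main_fn target_main = (main_fn)dlsym(handle, "main");
    if (!target_main) {
        fprintf(stderr, "dlsym(main): %s\n", last_dl_error());
        dlclose(handle);
        return NO_MAIN_SYMBOL;
    }

    /* argv must be a writable, NULL-terminated array; main() may edit it. */
    char *argv0_copy = strdup(argv0);
    char *argv[] = { argv0_copy, NULL };
    int rc = target_main(1, argv);
    if (main_rc)
        *main_rc = rc;

    free(argv0_copy);
    dlclose(handle);
    return RUN_OK;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s /path/to/pie-binary\n", argv[0]);
        return 2;
    }
    int rc = 0;
    if (run_main_without_exec(argv[1], argv[1], &rc) != RUN_OK)
        return 1;
    printf("target main() returned %d\n", rc);
    return rc;
}
```

Build with `cc -o loader loader.c -ldl` and point it at a test target built with `gcc -pie -rdynamic`; on glibc 2.30 or newer the dlopen() step is refused for executables flagged DF_1_PIE and the loader reports that instead of running anything. Whichever branch is taken, `strace -f -e trace=openat,mmap ./loader /path/to/pie-binary` shows the open/mmap trail the later replies describe, which is the point for anyone auditing a session: the exec event is gone, but the file reads are not.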
> dlopen

Doesn't that just end up calling open() and mmap()? Might not have access to the args passed through at that point, but that's going to leave a trail and of course anything interesting the mapped program does will end up going through syscalls (opening other "files").

Trying to get stuff into your memory that wasn't there before is going to require at least one syscall.
Though it should be noted that's not quite the same thing as execve. Execve does a lot of things in addition to running the main function (privilege transitions like setuid being just one example).
Of course; in addition to kernel setup this will also skip over initializers in the binary and other things that the C runtime does before main. Needless to say, this is mostly only useful as a fun side effect of PIE executables.