I don't understand why anyone would bother checking application checksums for access control. In fact, I'm not sure why anyone would bother running an "application firewall" at all. Ponder this: as long as debug privs aren't blocked between processes with the same uid by the application "firewall", you can just attach to an approved process and hijack its flow of control (that should be true of both Linux and win32).

I believe it is a bad idea to rely on such tools to protect your system. They are easy to work around (and this fact is documented, see my comment above and the list archives).

I think a better solution (as a start) is to use software from authors that you trust. An even better (more technical) solution is the various forms of sandboxing -- either userland with managed code or in kernelspace with tools such as systrace. Trying to audit natively executing code on the fly sounds like a battle you are going to lose. Maybe a clever developer could do something like valgrind and jit x86-x86 and intercept syscalls (this could allow for a somewhat slow systrace implementation in userland).

(Take with a grain of salt, I haven't tested any software such as ZA and its brethren lately, so they might be doing some more magic that plugs those holes -- but it seems likely that they cannot fix all of them without patching a great deal of the OS)

Just my standard complaints.

Cheers.

-- Adam Lydick

On Sat, 2003-10-18 at 08:19, Andriy Bilous wrote:
> Some personal firewalls on Windows are using checksums for every application
> trying to access a network device. Yesterday I upgraded mirc and got a
> warning about this. iptables, unfortunately, doesn't provide such
> functionality out of the box. Luckily, it has an open API and extends well
> over the kernel modules facility. What you speak about has a different name
> - "content filtering"
>
> Andriy Bilous

<trim>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html