> >Would it be possible to extend the db interface to have a "suicide call"
> >that wiped itself clean?  Something that would not interfere with normal
> >db functions, but instead act as an extension?
> 
> It shouldn't be necessary if you protect the core dump, ptrace, kmem, etc
> paths of attacks.  What happens if you core dump in the library or before
> you can call the "cleanup" routine?

You have a smaller window of (potential) risk.  I would assume that the
core dump is protected regardless.  Then it becomes a matter of what 
happens when something you do not anticipate happens, and an exploit
is devised.

(I know, I know, I should think more positively)  :-)

... JG