Subject: Re: oooh! neat new toy!!!
To: Perry E. Metzger <perry@wasabisystems.com>
From: Steven M. Bellovin <smb@research.att.com>
List: tech-security
Date: 05/31/2002 17:41:02
In message <87vg94dmq8.fsf@snark.piermont.com>, "Perry E. Metzger" writes:
>
>"Steven M. Bellovin" <smb@research.att.com> writes:
>> In message <87y9e0jnwe.fsf@snark.piermont.com>, "Perry E. Metzger" writes:
>> >This looks way too cool. I want it!
>> >
>> >http://www.citi.umich.edu/u/provos/systrace/
>> 
>> This is very reminiscent of Stephanie Forrest's work on "immune 
>> systems" for intrusion detection.  See http://www.cs.unm.edu/~forrest/
>> for her papers.
>
>It is also very much in the spirit of POSIX ACLs, only I think it has
>a lot better potential.
>

Yes and no.  I'm very concerned about the false positive rate -- 
programs do all sorts of different things, depending on minor 
environmental changes.  For example, suppose you use nmh and you've 
tweaked /usr/pkg/etc/nmh/mts.conf to add some smtp servers.  Most of 
the time, you'll use the first one in the list -- but if it's down or 
unreachable, you'll use the next one.  For that matter, resolving a 
host name depends heavily on the structure of the DNS and on the 
current cache characteristics.  I'm sure the rule base can handle all of
those things; I'm also sure that getting the right ruleset for a given 
program is going to take a lot more work than you think.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com ("Firewalls" book)
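As an added illustration of the false-positive concern Steve raises above (this is constructed example code, not part of the thread and not systrace's own implementation): a toy policy learner and evaluator, modelled loosely on the `syscall: arg eq "value" then permit` style of systrace rules, learns a policy from a run in which the first SMTP server answered, and then denies the connection to the fallback server in a later run. The syscall names, addresses and the simplified `inet-ADDR:PORT` argument format are assumptions made for this example.

```python
import fnmatch

# Constructed trace of a mail client run where the first server listed in
# mts.conf is reachable: (syscall, argument) pairs as a policy tool sees them.
RUN_PRIMARY_OK = [
    ("native-fsread", "/usr/pkg/etc/nmh/mts.conf"),
    ("native-connect", "inet-192.0.2.10:25"),
]

# Same client when the first server is down: it still attempts the first
# server (the connect call is made), then falls back to the second one.
RUN_FALLBACK = [
    ("native-fsread", "/usr/pkg/etc/nmh/mts.conf"),
    ("native-connect", "inet-192.0.2.10:25"),
    ("native-connect", "inet-192.0.2.11:25"),
]


def learn_policy(trace):
    """Build exact-match ('eq') permit rules from one observed run."""
    rules = []
    for syscall, arg in trace:
        rule = (syscall, "eq", arg)
        if rule not in rules:
            rules.append(rule)
    return rules


def evaluate(policy, syscall, arg):
    """First matching rule wins; anything not covered by a rule is denied."""
    for rule_syscall, op, pattern in policy:
        if rule_syscall != syscall:
            continue
        if op == "eq" and arg == pattern:
            return "permit"
        if op == "match" and fnmatch.fnmatchcase(arg, pattern):
            return "permit"
    return "deny"


def false_positives(policy, trace):
    """Calls of a legitimate run that the policy would deny."""
    return [(s, a) for s, a in trace if evaluate(policy, s, a) == "deny"]


def generalise(policy, syscall, pattern):
    """Replace the eq rules for one syscall with a single match rule that
    covers the whole configured server set (here a shell-style pattern)."""
    return [r for r in policy if r[0] != syscall] + [(syscall, "match", pattern)]


if __name__ == "__main__":
    learned = learn_policy(RUN_PRIMARY_OK)
    print("denied in fallback run:", false_positives(learned, RUN_FALLBACK))
    widened = generalise(learned, "native-connect", "inet-192.0.2.1[01]:25")
    print("denied after widening:", false_positives(widened, RUN_FALLBACK))
```

The widened rule still denies a connect to any address outside the configured set, so the fix is to encode the configuration that drives the variation, not to loosen the rule to "any connect".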