From owner-freebsd-hackers@FreeBSD.ORG  Thu Feb 21 16:41:18 2008
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 4255416A400
	for <freebsd-hackers@freebsd.org>; Thu, 21 Feb 2008 16:41:18 +0000 (UTC)
	(envelope-from des@des.no)
Received: from tim.des.no (tim.des.no [194.63.250.121])
	by mx1.freebsd.org (Postfix) with ESMTP id F249813C447
	for <freebsd-hackers@freebsd.org>; Thu, 21 Feb 2008 16:41:17 +0000 (UTC)
	(envelope-from des@des.no)
Received: from tim.des.no (localhost [127.0.0.1])
	by spam.des.no (Postfix) with ESMTP id A8DF02087;
	Thu, 21 Feb 2008 17:41:14 +0100 (CET)
X-Spam-Tests: AWL
X-Spam-Learn: disabled
X-Spam-Score: -0.3/3.0
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on tim.des.no
Received: from ds4.des.no (des.no [80.203.243.180])
	by smtp.des.no (Postfix) with ESMTP id 9A4C42085;
	Thu, 21 Feb 2008 17:41:14 +0100 (CET)
Received: by ds4.des.no (Postfix, from userid 1001)
	id 6AA318448A; Thu, 21 Feb 2008 17:41:14 +0100 (CET)
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To: ari edelkind <edelkind-freebsd-hackers@episec.com>
References: <86068e730802181718s1ad50d3axeae0dde119ddcf92@mail.gmail.com>
	<47BA3334.4040707@andric.com>
	<86068e730802181954t52e4e05ay65e04c5f6de9b78a@mail.gmail.com>
	<20080219040912.GA14809@kobe.laptop>
	<f8e3d83f0802200451r463f188bn881268b9b2768846@mail.gmail.com>
	<47BCD34F.7010309@freebsd.org> <20080221023902.GI79355@episec.com>
Date: Thu, 21 Feb 2008 17:41:14 +0100
In-Reply-To: <20080221023902.GI79355@episec.com> (ari edelkind's message of
	"Wed\, 20 Feb 2008 21\:39\:03 -0500")
Message-ID: <86hcg25kk5.fsf@ds4.des.no>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.1 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-hackers@freebsd.org
Subject: Re: encrypted executables
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2008 16:41:18 -0000

ari edelkind <edelkind-freebsd-hackers@episec.com> writes:
> Keep in mind that ptrace(PT_ATTACH,...) will fail if a process is
> already being traced.  As for core files, a process can use
> setrlimit(RLIMIT_CORE,...) to disable core dumps, and individual memory
> pages may be encrypted or unloaded, to be decrypted or loaded on
> demand.

The person running the application can trivially replace ktrace(),
ptrace() and setrlimit() with non-functional stubs using LD_PRELOAD.

Ensuring that LD_PRELOAD is invisible to the application is left as an
exercise to the reader.

DES
--=20
Dag-Erling Sm=C3=B8rgrav - des@des.no