Layering an IDS on Linux - prepwork

Steve G linux_4ever at
Sun Aug 5 15:12:38 UTC 2007

>abort() is the traditional way to abort a program when an assertion
>fails (developers might need the core file in that case),

Which is ok in the debug case. For a production webserver it's a different story.

>and SIGABRT terminations are very unlikely to be caused by buffer overflows and
>similar attacks.

Turns out that is the way that glibc stops programs when FORTIFY_SOURCE sees a
runtime error.  :)  So, it could signal a real attack.

>Changing all software to use some other mechanism to report assertion
>failure is completely impractical (even the POSIX standard requires
>assert() to call abort() on failures); besides, what alternative
>mechanism is available?

I think assert is only valid when NDEBUG is defined. So, there is a way for it to
be used for debugging apps which is legit. And it magically disappears when
compiled for production use.

I've only seen a handful of programs that seem to be calling abort(). So, it's not
a rampant problem.
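
Added illustration, not part of the original message or of any Fedora code: a small supervisor that runs a worker in a child process and tells a SIGABRT termination (the abort() path discussed above) apart from clean exits and other fatal signals, which is the distinction a host IDS would log. The verdict names and sample workers are hypothetical.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical verdicts a monitor could hand to an IDS. */
enum verdict { V_CLEAN_EXIT, V_ERROR_EXIT, V_SIGABRT, V_OTHER_SIGNAL, V_MONITOR_ERROR };

/* Constructed sample workers standing in for monitored programs. */
static void worker_ok(void)    { _exit(0); }
static void worker_abort(void) { abort(); }        /* path taken by a failed assert() */
static void worker_segv(void)  { raise(SIGSEGV); } /* a different fatal signal */

/* Run worker in a child process and classify how it terminated. */
enum verdict run_and_classify(void (*worker)(void))
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return V_MONITOR_ERROR;
    if (pid == 0) {
        struct rlimit no_core = { 0, 0 };
        setrlimit(RLIMIT_CORE, &no_core); /* no core files from the demo */
        worker();
        _exit(0);
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return V_MONITOR_ERROR;
    if (WIFEXITED(status))
        return WEXITSTATUS(status) == 0 ? V_CLEAN_EXIT : V_ERROR_EXIT;
    if (WIFSIGNALED(status))
        return WTERMSIG(status) == SIGABRT ? V_SIGABRT : V_OTHER_SIGNAL;
    return V_MONITOR_ERROR;
}

int main(void)
{
    static const char *names[] = { "clean exit", "error exit", "SIGABRT", "other signal", "monitor error" };
    printf("ok:    %s\n", names[run_and_classify(worker_ok)]);
    printf("abort: %s\n", names[run_and_classify(worker_abort)]);
    printf("segv:  %s\n", names[run_and_classify(worker_segv)]);
    return 0;
}
```

A SIGABRT verdict alone does not say whether the cause was an assertion or a runtime check, so a monitor would record it for correlation rather than treat it as proof of an attack.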



More information about the fedora-devel-list mailing list