Layering an IDS on Linux - prepwork
Steve G
linux_4ever at yahoo.com
Sun Aug 5 15:12:38 UTC 2007
>abort() is the traditional way to abort a program when an assertion
>fails (developers might need the core file in that case),
Which is ok in the debug case. For a production webserver its a different story.
>and SIGABRT terminations are very unlikely to be caused by buffer overflows and
>similar attacks.
Turns out that is the way that glibc stops programs when FORTIFY_SOURCE sees a
runtime error. :) So, it could signal a real attack.
>Changing all software to use some other mechanism to report assertion
>failure is completely impractical (even the POSIX standard requires
>assert() to call abort() on failures); besides, what alternative
>mechanism is available?
I think assert is only valid when NDEBUG is defined. So, there is a way for it to
be used for debugging apps which is legit. And it magically disappears when
compiled for production use.
I've only seen a handful of programs that seem to be calling abort(). So, its not
a rampant problem.
Thanks,
-Steve
____________________________________________________________________________________Ready for the edge of your seat?
Check out tonight's top picks on Yahoo! TV.
http://tv.yahoo.com/
More information about the fedora-devel-list
mailing list