From: Oliver Welter
Date: Mon, 11 Jun 2007 09:25:00 -0000
To: Tavis Ormandy
CC: gdb@sourceware.org
Subject: Re: How to protect a file from debugging
Message-ID: <466D14D5.4020007@oliwel.de>
In-Reply-To: <20070611091627.GB8386@sdf.lonestar.org>

Hi Tavis

> The short answer is no, any tricks you attempt to use to prevent
> ptrace() can be defeated (some more easily than others), however if you
> explain what the "troubles" are there may be a better solution.

damn ;)

Ok, here is what I am planning: I have an application, let's say a simple text editor, that is used to read/write sensitive information. Now I start gdb, attach it to the process and call "gcore" which, to my understanding, dumps the entire memory of the process to a file. So the core dump reveals my secret data.

What I want to do is to either prevent gdb from attaching and capturing the memory, or at least find a way to recognize when a program attaches to another. I am a noob regarding the internal system structure, so I don't know exactly what gdb does to attach to a program, but I guess there is a syscall or similar that is used to pass the memory location to gdb, and if I block/supervise that, I might find a way around....

Oliver

--
Protect your environment - close windows and adopt a penguin!
PGP-Key: 3B2C 8095 A7DF 8BB5 2CFF 8168 CAB7 B0DD 3985 1721
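As an added example (not code from the thread), the two mechanisms Oliver is guessing at, written for Linux: gdb attaches with the ptrace(PTRACE_ATTACH) syscall, which the kernel exposes as the TracerPid field of /proc/<pid>/status, and a process can call prctl(PR_SET_DUMPABLE, 0) so that core dumps are refused and unprivileged users can no longer ptrace-attach. The /proc/self/status read assumes a Linux system with /proc mounted; the sample status text is constructed, and, as Tavis says, none of this stops root or a process holding CAP_SYS_PTRACE.

```c
/* Added example, not part of the original thread. Linux-only (prctl, /proc). */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>

/* Constructed sample of /proc/<pid>/status as seen while a debugger is attached. */
static const char SAMPLE_TRACED[] =
    "Name:\teditor\nState:\tt (tracing stop)\nTracerPid:\t4242\nUid:\t1000\n";

/* Parse the "TracerPid:" line of /proc/<pid>/status text.
   Returns the tracer's pid, 0 if nobody is attached, -1 if the field is absent. */
long tracer_pid_from_status(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    if (!p)
        return -1;
    /* strtol skips the tab that follows the colon. */
    return strtol(p + strlen("TracerPid:"), NULL, 10);
}

/* Read our own /proc/self/status and extract TracerPid (-1 if unreadable). */
long current_tracer_pid(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* Mark the process non-dumpable: the kernel then refuses to write a core file
   and denies ptrace attach from callers without CAP_SYS_PTRACE.
   Returns the resulting PR_GET_DUMPABLE value (0 on success) or -1 on error. */
int disable_dump_and_attach(void)
{
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

int main(void)
{
    printf("sample status -> TracerPid %ld\n", tracer_pid_from_status(SAMPLE_TRACED));
    long tp = current_tracer_pid();
    printf("this process -> TracerPid %ld (%s)\n", tp, tp > 0 ? "tracer attached" : "no tracer");
    if (disable_dump_and_attach() != 0) { perror("prctl"); return 1; }
    puts("process is now non-dumpable; gcore and unprivileged attach are refused");
    return 0;
}
```

Run it once normally and once under gdb to see TracerPid change; the TracerPid check is a snapshot and a debugger attached afterwards is not noticed unless the check is repeated.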