• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: Socket filtering
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Socket filtering

  • Subject: Re: Socket filtering
  • From: Eric Long <email@hidden>
  • Date: Thu, 27 Apr 2006 10:14:27 -0700
> If he's just monitoring data content, though, he should make a local
> copy for however big his buffer size is, and just let it through,
> unless he's trying to catch bad data before it gets in, and wants to
> check data spanning a buffer boundary, rather than just monitoring.
>
> But if the buffer that was swallowed doesn't itself contain the data
> you're trying to stop, then sending a partial buffer, and keeping a
> local copy in the kext for the spanning check, rather than swallowing
> it, is still an OK thing to do (assuming the data isn't malicious
> unless complete - and if it's malicious when incomplete, then the
> check should have matched already on the packet that was swallowed.

That's a bit broad of an assumption.  The previous packet might have just a
couple of bytes that match.  It's hard to say how much data is
quantitatively malicious if its sensitive data.  I can thwart a transaction
when I know I've matched a pattern I'm looking for, but if I don't hold
packets, a partial data transfer might actually be detrimental.

I'm scanning streams that other processes are conducting using an NKE socket
filter.  If I swallow a packet it is only intended to be temporary, until I
can either get more data and determine to reinsert it based on the new data
or arbitrarily set a timeout to reinsert it if no more data was received.
But if the socket closes and I don't get the data back into the stream
before that, the transaction ends up incomplete and its my fault.  I
swallowed the packet only because I found a partial match at the end of its
data holding out the possibility that more data was coming that might
demonstrate a true match.

If I knew there was no more data to come, I wouldn't want to hold the
packet.


Eric


 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
  • Follow-Ups:
    • Re: Socket filtering
      • From: Michael Smith <email@hidden>
    • Re: Socket filtering
      • From: "Justin C. Walker" <email@hidden>
References: 
 >Re: Socket filtering (From: Terry Lambert <email@hidden>)

  • Prev by Date: RE: Socket filtering
  • Next by Date: Re: Socket filtering
  • Previous by thread: Re: Socket filtering
  • Next by thread: Re: Socket filtering
  • Index(es):
    • Date
    • Thread