Re: Identifying thread/process termination
On 2020/11/16 05:43, Paul Moore wrote:
The most important thing to keep in mind is that all of the threads
inside a process share the same memory space. It is the lack of a
strong, enforceable boundary between threads which makes it difficult,
if not impossible, to view threads as individual entities from a
security perspective.
---
Depends on how much your security policy relies on recognizing
abnormal behavior. If a program splits function across well defined
areas by a named thread, one may develop a baseline of "normal"
functionality associated with given threads. Determining that
a thread is operating outside it's normal range can allow for a
earlier detection and better monitoring of "safe" and/or secure
operation.
How programs operate, especially in regards to what work is
normal for a given thread can only be done with thread level
monitoring. While given threads _can_ access global-user memory,
that involves how they are coded or programmed to run. That, in
turn, can be used to help define boundaries and integrity levels
of various processes in a system.
For example, even though a logging thread might gather data
from other threads, knowing that it can only write to output
to specific configured destinations would allow swift detection
of aberrations.