Input Validation: Malicious Input Detection Grate
Creating this issue as a discussion thread for the implementation of the malicious input detection grate. This grate interposes on the execve() syscall to prevent execution of Windows PE binaries by inspecting magic bytes at invocation time. The grate registers an execve() handler, copies the pathname argument from the calling cage into the grate’s address space, opens the file, reads the first two bytes, and checks for the MZ header. If a PE signature is detected, execution is blocked by returning -ENOEXEC; otherwise the syscall is allowed to proceed normally.
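The magic-byte check described in this issue, as an added standalone example that is not the project's grate code: it covers only the open/read/compare step and the -ENOEXEC verdict, including short files and unreadable paths. The names `check_exec_path` and `verdict_for_bytes` and the sample bytes are assumptions; handler registration and the cage-to-grate pathname copy are not shown.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper: -ENOEXEC if the file starts with "MZ", else 0. */
int check_exec_path(const char *path)
{
    unsigned char magic[2];
    size_t got = 0;
    /* O_NONBLOCK: do not stall the handler if the path names a FIFO. */
    int fd = open(path, O_RDONLY | O_CLOEXEC | O_NONBLOCK);
    if (fd < 0)
        return 0;           /* let the real execve() report ENOENT/EACCES */
    while (got < sizeof magic) {
        ssize_t n = read(fd, magic + got, sizeof magic - got);
        if (n < 0 && errno == EINTR)
            continue;       /* interrupted: retry */
        if (n <= 0)
            break;          /* EOF or error: fewer than two bytes available */
        got += (size_t)n;
    }
    close(fd);
    if (got == sizeof magic && magic[0] == 'M' && magic[1] == 'Z')
        return -ENOEXEC;    /* MZ header found: block execution */
    return 0;               /* anything else proceeds normally */
}

/* Writes constructed sample bytes to a temp file and returns the verdict
 * (1 means the sample file could not be set up). */
int verdict_for_bytes(const void *bytes, size_t len)
{
    char path[] = "/tmp/grate_sample_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return 1;
    int ok = write(fd, bytes, len) == (ssize_t)len;
    close(fd);
    int rc = ok ? check_exec_path(path) : 1;
    unlink(path);
    return rc;
}

int main(void)
{
    printf("MZ stub: %d\n", verdict_for_bytes("MZ\x90\x00", 4)); /* constructed */
    printf("ELF:     %d\n", verdict_for_bytes("\x7f" "ELF", 4)); /* constructed */
    printf("1 byte:  %d\n", verdict_for_bytes("M", 1));          /* short file */
    return 0;
}
```

Because the check opens the path itself, it inspects whatever the path resolves to at that moment, so a real handler has to account for the file being replaced between the check and the forwarded syscall.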