Generation information

UNM live named data

The named program from BIND 4.9.6 was traced on a UNM computer running a modified Linux 2.0.35 kernel which allows us to collect system call traces. These data were used in experiments reported in the Alternative Data Models paper.

Normal data were collected for one month (07/98). This produced a single daemon trace with approximately 9 million system calls, and 26 subprocess traces. All are included in a single gzipped file.

The exploit against the named program is a buffer overflow allowing a remote user to gain root access through a specially formulated DNS query.

CERT Advisory

We have two sample traces of successful intrusions. In the first, the user gains root access and then types "id"; in the second, the user gains root access but does nothing before exiting.

Use the Linux 4.2 mapping file for these traces.

