New Section: TODO for 09.05.23, and add more questions.
This commit is contained in:
parent
a1cd52a1cb
commit
61d800eacd
@ -20,4 +20,13 @@ Possible flow if it is clearly a user program:
|
||||
For either path this cannot be the final functionality. It is unclear what is and isn't feasible at this point.
|
||||
#### Open Questions:
|
||||
1. What is the main difference between a user space keylogger (operating as root) and a keyloger which initself is a kernel module? What are the essential differences, and is ti really feasible to implement a kernel module that detects malicious kernel activity? Would't we loose usefull abstractions like /dev/ipnut/event* etc. which make it easier to track where I/O goes?
|
||||
2.
|
||||
2. What datastructures would a kernel keylogger even use, if it is not storeing the info in user space ( a log file say). Furthermore, how would it send the info via network? How would we be able to uncover such a datastructure and make it available to a system admin.
|
||||
3. How would a kernel keylogger send smth over the network, without any user space component being able to see that (aka not even an admin)?
|
||||
4. What artifacts besides kernel logs does a kernel module produce. Are any visible in userspace?
|
||||
5. Would it be possible to expose kernel datastructures to userface without comprimising security?
|
||||
6. Maybe the app/module is only to be run once as a scan, then one removes the malicous software component, and then returns the OS to a safe state without leakage to user space...
|
||||
7. Do this questions assume the right underlying model of the linux kernel?
|
||||
...? more certainly ...
|
||||
#### TODOs:
|
||||
1. Install both keyloggers in a VM and see how their functionality works, and how we would detect them using system programs. This especially applies to the user space keylogger.
|
||||
2. Really need to figure out where the effect of kernel module would be seen. If its just logging to a logfile then it's basically as good as a user space program and a system admin could find it.
|
||||