cybersecurity · beginner · ~15 min

Decide whether an fd-target string is suspicious

Heuristic flag for suspicious fd targets.

Challenge

Symlinks under /proc/PID/fd/ resolve to strings like:

  • /usr/bin/cat — a regular file (normal)
  • socket:[12345] — a socket
  • pipe:[12345] — a pipe
  • anon_inode:[eventfd] — eventfd / timerfd / signalfd
  • /dev/null — the null device (normal)
  • /etc/shadow — a sensitive system file (suspicious!)
  • /proc/PID/mem — the memory of another process (suspicious!)

Implement int classify_fd_target(const char *target) returning:

  • 1 for /etc/shadow, or for any target that starts with /proc/ but does not start with /proc/self/ (inspecting another process through /proc is suspicious)
  • 0 for everything else.

Why this matters

/proc/PID/fd/ symlinks point at whatever the process has open — files, sockets, pipes, eventfds. A defender's tool flags any fd that resolves to a suspicious path.
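The collection side of such a tool, as an added example that is not part of the original exercise and does not implement classify_fd_target: it reads each symlink under /proc/self/fd and sorts the target into the kinds listed above, extracting the inode number from socket:[N] and pipe:[N]. The names fd_kind, fd_target_kind and count_own_fds are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Kinds of fd target from the list above; the names are this example's own. */
enum fd_kind { FD_PATH, FD_SOCKET, FD_PIPE, FD_ANON_INODE, FD_OTHER, FD_NKINDS };

/* Sort one readlink() result into a kind. For socket:[N] and pipe:[N]
 * the inode number N is stored in *inode (0 for every other kind). */
enum fd_kind fd_target_kind(const char *t, unsigned long *inode) {
    *inode = 0;
    if (t == NULL || t[0] == '\0') return FD_OTHER;
    if (t[0] == '/') return FD_PATH;              /* /usr/bin/cat, /dev/null */
    if (strncmp(t, "anon_inode:", 11) == 0) return FD_ANON_INODE;
    size_t n = strncmp(t, "socket:[", 8) == 0 ? 8 : strncmp(t, "pipe:[", 6) == 0 ? 6 : 0;
    char *end;
    if (n == 0 || t[n] < '0' || t[n] > '9') return FD_OTHER;
    unsigned long v = strtoul(t + n, &end, 10);
    if (strcmp(end, "]") != 0) return FD_OTHER;   /* unterminated or trailing junk */
    *inode = v;
    return n == 8 ? FD_SOCKET : FD_PIPE;
}

/* Read every symlink under /proc/self/fd and count targets per kind.
 * Returns the number of fds read, or -1 if the directory cannot be opened. */
int count_own_fds(int counts[FD_NKINDS]) {
    DIR *d = opendir("/proc/self/fd");
    if (d == NULL) return -1;
    int total = 0;
    for (struct dirent *e; (e = readdir(d)) != NULL; ) {
        char link[300], target[PATH_MAX];
        unsigned long ino;
        if (e->d_name[0] == '.') continue;        /* skip "." and ".." */
        snprintf(link, sizeof link, "/proc/self/fd/%s", e->d_name);
        ssize_t n = readlink(link, target, sizeof target - 1);
        if (n < 0) continue;                      /* entry vanished meanwhile */
        target[n] = '\0';                         /* readlink adds no NUL */
        counts[fd_target_kind(target, &ino)]++;
        total++;
    }
    closedir(d);
    return total;
}
```

A target that fd_target_kind reports as FD_PATH is the string a function like classify_fd_target would then inspect.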

Input format

Symlink target string.

Output format

0 or 1.

Constraints

String prefix logic.

Starter code

int classify_fd_target(const char *target) { /* TODO */ (void)target; return 0; }

Common mistakes

Flagging /proc/self/* (that's normal — process inspecting itself).

Edge cases to handle

Empty string; exactly '/proc' (no trailing slash).

Complexity

O(strlen).
