Re: [malware-list] TALPA - a threat model? well sorta.

From: Alan Cox
Date: Wed Aug 13 2008 - 17:32:02 EST


> I may be missing something about your suggestion, but I don't see how
> this would work. Who does the chmod?
>
> Here's a sequence:
>
> - Application opens file
> - AV scanner notified in some way without blocking
> - Application reads file into memory

The discussion has been about scanning on write.

> - AV scanner determines file is infected.
> - AV scanner chmod's file -- oops, too late.
> - Application sends file over the wire to another machine with a more
> vulnerable OS
>
> How would this be prevented?

I don't think you can. In your case how does your AV scanner deal with
the case where the application opens the file while another user has it
open and the other user (or even other task with the same handle) changes
the content possibly via mmap.

Content may also directly be shared between users of a file using the
mmap interfaces so your scan on read model is rather dysfunctional.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/