Re: [malware-list] scanner interface proposal was: [TALPA] Introlinux interface for for access scanning

From: david
Date: Sat Aug 23 2008 - 03:29:10 EST

Next message: Andi Kleen: "Re: [PATCH 2/2] smp_call_function: use rwlocks on queues rather than rcu"
Previous message: Al Viro: "Re: [git pull] VFS patches, the first series"
In reply to: Pavel Machek: "Re: [malware-list] scanner interface proposal was: [TALPA] Intro linux interface for for access scanning"
Next in thread: Jan Harkes: "Re: [malware-list] scanner interface proposal was: [TALPA] Introto a linux interface for on access scanning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 22 Aug 2008, Pavel Machek wrote:

To: david@xxxxxxx

Eric is viewing this through the AV point of view,
this means

...
He is thinking that any ability to avoid doing the scan
is a security hole.

That's contrary to the threat model ('it is just a scanner').

(Plus you can't do it. mmap. Of course you can pass viruses between
two cooperating applications... and you can do it through filesystem,
too. And you probably can make un-cooperating network server serve
viruses, as long as the network server uses mmap.)

by the way, sendfile and splice will probably also cause grief (or at least open-only checks like mmap)

This is the thing that makes antivirus ugly, its unique to the
antivirus, plus it can't be done. I.e. bad goal.

the items that I see as the potentially difficult policy decisions

1. when to scan files on access

and the more dificult issue,
2.when to allow access to unscanned files

3. what to do if different scanners disagree with each other

I think Eric's answers would be

1. unless they are already marked as being scanned since rebooting

2. only when a scanner program is doing the access, unless the scanner programs all decide differently.

3. only allow access if all scanners agree.

My answers are

1. unless they have already been marked by the current generation of scanner signatures

2. depends wildly on the environment. some uses will want to follow Eric's very strict policy, others will only want to impose the on-access scanning on software expected to be exposed to windows clients, yet others will want to scan by default, but exempt programs that don't interpret their input (for example 'wc')

I also don't know how the kernel could reliably figure out what program is asking for access. I guess you could try to do something with SELinux tags, but that makes this system dependant on SELinux, plus since you can only have one tag on the program it will potentially double the number if unique tags on the system, with a significant complication to the ruleset to make each of the tags identical, except for this one function.

3. like #2 depends wildly on the environment and what scanners are in use. I could easily see a 'majority vote wins' with three (or more) AV scanners in use. I could also see having a checksum based scanner override the decision of a heristic based scanner

David Lang
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andi Kleen: "Re: [PATCH 2/2] smp_call_function: use rwlocks on queues rather than rcu"
Previous message: Al Viro: "Re: [git pull] VFS patches, the first series"
In reply to: Pavel Machek: "Re: [malware-list] scanner interface proposal was: [TALPA] Intro linux interface for for access scanning"
Next in thread: Jan Harkes: "Re: [malware-list] scanner interface proposal was: [TALPA] Introto a linux interface for on access scanning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]