Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforon access scanning

From: Pavel Machek
Date: Sun Aug 17 2008 - 18:11:35 EST

Next message: David Miller: "Re: pull request: wireless-2.6 2008-08-17"
Previous message: Pavel Machek: "Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforon access scanning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> > So if that is the threat model, then the only thing libmalware.so
> > doesn't solve is knfsd access, and it should be evaluated on that
>
> And static binaries, and other kernel modular file I/O done on behalf of
> applications, and making a library work well which is *hard*, and
> labelling and scalability, and sharing a cache between users, and
> aggregating events across processes .. and a few other things.

Well, I believe libmalware.so works with threat model I described; of
course it will not protect statically linked sambad (unless you
statically link it with libmalware.so, which you should do). I'm not
actually advocating LD_PRELOAD. There are enough userspace nfsds
around, but yes, you can't use libmalware.so with knfsd.

[You could do something like fuse filesystem linked with libmalware,
and make knfsd export that, and put applications you can't link with
libmalware to use that. But that's a _hack_.]

> There seem so far to be two independent requests
>
> * Noticing a file has recently changed, possibly with information about
> changes and possibly being able to aggregate/time that for scalability.
> This has a need to be able to accurately reference which file. This is
> needed for good content indexing, and virus people want it for certain
> kinds of scanning (post write, background etc). Doing this solely as a
> final close notifier seems to be insufficient (as it may never
> close).

Agreed, we need this.

> * Being able to pause an open pending some action. Examples include HSM
> and dubiously some kinds of virus check. Problems here include the fact
> it can only meaningfully be done for first open (which is fine for HSM)
> and that the notion of an exclusive open, or of repeated clearly defined
> open/read-write/close/done sequences are actually quite foreign to Unix
> like systems.

Do HSMs really get implemented like that? I'd expect HSM to be
something like fuse or unionfs... and when it is confined to one
filesystem, you can use existing solutions.

I don't like blocking at open at all, and I don't think blocking at
open is enough for antivirus scanner.
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: David Miller: "Re: pull request: wireless-2.6 2008-08-17"
Previous message: Pavel Machek: "Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforon access scanning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]