On Tue, Nov 17, 2015 at 11:25:51AM -0600, Seth Forshee wrote:To properly protect against attacks on mounted filesystems, we'd need some new concept of a userspace immutable file (that is, one where nobody can write to it except the kernel, and only the kernel can change it between regular access and this new state), and then have the kernel set an image (or block device) to this state when a filesystem is mounted from it (this introduces all kinds of other issues too however, for example stuff that allows an online fsck on the device will stop working, as will many un-deletion tools).
Shortly after that I plan to follow with support for ext4. I've been
fuzzing ext4 for a while now and it has held up well, and I'm currently
working on hand-crafted attacks. Ted has commented privately (to others,
not to me personally) that he will fix bugs for such attacks, though I
haven't seen any public comments to that effect.
_Static_ attacks, or change-image-under-mounted-fs attacks?
Description: S/MIME Cryptographic Signature