| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 5 Aug 2008 10:04:57 -0700 From: Greg KH <greg@...ah.com> To: Helge Hafting <helge.hafting@...el.hist.no> Cc: Eric Paris <eparis@...hat.com>, malware-list@...ts.printk.net, linux-kernel@...r.kernel.org Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning On Tue, Aug 05, 2008 at 01:21:01PM +0200, Helge Hafting wrote: > Greg KH wrote: >> >> >> I don't see anything in the list above that make this a requirement that >> the code to do this be placed within the kernel. >> >> What is wrong with doing it in glibc or some other system-wide library >> (LD_PRELOAD hooks, etc.)? >> > > A linux virus would trivially get around that by doing its own syscalls > instead of using glibc. (It might still link dynamically to glibc so > you don't get suspicious, but won' actually use it when doing bad stuff.) That's fine, then the file is corrupted. It is when the "normal" program goes to load the file that we want to block and determine if we have a problem or not in the data. virus scanners are not a security model in the aspect of SELinux or SMACK. If they were, they would just use the LSM interface. virus scanners are interested in blocking "normal" programs from reading invalid data from disk before acting on it or executing it. thanks, greg k-h -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists