lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 6 Aug 2008 11:46:04 -0400
From:	Rik van Riel <riel@...hat.com>
To:	"Press, Jonathan" <Jonathan.Press@...com>
Cc:	"Theodore Tso" <tytso@....EDU>, <linux-kernel@...r.kernel.org>,
	<malware-list@...ts.printk.net>,
	<linux-security-module@...r.kernel.org>,
	"Arjan van de Ven" <arjan@...radead.org>
Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforon
 access scanning

On Wed, 6 Aug 2008 11:33:23 -0400
"Press, Jonathan" <Jonathan.Press@...com> wrote:

> Even so, I don't think your extreme examples are really parallel to what
> we do.  Personally, I think that scanning on open, exec and close is not
> excessive.  
> 
> And in fact, we do go out of our way to avoid scanning when it really
> isn't necessary.  For example, that's the reason that we want a cache --

Disks are slow and files are getting larger by the day.

We can do a lot better than scanning a whole file.  A mechanism
that can notify programs about what file changed and what byte
range in the file changed can reduce scanning overhead by only
needing to scan the part of the file that changed.

More importantly, getting info on which bytes in a file changed
will also help backup programs and disk indexing programs.


Blocking on open can be useful for more than just anti-virus
scanning.  It can also be useful for hierarchical storage
management or simply for using a filesystem while it is being 
restored from backup - an important consideration because
restoring a filesystem from backup can take days with modern
data sizes.

Blocking on exec is similar to blocking on open and useful
in the same scenarios.


What we need to work on is making sure that the interfaces
that go into the kernel are useful not just for anti-virus
programs, but also for other software.

-- 
All Rights Reversed
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ