lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 20 Aug 2008 17:42:24 -0700 (PDT)
From:	david@...g.hm
To:	Eric Paris <eparis@...hat.com>
cc:	Jan Harkes <jaharkes@...cmu.edu>,
	Alan Cox <alan@...rguk.ukuu.org.uk>, tvrtko.ursulin@...hos.com,
	Theodore Tso <tytso@....edu>, davecb@....COM,
	Adrian Bunk <bunk@...nel.org>,
	linux-kernel <linux-kernel@...r.kernel.org>,
	malware-list@...ts.printk.net,
	Casey Schaufler <casey@...aufler-ca.com>,
	Arjan van de Ven <arjan@...radead.org>
Subject: Re: [malware-list] scanner interface proposal was: [TALPA] Intro
 linux interface for  for access scanning

On Wed, 20 Aug 2008, Eric Paris wrote:

> On Wed, 2008-08-20 at 10:33 -0700, david@...g.hm wrote:
>
>> if the system package manager says the syslogd binary doesn't match the
>> checksum that it has recorded should it be prevented from running? (a
>> strict policy would say no, but the sysadmin may have recompiled that one
>> binary and just wants a warning to be logged somewhere, not preventing the
>> process from running)
>
> My belief is that if you choose to run a file scanner and that file
> scanner gets the answer wrong you need to look at the file scanner.
> There shouldn't be arbitrary overrides.  If you don't accept the results
> of the scanner what's the point?  Tell you package manager scanner that
> you changed it.

and this is the core disagreement we have. I don't trust the AV vendors 
that much. I want there to be some way for me to disagree with them.

I've had AV false positives a few too many times where it flagged critical 
software as being bad to be comfortable giving them that much control

>> without the kernel support to clear the flags when the file is dirtied how
>> can these programs trust the xattr flags that say they scanned the file
>> before?
>
> I don't understand what you mean about trust.

if a program set an xattr to say that it scanned the file and then the 
system reboots, how can this program know that the file hasn't been 
modified since that xattr was set? your in-memory data is gone, so you 
can't tell from that. the xattr tag is still there.

> This is an argument for
> kernel support now?  What is it that you say needs and what doesn't need
> it?  Can you explain exactly what your perfect solution from top down?

1. a flag mechansim (namespace in xattr or something else) that allows for

1a. scanners to store arbatrary tags in a way that will survive a reboot.

1b. when the file is dirtied the kernel clears all flags that have been 
set on this file.

   especially for mmap access the kernel is in a good position to detect 
that the file has been dirtied, but nothing else is.

1c. when the kernel detect a formerly clean file getting dirtied it sends 
a message to userspace in a way that multiple scanners can receive the 
alerts

1d. to close the race of the file being modified while it's being scanned, 
add a system call (atomic as far as userspace is concerned) that sets a 
new tag IFF an old tag is set

2. on access a check is done against a list of 'required' tags, if not all 
tags are present the master scanning logic is invoked.

   for several reasons I've been thinking that this step could/should be 
done 
in userspace

If done in userspace

2a. define a place to record the 'required' tags.

   one way to do this is to have a directory for it, programs define 
'required' tags by creating a file with that as it's name with the 
contents of the file including the scanner name and the command line to 
execute to perform a scan

2b. define a way of stacking different scanners (being able to define what 
to do if each scanner says "yes", "no", "I don't know", "the file changed 
under me", and "the file changed under me, but I think I found a problem", 
and what to do with the combination of different answers).

   it may be that something resembling the way that pam works would be 
suitable.

3. modify knfsd so that it does the on access checks that the userspace 
library could do for #2 and calls out to the master scanning logic.

   this is new since the last time I wrote up the proposal (the first 
message in this thread), and is definantly more work, but in thinking 
about it I am starting to think that if the userspace solution is a good 
fit for everything but static binaries and knfsd, then the answer is to 
modify knfsd and say that the sysadmin/distro is responsible for making 
the static binaries compiled against the right libraries

when programs get ready to start scanning they can set a tag 
'app-scanning' when they complete the scan they can use the atomic op to 
say "if the tag 'app-scanning' is set, clear it and set the tag 
'app-scanned-gen1234'" (if 'app-scanning' is not set then the file was 
dirtied after the scan started)

if a program is running as part of an on-access scan it would then return 
it's opinion of the file.

it would be up to the master software (2b) to decide what to do if the 
scanners disagree, no scanner voices an opinion, or if a scanner reports 
the file changed while it was scanning it (it may want to kick off the 
scan immediatly, it may want to wait, it may want to limit the number of 
times it tries to scan a file and then either just allow or deny the 
access (all these thing are policy decisions)


>> I'm not saying that xattr is the only way to store the info, it just seems
>> like a convienient place to store them without having to create a
>> completely new API or changing anything in on-disk formats.
>
> And I saying we don't actually need any of this

I know, this is the core of our disagreement.

> and if it is actually
> needed by someone in the real world they can easily build their own
> solution on top of my generic interface.

most stuff could be, but I don't think everything could.

> I'm not making the assertion
> it is race free and don't think it is possible without making every
> sequential (hahahaha.)

I think we can make it race free.

> But I claim in the face of normal operation it's
> fine.  My interface, as proposed, is very generic.  Much more so than
> what I think you are trying to describe.  I couldn't make mine more
> minimal or broad.

and I am thinking that the slight additional step of having the kernel 
clear all tags rather then just having a single 'it was ok' tag is a 
significant advantage.

beyond that I think both approaches can work, the difference is how 
simple/complex we think the result is going to be used.

I think that we both agree that if you are right about how simply it's 
going to be used, you are also correct in putting it all in the kernel. 
however if I'm right about it being used for more complex things, then 
significant parts of it belong in userspace.

based on my beleive that much of this belongs in userspace, I'm then 
saying that it may make sense for all of #2 to be in userspace.

David Lang
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ