lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20080805123136.0073e52f@lxorguk.ukuu.org.uk>
Date:	Tue, 5 Aug 2008 12:31:36 +0100
From:	Alan Cox <alan@...rguk.ukuu.org.uk>
To:	Christoph Hellwig <hch@...radead.org>
Cc:	Eric Paris <eparis@...hat.com>,
	Christoph Hellwig <hch@...radead.org>,
	Greg KH <greg@...ah.com>, malware-list@...ts.printk.net,
	linux-kernel@...r.kernel.org
Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for
 on access scanning

> No, I want a sane security policy in kernelsapce that doesn't look
> at the content because doing security by content properly is equivalent
> to solving the halting problem.  I couldn't give a rats a** about
> windows viruses as they can't actually cause any harm on a Linux
> machine.

Go on then.. post patches.

I think your are being incredibly naïve. Our memory debugging is not 100%
solid but work by heuristic. Our lock analysis doesn't solve the halting
problem but is extremely useful and so on.

> Well, data can change all the time, as can the path name.  This whole
> content scanning thing doesn't make any sense at all.

Phone numbers change all the time, shall we burn all the phone books ?

> So make this opt-in and in userspace.  Just LD_PRELOAD some monster lib
> doing all the horrible things you propose and use it wherever you want.

Rather tricky as the needed hooks don't exist and you need to get ahead
of even ld.so as well as protect suid apps. You've clearly not even
thought about the problem space before sounding off because there are
more elegant ways of tackling it even if you want to push it at
userspace, and ones that aren't implausible like LD_PRELOAD.

If you'd applied even 30 seconds thought you would at least be pointing
people at FUSE or a stacking fs.

Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ