lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20080805201535.GC27192@kroah.com>
Date:	Tue, 5 Aug 2008 13:15:35 -0700
From:	Greg KH <greg@...ah.com>
To:	Eric Paris <eparis@...hat.com>
Cc:	malware-list@...ts.printk.net, linux-kernel@...r.kernel.org
Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface
	for on access scanning

On Tue, Aug 05, 2008 at 03:46:03PM -0400, Eric Paris wrote:
> On Mon, 2008-08-04 at 17:51 -0700, Greg KH wrote:
> > On Mon, Aug 04, 2008 at 08:32:54PM -0400, Eric Paris wrote:
> 
> > Oh, and after that, not using a binary interface, have we not learned
> > from the ioctl mess?  I sure thought we had...
> 
> I don't see a reason why we can't use strings and key=value pairs for
> any metadata being sent back and forth.  That seem more reasonable?

Sure, but do you really want to put a parser in the kernel (well, make
that, yet-another-parser-in-the-kernel...)?

> > > > Heh, so if you want to write a "virus" for Linux, just implement this
> > > > flag.  What's to keep a "rogue" program from telling the kernel that all
> > > > programs on the system are to be excluded?
> > > 
> > > Processes can only get this flag one of 2 ways.
> > > 
> > > 1) register as a client to make access decisions
> > 
> > How do you do that?
> 
> open the magic "vetting" file RW and you are a client who can answer
> access decisions.

What's to keep anyone from doing this?

> > > Perf win, why bothering looking for malware in /proc when it can't
> > > exist?  It doesn't take longer it just takes time having to do
> > > 
> > > userspace -> kernel -> userspace -> kernel -> userspace
> > > 
> > > just to cat /proc/mounts, all of this could probably be alliviated if we
> > > cached access on non block backed files but then we have to come up with
> > > a way to exclude only nfs/cifs.  I'd rather list the FSs that don't need
> > > scanning every time than those that do....
> > 
> > How long does this whole process take?  Seriously is it worth the added
> > kernel code for something that is not measurable?
> 
> Is it worth having 2 context switches for every open when none are
> needed?  I plan to get numbers on that.

Compared to the real time it takes in the "virus engine"?  I bet it's
totally lost in the noise.  Those things are huge beasts with thousands
to hundreds of thousands of context switches.

> > > In kernel caching is clearly a huge perf win.
> > 
> > Why?  If the cache is also in userspace, it should be the same, right?
> 
> In kernel cache has 0 context switches for every open.  Userspace
> caching has 2.  Every open has to block, switch to the context of the
> userspace client/cache, get that decisions, and then switch back to the
> original process.

Again, compared to what?  If you in userspace are doing big complex
things, such an overhead is trivial.

And again, realize that Linux has the fastest context switches _by far_
of any other operating system.  It is ok to do things in userspace, we
are used to that :)

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ