Open Source and information security mailing list archives
Date:	Tue, 5 Aug 2008 01:49:01 -0400
From:	"Kyle Moffett" <kyle@...fetthome.net>
To:	"Christoph Hellwig" <hch@...radead.org>
Cc:	"Eric Paris" <eparis@...hat.com>, "Greg KH" <greg@...ah.com>,
	malware-list@...ts.printk.net, linux-kernel@...r.kernel.org
Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning

On Mon, Aug 4, 2008 at 8:54 PM, Christoph Hellwig <hch@...radead.org> wrote:
> On Mon, Aug 04, 2008 at 08:47:04PM -0400, Eric Paris wrote:
>> On Mon, 2008-08-04 at 20:26 -0400, Christoph Hellwig wrote:
>> > NACK, this kind of policy should be done in kernelspace.
>>
>> What?  You want to write an in-kernel scanner for Windows viruses?
>
> No, I want a sane security policy in kernelspace that doesn't look
> at the content because doing security by content properly is equivalent
> to solving the halting problem.  I couldn't give a rats a** about
> windows viruses as they can't actually cause any harm on a Linux
> machine.

Much better solution:

Use SELinux or another similar Mandatory Access Control labeling
system.  Mark some things as "trusted" or "privileged" or whatever
your particular labeling methodology requires.  Mark other things as
"untrusted", "unprivileged", "internet file", etc.  Disallow most
interaction between "trusted" and "untrusted" things.  Configure your
userspace virus-scanner which is allowed to read "untrusted" files and
create "semi-trusted" files in a particular directory, where they can
then be picked up by "trusted" programs.

Problem solved.  Untrusted and possibly-compromised files can't be
executed, or even if they could be they can't do anything
interesting/harmful.  In order to execute some junk you just
downloaded from the internet you have to click "Yes I accept the
security risk" and run it through whatever virus-scanner you want.
Then you copy it from the virus-scanner output directory into
somewhere else and run it.

You can do the same thing with software updates downloaded from the
internet, just replace "trusted" with "installed package",
"semi-trusted" with "valid package", "untrusted" with "just-downloaded
package file", and "virus scanner" with "package signature
verification tool".

I could easily come up with a bunch more examples if you really care that much.

Cheers,
Kyle Moffett
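
The labeling scheme described in the message above can be modelled as a default-deny rule set and audited for the property it relies on: data only gets from "untrusted" to "trusted" by passing through the scanner. This is an added example, not part of the original post; the domain names, label names and rules are hypothetical, and the model is a toy, not SELinux policy syntax.

```python
from collections import deque

# Constructed policy: (domain, file label, permission). Anything not listed is
# denied, as in SELinux type enforcement. All names here are hypothetical.
ALLOW = {
    ("browser", "untrusted", "read"),
    ("browser", "untrusted", "write"),        # downloads are created untrusted
    ("scanner", "untrusted", "read"),
    ("scanner", "semi_trusted", "write"),     # scanner output directory
    ("trusted_app", "semi_trusted", "read"),
    ("trusted_app", "trusted", "read"),
    ("trusted_app", "trusted", "write"),
    ("trusted_app", "trusted", "execute"),
}

def allowed(domain, label, perm, rules=ALLOW):
    """Default-deny access check."""
    return (domain, label, perm) in rules

def flow_edges(rules):
    """Data flows label -> domain on read/execute and domain -> label on write."""
    edges = {}
    for domain, label, perm in rules:
        d, l = ("domain", domain), ("label", label)
        src, dst = (d, l) if perm == "write" else (l, d)
        edges.setdefault(src, set()).add(dst)
    return edges

def reachable(rules, start, goal, without=None):
    """Breadth-first search over the flow graph, optionally skipping one node."""
    edges = flow_edges(rules)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            return True
        for nxt in edges.get(node, ()):
            if nxt != without and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

def scanner_is_chokepoint(rules):
    """True if no untrusted -> trusted flow survives removing the scanner."""
    return not reachable(rules, ("label", "untrusted"), ("label", "trusted"),
                         without=("domain", "scanner"))

if __name__ == "__main__":
    print(scanner_is_chokepoint(ALLOW))
    print(scanner_is_chokepoint(ALLOW | {("trusted_app", "untrusted", "read")}))
```

The second call adds a single misconfigured rule letting the trusted domain read untrusted files directly, which is enough for the audit to report that the scanner can be bypassed.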