Message-id: <48998DB8.3@sun.com>
Date: Wed, 06 Aug 2008 07:40:40 -0400
From: David Collier-Brown <davecb@....com>
To: Eric Paris <eparis@...hat.com>
Cc: Arjan van de Ven <arjan@...radead.org>,
"Press, Jonathan" <Jonathan.Press@...com>,
Greg KH <greg@...ah.com>, linux-kernel@...r.kernel.org,
malware-list@...ts.printk.net,
linux-security-module@...r.kernel.org
Subject: Sidebar to [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning
"Press, Jonathan" <Jonathan.Press@...com> wrote:
>>but close is... very limited in value. Open is a discrete event
>>traditionally associated with permission checks.
>>Close... not so. (And if you mmap memory, you can then close the file
>>and still write to it via the mmap)
Eric Paris wrote:
> I think we all agree that open is the most interesting time for scanning
> operations, but as Jonathan points out there is some value (even if not
> perfect value) in looking at closes as well.
Open for read is the "traditional" time for scanning, but the
sequence (open for write) -> change -> (time passes or close happens)
is specifically a good time to do content checking, so as to have the
answer to the check available for the open for read.
I'd suggest "read" and "write" are the two cases that are interesting,
and that we've been using "open" and "close" for a not very good
approximation to them (;-))
--dave
--
David Collier-Brown | Always do right. This will gratify
Sun Microsystems, Toronto | some people and astonish the rest
davecb@....com | -- Mark Twain
cell: (647) 833-9377, bridge: (877) 385-4099 code: 506 9191#
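The mmap point quoted above (close a file, keep writing through the mapping) is the reason a close-time hook is a weak proxy for "write finished". The following is an added example, not code from the original thread or from the TALPA patches: it creates a constructed temporary file under /tmp, maps it MAP_SHARED, closes the descriptor, and only then modifies the content. The `snapshot()` helper stands in for an independent scanner reading the file at the close event and again later; both helper names and the file contents are constructed for this illustration. It assumes a POSIX system with mmap(2) and a writable /tmp.

```c
/* Added example (not part of the original thread): shows why a close()
 * hook is a weak proxy for "write finished". The file is modified through
 * a writable MAP_SHARED mapping after the descriptor has been closed.
 * Assumes a POSIX system with mmap(2); uses a constructed temp file. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Length of the constructed file contents, including the terminating NUL. */
#define CONTENT_LEN 16

/* Read CONTENT_LEN bytes from path into buf through a fresh descriptor,
 * the way an independent scanner would. Returns 0 on success, -1 on error. */
static int snapshot(const char *path, char *buf)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = pread(fd, buf, CONTENT_LEN, 0);
    close(fd);
    return n == CONTENT_LEN ? 0 : -1;
}

/* Returns 1 when (a) the file still holds the original bytes at the moment
 * close() runs and (b) it holds different bytes afterwards, i.e. the write
 * landed after the close event a scanner would have hooked; 0 if either
 * observation fails; -1 on a system-call error. */
int write_after_close_changes_file(void)
{
    char path[] = "/tmp/talpa-demo-XXXXXX";             /* constructed temp file */
    const char before[CONTENT_LEN] = "original-data--";  /* content at close() */
    const char after[CONTENT_LEN]  = "mapped-write!!!";  /* written post-close */
    char at_close[CONTENT_LEN], final[CONTENT_LEN];
    int result = -1;

    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, before, CONTENT_LEN) != CONTENT_LEN) {
        close(fd);
        unlink(path);
        return -1;
    }

    /* Writable shared mapping: stores go to the page cache and the file. */
    char *map = mmap(NULL, CONTENT_LEN, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) {
        close(fd);
        unlink(path);
        return -1;
    }

    /* The close() event: a close-time scanner sees the original bytes. */
    close(fd);
    if (snapshot(path, at_close) != 0)
        goto out;

    /* Modify the file with no descriptor open on it at all. */
    memcpy(map, after, CONTENT_LEN);
    msync(map, CONTENT_LEN, MS_SYNC);

    if (snapshot(path, final) != 0)
        goto out;

    result = (memcmp(at_close, before, CONTENT_LEN) == 0 &&
              memcmp(final, after, CONTENT_LEN) == 0 &&
              memcmp(final, at_close, CONTENT_LEN) != 0);
out:
    munmap(map, CONTENT_LEN);
    unlink(path);
    return result;
}

int main(void)
{
    int r = write_after_close_changes_file();
    printf("write after close changed file: %s\n",
           r == 1 ? "yes" : r == 0 ? "no" : "error");
    return r == 1 ? 0 : 1;
}
```

Compile with `cc -o talpa-demo talpa-demo.c && ./talpa-demo`. The second snapshot differs from the first even though no descriptor was open when the bytes changed, which is the case the "open for write -> change -> close" sequence in the message above cannot capture; a scanner that wants the result ready for the next open-for-read has to treat the content change itself (page dirtying, msync, or a later open) as the trigger, not the close.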