| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87vdye6etu.fsf@basil.nowhere.org> Date: Wed, 06 Aug 2008 04:46:05 +0200 From: Andi Kleen <andi@...stfloor.org> To: "Press, Jonathan" <Jonathan.Press@...com> Cc: "Eric Paris" <eparis@...hat.com>, "Greg KH" <greg@...ah.com>, <linux-kernel@...r.kernel.org>, <malware-list@...ts.printk.net> Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface foron access scanning "Press, Jonathan" <Jonathan.Press@...com> writes: > > Also... I was one of the people who brought up the idea of a process > exclusion when the requirements list was being developed. I intended it > as a way that an AV application could exclude specific OTHER processes > by name (as selected by the AV user) There's no fixed process name in Linux that cannot be easily faked: Use process name -- every process can change that by writing to its own environment. Use comm name -- there's a prctl to change that and there can be collisions Use path name of binary -- breaks with chroot and name spaces. Also existing binaries can be subverted. Use inode of binary -- can be faked with fuse and breaks when the binaries is copied ... Use dev, inode -- breaks when copying binary and when running on network file systems without a device node -Andi -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists