lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1217994234.27684.227.camel@localhost.localdomain>
Date:	Tue, 05 Aug 2008 23:43:54 -0400
From:	Eric Paris <eparis@...hat.com>
To:	Andi Kleen <andi@...stfloor.org>
Cc:	malware-list@...ts.printk.net, linux-kernel@...r.kernel.org
Subject: Re: [RFC 0/5] [TALPA] Intro to a linux interface for on access
	scanning

On Wed, 2008-08-06 at 04:35 +0200, Andi Kleen wrote:
> Eric Paris <eparis@...hat.com> writes:
> 
> > 5. Fine-grained caching
> > -----------------------
> > It is necessary to select which filesystems can be safely cached and
> > which must not be. For example it is not a good idea to allow caching of
> > network filesystems because their content can be changed invisibly. Disk
> > based and some virtual filesystems can be cached safely on the other
> > hand.
> 
> Actually local disk file systems can be changed invisibly to the VFS too by 
> directly writing to the block device. This does not change the
> page cache, but the on disk copy and when a page is pruned from
> RAM and reloaded VFS will see the new contents without knowing
> about any change. How would you stop that in your
> proposal? I assume you could always require a special LKM that
> forbids block writes for anything mounted, but that has other problems 
> too and one wuld need to be extremly careful of holes in
> such a protection scheme (e.g. overlapping partitions) 

I didn't consider it.  Most likely at the end of the day the finding
will be, "if you can write directly to the block device you already won
since there as so many other things you can do to subvert the system."

Admittedly its the first technical point brought up on list that I
didn't consider at all (lots of other things brought up on list that
need more thought that weren't exactly technical details, don't let me
seem like I'm downplaying those)

-Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ