lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Thu, 07 Aug 2008 22:15:38 -0400
From:	Eric Paris <eparis@...hat.com>
To:	Rene Herman <rene.herman@...access.nl>
Cc:	Theodore Tso <tytso@....edu>, Greg KH <greg@...ah.com>,
	Alan Cox <alan@...rguk.ukuu.org.uk>,
	malware-list@...ts.printk.net, linux-kernel@...r.kernel.org
Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux
	interface	for on access scanning

On Fri, 2008-08-08 at 04:06 +0200, Rene Herman wrote:
> On 07-08-08 16:16, Eric Paris wrote:
> 
> > Absolutely, I think that our solution needs worry much less about an 
> > actively attacking root process than Windows.
> 
> Note by the way that this assumption is being actively undermined by all 
> those companies releasing software released as big executable blobs that 
> you just have to chmod +x and run; as root if you want them in /opt, or 
> /usr/local/bin, or ...

but you already say that said blob exists on disk?  Therefore by my most
basic of models it won't ever actually get to run since it will get
scanned right as you try to execute it and you will get EPERM instead of
a running evil process.  (all of that is assuming the userspace black
magic is useful, but I don't think that's really up for debate since we
have no way of knowing exactly what these closed source AV vendors
actually are doing....)

It looks in my mind that more and more the only real model that can even
attempt to be addressed is to make disks inhospitable to data which
might be intended to do ill to another machine.

Once the process is running we are talking about an IDS right?

> 
> Even when OpenOffice.org, IBM Lotus Symphony, RealPlayer, Flash, what 
> have you, might generally by themselves not be considered virusses both 
> the precedent they set and the opportunity for infecting systems by 
> offering those for re-download from elsewhere is worrying.
> 
> One of the more useful things the security crowd could do to keep the 
> above assumption valid would be working on a general "external software 
> installer" and getting all distributions to settle on it (which probably 
> needs a common divisor package and distro backends to feed it to the 
> native package manager).

maybe a good idea, but beyond my expertise or ability to push forward...

-Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists