lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <2629CC4E1D22A64593B02C43E855530304AE4BC2@USILMS12.ca.com>
Date:	Wed, 13 Aug 2008 17:24:28 -0400
From:	"Press, Jonathan" <Jonathan.Press@...com>
To:	"Alan Cox" <alan@...rguk.ukuu.org.uk>,
	"Eric Paris" <eparis@...hat.com>
Cc:	<peterz@...radead.org>, <linux-kernel@...r.kernel.org>,
	<malware-list@...ts.printk.net>, <hch@...radead.org>,
	<andi@...stfloor.org>, <viro@...IV.linux.org.uk>,
	<arjan@...radead.org>
Subject: RE: [malware-list] TALPA - a threat model?  well sorta.

> -----Original Message-----
> From: malware-list-bounces@...sg.printk.net [mailto:malware-list-
> bounces@...sg.printk.net] On Behalf Of Alan Cox
> Sent: Wednesday, August 13, 2008 3:59 PM
> To: Eric Paris
> Cc: peterz@...radead.org; linux-kernel@...r.kernel.org; malware-
> list@...ts.printk.net; hch@...radead.org; andi@...stfloor.org;
> viro@...IV.linux.org.uk; arjan@...radead.org
> Subject: Re: [malware-list] TALPA - a threat model? well sorta.
> 
> > > I don't think you need to be blocking if you passed up a file
handle ?
> >
> > Without blocking and waiting how do you deny access?  Maybe I needed
> > another thing they do.  "They do file scanning and deny access to
bad
> > files."
> 
> Denying access is easy enough - chmod it or set an SELinux label on
it.

I may be missing something about your suggestion, but I don't see how
this would work.  Who does the chmod?

Here's a sequence:

- Application opens file
- AV scanner notified in some way without blocking
- Application reads file into memory
- AV scanner determines file is infected.
- AV scanner chmod's file -- oops, too late.
- Application sends file over the wire to another machine with a more
vulnerable OS

How would this be prevented?


Jon Press
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ