| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20080813221348.7198434c@lxorguk.ukuu.org.uk> Date: Wed, 13 Aug 2008 22:13:48 +0100 From: Alan Cox <alan@...rguk.ukuu.org.uk> To: "Press, Jonathan" <Jonathan.Press@...com> Cc: "Eric Paris" <eparis@...hat.com>, <peterz@...radead.org>, <linux-kernel@...r.kernel.org>, <malware-list@...ts.printk.net>, <hch@...radead.org>, <andi@...stfloor.org>, <viro@...IV.linux.org.uk>, <arjan@...radead.org> Subject: Re: [malware-list] TALPA - a threat model? well sorta. > I may be missing something about your suggestion, but I don't see how > this would work. Who does the chmod? > > Here's a sequence: > > - Application opens file > - AV scanner notified in some way without blocking > - Application reads file into memory The discussion has been about scanning on write. > - AV scanner determines file is infected. > - AV scanner chmod's file -- oops, too late. > - Application sends file over the wire to another machine with a more > vulnerable OS > > How would this be prevented? I don't think you can. In your case how does your AV scanner deal with the case where the application opens the file while another user has it open and the other user (or even other task with the same handle) changes the content possibly via mmap. Content may also directly be shared between users of a file using the mmap interfaces so your scan on read model is rather dysfunctional. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists