[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20080814094701.A65372FE89E@pmx1.sophos.com>
Date: Thu, 14 Aug 2008 10:46:55 +0100
From: tvrtko.ursulin@...hos.com
To: Eric Paris <eparis@...hat.com>
Cc: alan@...rguk.ukuu.org.uk, andi@...stfloor.org,
Arjan van de Ven <arjan@...radead.org>, hch@...radead.org,
linux-kernel@...r.kernel.org, malware-list@...ts.printk.net,
malware-list-bounces@...sg.printk.net, peterz@...radead.org,
viro@...IV.linux.org.uk
Subject: Re: [malware-list] TALPA - a threat model? well sorta.
Eric Paris wrote on 13/08/2008 19:57:44:
> > It's clear from the protection model that you described that on 'read'
> > you want to wait until the scan is done before you give the data to
the
> > process asking for it... and that's totally reasonable: "Do not give
> > out bad data" is a very clear line in terms of security.
> >
> > for the "dirty" case it gets muddy. You clearly want to scan "some
> > time" after the write, from the principle of getting rid of malware
> > that's on the disk, but it's unclear if this HAS to be synchronous.
> > (obviously, synchronous behavior hurts performance bigtime so lets do
> > as little as we can of that without hurting the protection).
> > One advantage of doing the dirty case async (and a little time
delayed)
> > is that repeated writes will get lumped up into one scan in practice,
> > saving a ton of performance.
> > (scan-on-close is just another way of implementing "delay the dirty
> > scan").
> > Based on Alans comments, to me this sounds like we should have an
> > efficient mechanism to notify userspace of "dirty events"; this is not
> > virus scan specific in any way or form. And this mechanism likely will
> > need to allow multiple subscribers.
>
> I'm certainly willing to go down the inotify'ish path for async
> notification of 'dirty' inodes instead of implement my own async
> mechanism if I can find a way to do it.
Do I understand correctly that everyone agrees scanning whenever an inode
gets dirty would be a terrible thing for performance?
Another thing we have here is that malware could not be neccessariliy
identified until the very last write (one example where it will always be
the case are PDF files (I think)).
So the whole question is at which point should be performing an async
scan. Close seems like a natural point which should be ideal for majority
of applications, I don't see how any time-based lumping/delaying scheme
can be better than close?
> > for the open() case, I would argue that you don't need synchronous
> > behavior as long as the read() case is synchronous. I can imagine that
> > open() kicks off an async scan, and if it's done by the time the first
> > read() happens, no blocking at all happens.
>
> An interesting addition. Trying to keep these queues of events gets
> much more complex, but if people really think the open to read race is
> that important I've always said it wasn't impossible to close.
This really sounds pretty interesting. Not necessariliy so much as a
performance optimisation, because I am not sure there are so many programs
where first read comes long after the first open, but as closing the
open-read race.
Could the implementation be not so complicated after all? If we generated
the same (roughly) event on reads and pass it for scanning if cache has
been invalidated in the mean time? The only thing is this could be a big
performance hit so some benchmarking might be in order depending on which
the read hook could be made run-time optional.
--
Tvrtko A. Ursulin
Senior Software Engineer, Sophos
"Views and opinions expressed in this email are strictly those of the
author.
The contents has not been reviewed or approved by Sophos."
Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.
Company Reg No 2096520. VAT Reg No GB 348 3873 20.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists