Message-Id: <20080814122800.45BA42FE810@pmx1.sophos.com>
Date: Thu, 14 Aug 2008 13:27:54 +0100
From: tvrtko.ursulin@...hos.com
To: "Press, Jonathan" <Jonathan.Press@...com>
Cc: alan@...rguk.ukuu.org.uk, andi@...stfloor.org,
"Arjan van de Ven" <arjan@...radead.org>, hch@...radead.org,
linux-kernel@...r.kernel.org, linux-kernel-owner@...r.kernel.org,
malware-list@...ts.printk.net,
malware-list-bounces@...sg.printk.net, peterz@...radead.org,
"Theodore Tso" <tytso@....edu>, viro@...IV.linux.org.uk
Subject: RE: [malware-list] TALPA - a threat model? well sorta.
Jonathan Press wrote on 14/08/2008 13:03:40:
> > Hm, maybe by implementing a facility with which a client can register its
> > interface usage intent? Something like:
> >
> > register(I_HAVE_NO_INTEREST_IN_CONTENT);
> > register(I_WANT_TO_EXAMINE_CONTENT);
> >
> > All former ones would run first because they only want to have the
> > opportunity to block and do something unrelated to file content (like
> > HSMs), and later group would be run last since they want to examine the
> > content.
> >
> > Ordering inside those two groups is not important because I don't see how
> > a model other than restrictive can make sense with content security
> > scanning.
>
> I'm not sure I understand why "interest in content" means not blocking,
> and vice versa. However, I think this is a good idea if made more
> explicit, i.e.:
Small misunderstanding because both would block. If you go back to Ted's
original post I was replying to, he was worried about how anti-malware
scanning would interact with HSM since both may end up using the same
interface. HSM, as far as I understand it, needs to block on open and
"plant" the right file in place, while anti-malware also needs to block
and examine the right content. That is why ordering matters: anti-malware
needs to run after the content is put in place. And that is what my idea
solves (slight overstatement since I spent only seconds on it) by
separating them into two groups of clients: the first, which has no
interest in content, and the second, which does.
--
Tvrtko A. Ursulin
Senior Software Engineer, Sophos
"Views and opinions expressed in this email are strictly those of the
author.
The contents has not been reviewed or approved by Sophos."
Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.
Company Reg No 2096520. VAT Reg No GB 348 3873 20.
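
The two-group ordering proposed in this message, sketched as a user-space C model. This is an added example, not code from the thread or from TALPA; apart from the two intent names, every identifier (`register_client`, `intercept_open`, the hook functions, the marker string) is hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* The two intent names come from the message; all else is hypothetical. */
enum intent { I_HAVE_NO_INTEREST_IN_CONTENT, I_WANT_TO_EXAMINE_CONTENT };
enum verdict { ALLOW, DENY };
struct file_ctx { char content[64]; };  /* stand-in for the file being opened */
typedef enum verdict (*open_hook)(struct file_ctx *);

#define MAX_CLIENTS 8
static struct { enum intent intent; open_hook hook; } clients[MAX_CLIENTS];
static size_t nclients;

int register_client(enum intent intent, open_hook hook)
{
    if (hook == NULL || nclients == MAX_CLIENTS)
        return -1;
    clients[nclients].intent = intent;
    clients[nclients++].hook = hook;
    return 0;
}

/* Blocking open: every no-content client runs before any content examiner,
 * whatever the registration order. Restrictive model: one DENY blocks. */
enum verdict intercept_open(struct file_ctx *f)
{
    for (int g = I_HAVE_NO_INTEREST_IN_CONTENT; g <= I_WANT_TO_EXAMINE_CONTENT; g++)
        for (size_t i = 0; i < nclients; i++)
            if ((int)clients[i].intent == g && clients[i].hook(f) == DENY)
                return DENY;
    return ALLOW;
}

/* HSM-like client: replaces a placeholder with the real (constructed) data. */
enum verdict hsm_hook(struct file_ctx *f)
{
    if (strcmp(f->content, "STUB") == 0)
        snprintf(f->content, sizeof f->content, "recalled CONSTRUCTED-TEST-MARKER");
    return ALLOW;
}

/* Scanner-like client: denies when the constructed marker is present. */
enum verdict scanner_hook(struct file_ctx *f)
{
    return strstr(f->content, "CONSTRUCTED-TEST-MARKER") ? DENY : ALLOW;
}
```

Registering the scanner before the HSM-like client still results in the recalled content being scanned, because dispatch goes by group rather than by registration order.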