lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1218734985.9375.5.camel@paris.rdu.redhat.com>
Date:	Thu, 14 Aug 2008 13:29:45 -0400
From:	Eric Paris <eparis@...hat.com>
To:	Theodore Tso <tytso@....edu>
Cc:	tvrtko.ursulin@...hos.com, alan@...rguk.ukuu.org.uk,
	andi@...stfloor.org, Arjan van de Ven <arjan@...radead.org>,
	hch@...radead.org, linux-kernel@...r.kernel.org,
	malware-list@...ts.printk.net,
	malware-list-bounces@...sg.printk.net, peterz@...radead.org,
	viro@...IV.linux.org.uk
Subject: Re: [malware-list] TALPA - a threat model?  well sorta.


On Thu, 2008-08-14 at 11:50 -0400, Theodore Tso wrote:
> On Thu, Aug 14, 2008 at 09:48:33AM -0400, Eric Paris wrote:
> > 
> > There needs to be a way to say that an inode in cache needs to be
> > rescanned.  3 states this flag can be.  Clean, Dirty, Infected.  The
> > current talpa solution involves a global monotomically increasing
> > counter every time you change virus defs or make some "interesting"
> > change.  If global == inode flag we are clean.  If global == negative
> > inode flag we are infected.  if global > inode flag we are dirty and
> > need a scan.
> 
> "Infected" just means to instantly return an error when the file is
> opened or if an already opened file descriptor is read or mmap'ed,
> right?  If file is already mmaped(), what's the plan?  Send a kill -9
> to the process, even if it ends up kill off an emacs or openoffice
> process?

We don't have a revocation mechanism in linux and this isn't about
adding one.  Your trying to turn this into something it isn't.  If you
have it opened and mmap'd you've got that file for as long as you want.
I've already said that given Arjan's belief that we can move it
read/write instead of open/close we are moving the open->read race to a
mmap->fault race.  It isn't perfect at stopping bad data flow, but its
darn sure a lot better than nothing.
> 
> > > That seems fair; if it turns out there is an AV product that wants to
> > > optimize this a bit further, as long as we provide a persistent inode
> > > version/generation number, they can always do their own persistent
> > > database in userspace.
> > 
> > exporting i_version might be useful for better userspace caching,
> > although I've yet to see any reasonable description of how a userspace
> > database can map between data on disk and what they have in userspace.
> > How can a userspace process, given 2 file descriptors know they are
> > actually the same thing on disk?
> > 
> 
> If a userspace database knows that inode X, i_version Y was checked a
> day ago, and inode X still has i_version Y, even if that inode has
> been evicted from memory, the contents will be the same absent root
> messing about with direct access to the block device.  If there was an
> intervening boot, the someone could remove the disk, edit the disk
> block directly -- but that person could also add a backdoor to the
> kernel while they were at it.

is i_version an on disk think?  didn't realize that and just assumed it
was in in core thing.  I wouldn't have an issue sending i_version to the
userspace scanner for them to use as they like.

-Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ