| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 15 Aug 2008 08:57:48 -0400 From: "Press, Jonathan" <Jonathan.Press@...com> To: "Theodore Tso" <tytso@....edu>, "Alan Cox" <alan@...rguk.ukuu.org.uk> Cc: "Rik van Riel" <riel@...hat.com>, "Pavel Machek" <pavel@...e.cz>, <davecb@....com>, "Adrian Bunk" <bunk@...nel.org>, "Mihai Don??u" <mdontu@...defender.com>, <linux-kernel@...r.kernel.org>, <malware-list@...ts.printk.net>, <linux-security-module@...r.kernel.org>, "Arjan van de Ven" <arjan@...radead.org> Subject: RE: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforonaccess scanning > -----Original Message----- > From: Theodore Tso [mailto:tytso@....edu] > Sent: Friday, August 15, 2008 7:35 AM > To: Alan Cox > Cc: Rik van Riel; Pavel Machek; Press, Jonathan; davecb@....com; Adrian Bunk; > Mihai Don??u; linux-kernel@...r.kernel.org; malware-list@...ts.printk.net; linux- > security-module@...r.kernel.org; Arjan van de Ven > Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforonaccess > scanning > > On Fri, Aug 15, 2008 at 09:35:13AM +0100, Alan Cox wrote: > > We shouldn't need to care what people do with good interface. What > > matters is in your airport example is that at the infrastructure level > > there is a point you can choose to do scanning and we agree where. > > Whether people use this to provide a Starbucks or goons with rubber > > gloves who take away babies milk is an application layer problem. An interesting example is (please don't scream everyone -- it's just an illustration of one approach to the problem) NetWare. (In fact, we still have a lot of active NetWare customers, so the fact that it is an archaic OS is not really the issue.) NetWare takes the kitchen-sink approach. It has an interface that allows notification on a whole host of i/o events, way more than we have ever found useful, and the application can register for the ones it wants and go from there. The kernel does not care what the application's inherent logic is, as long as the application passes control back with some appropriate return information (in other words, allow or deny in the context of malware) within a reasonable amount of time. I have no idea what purpose it was written for originally, and there are flaws to be sure, but I know that it is used successfully for HSMs and anti-malware products. > If it's a good interface that also happens to address HSM/DMAPI > functionality, as well as a more efficient way for trackerd to work, I > agree completely. I think you will agree the proposed TALPA interface > is a bit too virus-scanner specific, though? Especially with explicit > talk of specialized (persistent or not) "clean/dirty/infected" bits > that the kernel would store in the inode for the benefit of the AV > scanner? That's rather optimized for the goons-with-rubber-gloves > that-make-mothers-drink-their-own-breast-to-prove-it's-not-explosives > crowd, I think... That may just be a question of terminology. If the bits are construed not as clean/dirty/infected, but as "I care about this file" vs. "I don't care about this file" then the rubber gloves come off. Jon Press -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists