lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.DEB.1.10.0808160014420.12859@asgard.lang.hm>
Date:	Sat, 16 Aug 2008 00:27:53 -0700 (PDT)
From:	david@...g.hm
To:	Valdis.Kletnieks@...edu
cc:	Arjan van de Ven <arjan@...radead.org>,
	Peter Dolding <oiaohm@...il.com>, rmeijer@...all.nl,
	Alan Cox <alan@...rguk.ukuu.org.uk>, capibara@...all.nl,
	Eric Paris <eparis@...hat.com>, Theodore Tso <tytso@....edu>,
	Rik van Riel <riel@...hat.com>, davecb@....com,
	linux-security-module@...r.kernel.org,
	Adrian Bunk <bunk@...nel.org>,
	Mihai Don??u <mdontu@...defender.com>,
	linux-kernel@...r.kernel.org, malware-list@...ts.printk.net,
	Pavel Machek <pavel@...e.cz>
Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforon
 access scanning

On Sat, 16 Aug 2008, Valdis.Kletnieks@...edu wrote:

> Many security experts believe that a false sense of security is worse than
> no security at all.  In other words, unless the design team is *honest* with
> themselves about what the proposal does and doesn't cover, and has at least
> an *idea* of how the uncovered parts will function, you're not adding to
> the *real* security.

this is why there was so much preasure for them to define their threat 
model. they have donw so. if you disagree with that please suggest a 
different threat model rather then just listing various threats that their 
model doesn't cover.

> The problem with saying stuff like "Oh, our threat model explicitly rules
> out anything done by root" is that all too often, the other part of the
> overall plan - the one that constrains the root user - is never deployed.

it may not be appropriate to lock down root, it depends on what threats 
the box is under.

on the other hand, locking down root perfectly, but readily serving 
windows virii to other systems isn't good in some cases either.

security is not 'one size fits all'

> One of the proponents of the idea told me "so I don't see that as a big
> problem", when the problem in question (the race condition between malware
> arriving and actual scanning with a signature that detects the malware) is one
> of *THE* biggest issue for actual deployments of this sort of stuff.  No, TALPA
> doesn't have to necessarily deal with that race condition itself.

so how _so_ you handle detecting bad data before anyone defines it as bad?

remember, the 'bad data' may be a $propriatary_media format that only 
causes problems when run with $propriatary_software on $proptiatary_OS. Or 
the 'bad data' could be a document in an open format that complies with 
the specs of that format, but a common client doesn't handle the 
legitimate file correctly.

there is no possible way to detect these ahead of someone defineing them 
as bad. you can prevent them from being exploited on the Linux system (or 
limit the damage of the exploit), that's what SELinux aims at.

> But you damn sight well better have a good idea of how you intend to deal
> with it, because if you don't, the end result isn't actually usable for
> anything...

again, that's why the push for a threat model.

>> (nor should we do something that has no value.. but that's not the case;
>> the model that Erik described is quite well defined as
>> "do not give ''bad' content to applications/exec".
>
> The model is *not* "quite well defined" - because "bad content" is a rather
> squishy term (go read Fred Cohen's PhD thesis, where he shows that detecting
> viruses/malware is equivalent to the Turing Halting Problem).  What you
> *really* mean is "that subset of bad content that we can reasonably
> economically catch with pattern matching signatures".

more precisely the model is defined as "do not give 'unchecked' data to 
applications/exec" how they are checked is not defined, providing the 
hooks so that checking can be done is what we are trying to define.

> But yeah, trying to scan data before it's read, to detect some fraction of
> the known threats, *does* close a few holes.  The question is how does it
> fit in as "part of this complete security breakfast"...

one _very_ nice thing about the hooks currently being proposed is that 
they are useful for things besides anti-virus tools, tools that have no 
security implications at all. so even if there were no security benifit 
the hooks are still worth considering. but the fact is there is a threat 
model here that is not addressed well with other mechanisms, that is 
useful to cover.

David Lang
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ