lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20080818162830.F0BAA3F608F@pmx1.sophos.com>
Date:	Mon, 18 Aug 2008 17:28:32 +0100
From:	douglas.leeder@...hos.com
To:	Theodore Tso <tytso@....edu>
Cc:	linux-kernel <linux-kernel@...r.kernel.org>,
	linux-security-module@...r.kernel.org,
	malware-list@...ts.printk.net
Subject: Re: [malware-list] scanner interface proposal was: [TALPA] Intro	to	a linux
 interface for on access scanning

malware-list-bounces@...sg.printk.net wrote on 2008-08-18 15:25:11:

> On Mon, Aug 18, 2008 at 02:15:24PM +0100, tvrtko.ursulin@...hos.com 
wrote:
> > Then there is still a question of who allows some binary to declare 
itself 
> > exempt. If that decision was a mistake, or it gets compromised 
security 
> > will be off. A very powerful mechanism which must not be easily 
> > accessible.  With a good cache your worries go away even without a 
scheme 
> > like this.
> 
> I have one word for you --- bittorrent.  If you are downloading a very
> large torrent (say approximately a gigabyte), and it contains many
> pdf's that are say a few megabytes a piece, and things are coming in
> tribbles, having either a indexing scanner or an AV scanner wake up
> and rescan the file from scratch each time a tiny piece of the pdf
> comes in is going to eat your machine alive....

What size is a tribble? :-)

If we assume that the bittorrent client is closing and re-openning the 
file 
each time it's got a nice piece of the file? (Otherwise I don't think
we'll have a performance problem)

Then there maybe room for a optimisation of the following form:
For a file X.
If X is only a local disk.
If X was written from empty by process A and only process A.
Then don't scan attempts to open by process A.

But that sort of optimisation can either be done in user-space, or in a 
future 
kernel modification.

I haven't fully analysed this - it assumes that reading data into process 
A, that
process A wrote out is safe, regardless of the data. 

-- 
Douglas Leeder

Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.

Company Reg No 2096520. VAT Reg No GB 348 3873 20.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ