| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.DEB.1.10.0808181110040.15109@asgard.lang.hm> Date: Mon, 18 Aug 2008 11:13:26 -0700 (PDT) From: david@...g.hm To: David Collier-Brown <davecb@....com> cc: Alan Cox <alan@...rguk.ukuu.org.uk>, tvrtko.ursulin@...hos.com, Theodore Tso <tytso@....edu>, Arjan van de Ven <arjan@...radead.org>, Adrian Bunk <bunk@...nel.org>, capibara@...all.nl, Casey Schaufler <casey@...aufler-ca.com>, linux-kernel <linux-kernel@...r.kernel.org>, linux-security-module@...r.kernel.org, malware-list@...ts.printk.net, malware-list-bounces@...sg.printk.net, Mihai Don??u <mdontu@...defender.com>, Peter Dolding <oiaohm@...il.com>, Pavel Machek <pavel@...e.cz>, rmeijer@...all.nl Subject: Re: [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on access scanning On Mon, 18 Aug 2008, David Collier-Brown wrote: > tvrtko.ursulin wrote: >>> Huh? I was never advocating re-scan after each modification and I even >>> explicitly said it does not make sense for AV not only for performance but >>> because it will be useless most of the time. I thought sending out >>> modified notification on close makes sense because it is a natural point, >>> unless someone is trying to subvert which is out of scope. Other have >>> suggested time delay and lumping up. > > Alan Cox wrote: >> You need a bit more than close I imagine, otherwise I can simply keep the >> file open forever. There are lots of cases where that would be natural >> behaviour - eg if I was to attack some kind of web forum and insert a >> windows worm into the forum which was database backed the file would >> probably never be closed. That seems to be one of the more common attack >> vectors nowdays. > > I suspect we're saying "on close" when what's really meant is > "opened for write". In the latter case, the notification would tell > the user-space program to watch for changes, possibly by something as > simple as doing a stat now and another when it gets around to deciding if it > should scan the file. I see lots of room for > user-space alternatives for change detection, depending on how much > state it keeps. Rsync-like, perhaps? trying to have every scanner program monitor every file that any program opens for write by doing periodic stat commands on it sounds like a very inefficiant process (and unless they then get notified on close as well, how do they know when to stop monitoring?) getting a notification on the transition from scanned -> dirty is much less of a load (yes, it does leave open the possiblilty of a file getting scanned multiple times as it keeps getting dirtied, but that's a policy question of how aggressive the scanner is set to be in scanning files) David Lang -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists