| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 19 Aug 2008 09:31:37 +0100 From: tvrtko.ursulin@...hos.com To: david@...g.hm Cc: Alan Cox <alan@...rguk.ukuu.org.uk>, Arjan van de Ven <arjan@...radead.org>, Adrian Bunk <bunk@...nel.org>, capibara@...all.nl, Casey Schaufler <casey@...aufler-ca.com>, davecb@....com, linux-kernel <linux-kernel@...r.kernel.org>, linux-security-module@...r.kernel.org, malware-list@...ts.printk.net, malware-list-bounces@...sg.printk.net, Mihai Don??u <mdontu@...defender.com>, Peter Dolding <oiaohm@...il.com>, Pavel Machek <pavel@...e.cz>, rmeijer@...all.nl Subject: Re: [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on access scanning david@...g.hm wrote on 18/08/2008 18:02:57: > On Mon, 18 Aug 2008, tvrtko.ursulin@...hos.com wrote: > > > david@...g.hm wrote on 18/08/2008 13:07:47: > > > >>>> 3. have a kernel mechanism to say "set this namespace tag if this > > other > >>>> namespace tag is set" (this allows a scanner to set a 'scanning' tag > >>> when it > >>>> starts and only set the 'blessed' tag if the file was not dirtied > >>>> while it was > >>>> being scanned. without this there is a race condition that could > > cause a > >>> file > >>>> to be marked as good incorrectly, the initial threat model ruled > >>> outworrying > >>>> about race conditions, but this seems like a fairly easy one to close > >>> > >>> I don't think you can use xattrs as some atomic barriers, I suspect > > they > >>> are suspectible to same race conditions as open-write-read. > >> > >> this is why it would require kernel support to turn them into atomic > >> barriers (and the reason for this item). without kernel support there is > > a > >> race (it's debatable if that race i significant enough to require the > >> implementation of kernel support to close it, but that's why I listed > >> this) > > > > Maybe not since there are races with database updates anyway. What would > > be necessary is a method of clearing the whole xattr namespace on fresh > > mount to avoid trusting stale data. That I so far don't see how it can be > > done from userspace safely. > > you don't need to clear the xattr space, you can get the same effect by > having scanners that care increment their generation ID. Not the most efficient way since generation ID is global while we are talking about a single mount/filesystem. So incrementing the generation ID causes all filsystems to be rescanned. Also you need additional hooking in mount, plus you have a race condition unless you block in mount while you do your stuff. And you need to take care about deadlocks. > but this would require some way for them to learn of mounts. > > > Also problem with read-only mounts comes to mind. Ups, yes, this is a big > > problem with this scheme in general. We cannot trust xattr namespace when > > we mount something fresh because it has been potentialy mounted on a > > different system, but if it gets mounted read-only we cannot purge that > > data and we cannot store our scan results. Only option is not to do any > > scanning. > > > > This may not be a common usage scenario so it may not be a problem though. > > this is also a policy question, you may _want_ to trust the scanning done > by a different machine, so it's not always the case that you need to > invalidate the scan results when mounting things. Without additional filesystem/VFS support you won't be able to tell if wherever the filesystem was previously mounted had any scanning done. It may have been mounted on a kernel which does not support the whole scheme so it didn't clear the namespace for modified files. > >> I don't think this tool should require the use of other tools to exempt > >> programs from it, and going that way lies madness (there are too many > >> combinations of different tools, trying to define all of the possible > >> interactions can't work, and saying that you must use SELinux with this > >> and not any of the other options is going to be a sure way to get a lot > > of > >> people to not use your tools) > > > > Then there is still a question of who allows some binary to declare itself > > exempt. If that decision was a mistake, or it gets compromised security > > will be off. A very powerful mechanism which must not be easily > > accessible. With a good cache your worries go away even without a scheme > > like this. > > I disagree. I think the number of binaries on the system that don't need > the scanning is surprisingly large, many programs just treat files they > access as blobs of data and don't try to interpret them. it's only when > the file is interpreted or handed to another system that it needs to be > scanned. In a way this is a slighlty different way of moving protection from core to the border which means you must enumerate all possible entry/exit points and you must not get it wrong. > >>> I think you overcomplicated it both in design and in presentation of > > this > >>> text. I was not able to follow and absorb all your postings so I am > > not > >>> sure what apart from single cache point and non-persistent cache you > >>> dislike in Eric's proposal? > >> > >> single cache point, non-persistant cache, inablility to support scanners > > > >> that don't involve enforcement, inability to do preemptive scanning of > >> changes, inability to have user policy define what priority to put on > >> checks, lack of thought of any use other then anti-virus functions. > > > > So you do have a whole new set of requirements which if agreed on someone > > will need to implement. You skipped this bit where I almost asked you if you are willing to get your hands dirty with implementing all this? :) > >> yes this is more complicated than a single bit in memory as the flag, > > but > >> it's also far more flexible. > > > > True. It would be nice though if we could think of a solution which would > > not have a in-kernel tag parser. I am mostly worried about performance > > because tags would have to be checked on every open/read/whetever and > > compared against the policy set from userspace. If I understand correctly > > how you imagined it. Or if you wanted to go to userspace for all these > > decisions then add even more cost for context switching. In later case you > > would also have some kenrel code dealing with cleaning xattr tags which > > would not be mentioned anywhere else in the kernel and that sounds a bit > > like black magic. > > I don't have an in-kernel tag parser. I have a in-kernel tag clearer, but > the tag parser is in the userspace library. this also avoids all the > context switches that worry you as well. How is that? Context switches which worry me are the ones which happen when for each access to a file we need to go to userspace just to see if it has already been scanned. That is why I was more in favour completely of in-kernel caching scheme. > >>>> are any of the features I list impossible to implement? > >>> > >>> Serialisation and race condition avoidance using extended attributes I > >>> think. > >> > >> why could the kernel not have a command that locked the inode for the > >> read, check, write cycle of changing extended attributes? I agree (and > >> document) that without such support there is a race condition. > > > > We could but I agree that we probably don't need to. Having this would be > > very bad for performance. > > why would this be bad for performance? the atomic version would be a > different function that would only be used when marking a file clean, and > as this locking would only be contended if multiple scanners needed to > mark a file clean at the same instance, it will be a very low-contention, > low-use lock. Maybe you would need to lock when checking if file is clean to avoid races? Don't know, I didn't give this that much thought. -- Tvrtko A. Ursulin Senior Software Engineer, Sophos "Views and opinions expressed in this email are strictly those of the author. The contents has not been reviewed or approved by Sophos." Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, United Kingdom. Company Reg No 2096520. VAT Reg No GB 348 3873 20. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists