linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Alan Cox <alan@lxorguk.ukuu.org.uk>
To: "Press, Jonathan" <Jonathan.Press@ca.com>
Cc: "Eric Paris" <eparis@redhat.com>, <peterz@infradead.org>,
	<linux-kernel@vger.kernel.org>, <malware-list@lists.printk.net>,
	<hch@infradead.org>, <andi@firstfloor.org>,
	<viro@ZenIV.linux.org.uk>, <arjan@infradead.org>
Subject: Re: [malware-list] TALPA - a threat model?  well sorta.
Date: Wed, 13 Aug 2008 22:13:48 +0100	[thread overview]
Message-ID: <20080813221348.7198434c@lxorguk.ukuu.org.uk> (raw)
In-Reply-To: <2629CC4E1D22A64593B02C43E855530304AE4BC2@USILMS12.ca.com>

> I may be missing something about your suggestion, but I don't see how
> this would work.  Who does the chmod?
> 
> Here's a sequence:
> 
> - Application opens file
> - AV scanner notified in some way without blocking
> - Application reads file into memory

The discussion has been about scanning on write. 

> - AV scanner determines file is infected.
> - AV scanner chmod's file -- oops, too late.
> - Application sends file over the wire to another machine with a more
> vulnerable OS
> 
> How would this be prevented?

I don't think you can. In your case how does your AV scanner deal with
the case where the application opens the file while another user has it
open and the other user (or even other task with the same handle) changes
the content possibly via mmap.

Content may also directly be shared between users of a file using the
mmap interfaces so your scan on read model is rather dysfunctional.


  reply	other threads:[~2008-08-13 21:31 UTC|newest]

Thread overview: 101+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-08-13 16:36 TALPA - a threat model? well sorta Eric Paris
2008-08-13 16:24 ` Alan Cox
2008-08-13 16:47   ` Eric Paris
2008-08-13 16:37     ` Alan Cox
2008-08-13 17:00       ` Eric Paris
2008-08-13 19:59         ` Alan Cox
2008-08-13 21:24           ` [malware-list] " Press, Jonathan
2008-08-13 21:13             ` Alan Cox [this message]
2008-08-13 21:35             ` Rik van Riel
2008-08-13 21:23               ` Alan Cox
2008-08-15  3:25                 ` Eric Paris
2008-08-15 20:16               ` Jan Harkes
2008-08-15 22:05                 ` Arjan van de Ven
2008-08-17 23:19                   ` Eric Paris
2008-08-17 23:26                     ` Arjan van de Ven
2008-08-17 21:11                       ` David Collier-Brown
2008-08-18 15:33                     ` Alan Cox
2008-08-18 16:43                       ` Rik van Riel
     [not found]                         ` <20080819071416.GA14731@elf.ucw.cz>
2008-08-19 16:10                           ` HSM (was Re: [malware-list] TALPA - a threat model? well sorta.) Rik van Riel
2008-08-19 19:20                             ` Pavel Machek
2008-08-19 20:33                               ` Rik van Riel
2008-08-20 17:03                                 ` Pavel Machek
2008-08-13 17:07   ` TALPA - a threat model? well sorta Christoph Hellwig
2008-08-14 13:00   ` Arnd Bergmann
2008-08-13 16:57 ` Greg KH
2008-08-13 17:39 ` Arjan van de Ven
2008-08-13 18:15   ` Theodore Tso
2008-08-13 18:21     ` Arjan van de Ven
2008-08-14  9:18       ` tvrtko.ursulin
2008-08-13 19:02     ` Eric Paris
2008-08-13 19:29       ` Theodore Tso
2008-08-13 21:15         ` [malware-list] " Press, Jonathan
2008-08-14  9:30         ` tvrtko.ursulin
2008-08-14 12:03           ` Press, Jonathan
2008-08-14 12:27             ` tvrtko.ursulin
2008-08-15 14:31               ` Pavel Machek
2008-08-14 13:24           ` Theodore Tso
2008-08-14 13:48             ` Eric Paris
2008-08-14 15:50               ` Theodore Tso
2008-08-14 17:29                 ` Eric Paris
2008-08-14 19:17                   ` Theodore Tso
2008-08-14 19:20                     ` Eric Paris
2008-08-14 19:34                     ` Christoph Hellwig
2008-08-14 19:41                       ` Theodore Tso
2008-08-14 20:20                         ` Christoph Hellwig
2008-08-14 21:21                           ` J. Bruce Fields
2008-08-14 23:34                             ` Theodore Tso
2008-08-19 21:43                               ` J. Bruce Fields
2008-08-15  1:44                         ` david
2008-08-15  2:04                           ` Theodore Tso
2008-08-15  3:41                             ` Arjan van de Ven
2008-08-15  5:05                               ` david
2008-08-15  5:12                                 ` Johannes Weiner
2008-08-15  5:28                                   ` david
2008-08-15  5:36                                 ` david
2008-08-15  4:48                             ` david
2008-08-15  8:51                             ` Alan Cox
2008-08-15 14:37                 ` Pavel Machek
2008-08-13 18:57   ` Eric Paris
2008-08-13 21:39     ` Arjan van de Ven
2008-08-14 14:12       ` Eric Paris
2008-08-14 15:57         ` Arjan van de Ven
2008-08-15 10:07         ` Helge Hafting
2008-08-15 10:37           ` Peter Zijlstra
2008-08-15 13:10             ` [malware-list] " Press, Jonathan
2008-08-15 13:18               ` douglas.leeder
2008-08-15 17:04                 ` Theodore Tso
2008-08-15 18:09                   ` Press, Jonathan
2008-08-18 10:09                     ` Helge Hafting
2008-08-18 10:14                       ` Peter Zijlstra
2008-08-18 10:24                         ` tvrtko.ursulin
2008-08-18 10:25                       ` douglas.leeder
2008-08-15 16:25               ` david
2008-08-15 16:30                 ` Press, Jonathan
2008-08-15 17:33                   ` david
2008-08-15 17:40                     ` Press, Jonathan
2008-08-15 17:47                       ` david
2008-08-15 18:06                         ` Valdis.Kletnieks
2008-08-15 20:05                           ` david
2008-08-15 20:17                           ` Theodore Tso
2008-08-15 18:17                         ` Press, Jonathan
2008-08-15 20:08                           ` david
2008-08-18 10:02               ` Helge Hafting
2008-08-15 10:44           ` tvrtko.ursulin
2008-08-14  9:46     ` [malware-list] " tvrtko.ursulin
2008-08-14 13:46       ` Arjan van de Ven
2008-08-15  1:37       ` david
2008-08-15  1:31   ` david
2008-08-15 16:06   ` Pavel Machek
2008-08-18 12:21     ` david
2008-08-18 13:30       ` Pavel Machek
2008-08-19  0:03         ` david
2008-08-13 18:17 ` Andi Kleen
2008-08-13 18:21   ` H. Peter Anvin
2008-08-13 18:24   ` Arjan van de Ven
2008-08-13 18:40   ` Eric Paris
2008-08-14  0:18   ` Mihai Donțu
2008-08-14 11:58     ` [malware-list] " Press, Jonathan
2008-08-14 12:34       ` Mihai Donțu
2008-08-14  0:14 ` 7v5w7go9ub0o
2008-08-14  2:25   ` 7v5w7go9ub0o

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20080813221348.7198434c@lxorguk.ukuu.org.uk \
    --to=alan@lxorguk.ukuu.org.uk \
    --cc=Jonathan.Press@ca.com \
    --cc=andi@firstfloor.org \
    --cc=arjan@infradead.org \
    --cc=eparis@redhat.com \
    --cc=hch@infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=malware-list@lists.printk.net \
    --cc=peterz@infradead.org \
    --cc=viro@ZenIV.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).