Re: [malware-list] TALPA - a threat model? well sorta.

From: tvrtko.ursulin@sophos.com
To: Eric Paris <eparis@redhat.com>
Cc: alan@lxorguk.ukuu.org.uk, andi@firstfloor.org,
	Arjan van de Ven <arjan@infradead.org>,
	hch@infradead.org, linux-kernel@vger.kernel.org,
	malware-list@lists.printk.net,
	malware-list-bounces@dmesg.printk.net, peterz@infradead.org,
	viro@ZenIV.linux.org.uk
Subject: Re: [malware-list] TALPA - a threat model?  well sorta.
Date: Thu, 14 Aug 2008 10:46:55 +0100	[thread overview]
Message-ID: <20080814094701.A65372FE89E@pmx1.sophos.com> (raw)
In-Reply-To: <1218653864.3540.109.camel@localhost.localdomain>

Eric Paris wrote on 13/08/2008 19:57:44:

> > It's clear from the protection model that you described that on 'read'
> > you want to wait until the scan is done before you give the data to 
the
> > process asking for it... and that's totally reasonable: "Do not give
> > out bad data" is a very clear line in terms of security.
> > 
> > for the "dirty" case it gets muddy. You clearly want to scan "some
> > time" after the write, from the principle of getting rid of malware
> > that's on the disk, but it's unclear if this HAS to be synchronous.
> > (obviously, synchronous behavior hurts performance bigtime so lets do
> > as little as we can of that without hurting the protection).
> > One advantage of doing the dirty case async (and a little time 
delayed)
> > is that repeated writes will get lumped up into one scan in practice,
> > saving a ton of performance.
> > (scan-on-close is just another way of implementing "delay the dirty
> > scan").
> > Based on Alans comments, to me this sounds like we should have an
> > efficient mechanism to notify userspace of "dirty events"; this is not
> > virus scan specific in any way or form. And this mechanism likely will
> > need to allow multiple subscribers.
> 
> I'm certainly willing to go down the inotify'ish path for async
> notification of 'dirty' inodes instead of implement my own async
> mechanism if I can find a way to do it.

Do I understand correctly that everyone agrees scanning whenever an inode 
gets dirty would be a terrible thing for performance? 

Another thing we have here is that malware could not be neccessariliy 
identified until the very last write (one example where it will always be 
the case are PDF files (I think)).

So the whole question is at which point should be performing an async 
scan. Close seems like a natural point which should be ideal for majority 
of applications, I don't see how any time-based lumping/delaying scheme 
can be better than close?

> > for the open() case, I would argue that you don't need synchronous
> > behavior as long as the read() case is synchronous. I can imagine that
> > open() kicks off an async scan, and if it's done by the time the first
> > read() happens, no blocking at all happens.
> 
> An interesting addition.  Trying to keep these queues of events gets
> much more complex, but if people really think the open to read race is
> that important I've always said it wasn't impossible to close.

This really sounds pretty interesting. Not necessariliy so much as a 
performance optimisation, because I am not sure there are so many programs 
where first read comes long after the first open, but as closing the 
open-read race. 

Could the implementation be not so complicated after all? If we generated 
the same (roughly) event on reads and pass it for scanning if cache has 
been invalidated in the mean time? The only thing is this could be a big 
performance hit so some benchmarking might be in order depending on which 
the read hook could be made run-time optional.

--
Tvrtko A. Ursulin
Senior Software Engineer, Sophos

"Views and opinions expressed in this email are strictly those of the 
author.
 The contents has not been reviewed or approved by Sophos."

Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.

Company Reg No 2096520. VAT Reg No GB 348 3873 20.