From: douglas.leeder@sophos.com
To: Theodore Tso <tytso@mit.edu>
Cc: linux-kernel <linux-kernel@vger.kernel.org>,
linux-security-module@vger.kernel.org,
malware-list@lists.printk.net
Subject: Re: [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on access scanning
Date: Mon, 18 Aug 2008 17:28:32 +0100 [thread overview]
Message-ID: <20080818162830.F0BAA3F608F@pmx1.sophos.com> (raw)
In-Reply-To: <20080818142511.GC8184@mit.edu>
malware-list-bounces@dmesg.printk.net wrote on 2008-08-18 15:25:11:
> On Mon, Aug 18, 2008 at 02:15:24PM +0100, tvrtko.ursulin@sophos.com
wrote:
> > Then there is still a question of who allows some binary to declare
itself
> > exempt. If that decision was a mistake, or it gets compromised
security
> > will be off. A very powerful mechanism which must not be easily
> > accessible. With a good cache your worries go away even without a
scheme
> > like this.
>
> I have one word for you --- bittorrent. If you are downloading a very
> large torrent (say approximately a gigabyte), and it contains many
> pdf's that are say a few megabytes a piece, and things are coming in
> tribbles, having either a indexing scanner or an AV scanner wake up
> and rescan the file from scratch each time a tiny piece of the pdf
> comes in is going to eat your machine alive....
What size is a tribble? :-)
If we assume that the bittorrent client is closing and re-openning the
file
each time it's got a nice piece of the file? (Otherwise I don't think
we'll have a performance problem)
Then there maybe room for a optimisation of the following form:
For a file X.
If X is only a local disk.
If X was written from empty by process A and only process A.
Then don't scan attempts to open by process A.
But that sort of optimisation can either be done in user-space, or in a
future
kernel modification.
I haven't fully analysed this - it assumes that reading data into process
A, that
process A wrote out is safe, regardless of the data.
--
Douglas Leeder
Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.
Company Reg No 2096520. VAT Reg No GB 348 3873 20.
next prev parent reply other threads:[~2008-08-18 16:28 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <alpine.DEB.1.10.0808180444390.12859@asgard.lang.hm>
[not found] ` <20080818131628.1C2A22FE82F@pmx1.sophos.com>
2008-08-18 14:25 ` [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on access scanning Theodore Tso
2008-08-18 15:31 ` tvrtko.ursulin
2008-08-18 15:31 ` Alan Cox
2008-08-18 13:42 ` David Collier-Brown
2008-08-18 17:53 ` Alan Cox
2008-08-18 18:13 ` david
2008-08-18 15:58 ` tvrtko.ursulin
2008-08-18 17:13 ` david
2008-08-18 16:15 ` Eric Paris
2008-08-18 16:15 ` Alan Cox
2008-08-18 16:54 ` douglas.leeder
2008-08-18 16:40 ` Alan Cox
2008-08-18 17:28 ` Eric Paris
2008-08-18 17:25 ` Alan Cox
2008-08-18 17:54 ` Eric Paris
2008-08-18 18:30 ` Eric Paris
2008-08-18 18:51 ` Alan Cox
2008-08-18 18:35 ` Jan Harkes
2008-08-18 18:46 ` Eric Paris
2008-08-18 19:04 ` david
2008-08-20 2:44 ` [malware-list] scanner interface proposal was: [TALPA] Intro linux interface for for " david
2008-08-20 15:15 ` Eric Paris
2008-08-20 17:33 ` david
2008-08-20 19:26 ` Eric Paris
2008-08-21 0:42 ` david
2008-08-20 17:50 ` david
2008-08-21 14:35 ` [malware-list] scanner interface proposal was: [TALPA] Intro linux interface " douglas.leeder
2008-08-21 21:19 ` david
2008-08-22 15:09 ` [malware-list] scanner interface proposal was: [TALPA] Intro linux interface for " Pavel Machek
2008-08-23 7:28 ` david
2008-08-18 19:32 ` [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on " Jan Harkes
2008-08-18 17:38 ` david
2008-08-18 17:29 ` david
2008-08-18 17:39 ` Eric Paris
2008-08-18 18:09 ` david
2008-08-18 18:34 ` Eric Paris
2008-08-18 17:07 ` david
2008-08-19 8:40 ` tvrtko.ursulin
2008-08-18 22:40 ` Pavel Machek
2008-08-18 23:07 ` Eric Paris
2008-08-19 1:15 ` Peter Dolding
2008-08-19 8:09 ` douglas.leeder
2008-08-19 11:08 ` Peter Dolding
[not found] ` <20080819114040.2FD1B336880@pmx1.sophos.com>
2008-08-20 3:03 ` Peter Dolding
2008-08-18 16:28 ` douglas.leeder [this message]
[not found] <alpine.DEB.1.10.0808180951470.15109@asgard.lang.hm>
2008-08-19 8:31 ` tvrtko.ursulin
2008-08-19 16:07 ` david
2008-08-19 12:34 ` David Collier-Brown
[not found] <20080818101625.85CA12FE876@pmx1.sophos.com>
2008-08-18 10:35 ` douglas.leeder
2008-08-18 12:13 ` david
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080818162830.F0BAA3F608F@pmx1.sophos.com \
--to=douglas.leeder@sophos.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=malware-list@lists.printk.net \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).