From: Jan Harkes <jaharkes@cs.cmu.edu>
To: Eric Paris <eparis@redhat.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>,
tvrtko.ursulin@sophos.com, Theodore Tso <tytso@mit.edu>,
davecb@sun.com, david@lang.hm, Adrian Bunk <bunk@kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
malware-list@lists.printk.net,
Casey Schaufler <casey@schaufler-ca.com>,
Arjan van de Ven <arjan@infradead.org>
Subject: Re: [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on access scanning
Date: Mon, 18 Aug 2008 14:35:40 -0400 [thread overview]
Message-ID: <20080818183540.GA5470@cs.cmu.edu> (raw)
In-Reply-To: <1219082097.15566.82.camel@localhost.localdomain>
On Mon, Aug 18, 2008 at 01:54:57PM -0400, Eric Paris wrote:
> But the file being installed needs to be at least RD for AV/Indexer.
> Particularly of interest to people here would be a file opened O_WRONLY
> and then the indexer wouldn't have the ability to read the data that was
> just written. So we need a new FD, can't just send the old one.
>
> I'd also assume that an HSM would need a WR file descriptor, which isn't
> easy. I've found that (through trial and error not understanding the
> code) trying to make new descriptors for the new process have WR often
> returned with ETXTBUSY....
The devil is in the details, and besides everyone trying to heap other
things on, one thing that keeps getting brought up, and seemingly keeps
getting ignored is the fact that there already is a perfectly reasonable
interface to pass file system events (open, close, read, write, etc) to
userspace applications in the form of FUSE which has already in some
ways solved issues wrt. subtle deadlocks that can happen when you bounce
from an in-kernel context to a userspace application.
Fuse is definitely the way to go for HSM. But even for one of the
various threat models I've read in the past couple of days it would be
perfect. i.e. not allowing Linux servers to be used as a means to
propagate viruses for other machines.
The trick is to have a scanned view on the file storage though a FUSE
mount, and then have samba/knfs/apache/etc. export only the fuse mounted
tree or chroot the daemons under the scanned part of the namespace. This
provides an excellent way to separate 'trusted' applications from
non-trusted by leveraging the namespace. In fact the raw data can easily
be stored in such a way that it is owned and accessible only by fuse's
userspace process (and root) so that even without chroot, local users
can only access the data through the fuse mount/scanning layer.
And the kernel parts are already implemented, doesn't require new
syscalls, or placing policy about which processes happen to be
'priviledged' in the kernel and solves several nasty deadlocks that can
happen when you start blocking processes in their open, close, read,
write or page faulting code paths.
...
> trouble) what would it look like? A scanner constantly calls scan() to
> block for data to be scanned? So an AV, HSM, or indexer all would be
> blocking in scan() just waiting for data? How do they respond? How is
They all block at different places because they all have very different
requirements.
HSM blocks in open before the file data is present because that still
needs to be fetched. AV scan blocks after the file data is accessible
but before returning to the application and the indexer only cares about
being notified after a open for write/mmap releases the last (writing)
reference to the file, since it seems to me to be quite useless indexing
not yet or partially written data.
As far as I am concerned, this thread has been going nowhere fast by
mixing up the various requirements that come from different possible
applications that people imagine this interface being used for. As far
as I was hoping, part of "defining the threat model" line of questioning
was to avoid having discussions spin into the realm of how even with all
the protections someone could still subvert the virus scanner by
bit-flipping memory state with a scanning tunneling microscope or
something.
Jan
next prev parent reply other threads:[~2008-08-18 18:36 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <alpine.DEB.1.10.0808180444390.12859@asgard.lang.hm>
[not found] ` <20080818131628.1C2A22FE82F@pmx1.sophos.com>
2008-08-18 14:25 ` [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on access scanning Theodore Tso
2008-08-18 15:31 ` tvrtko.ursulin
2008-08-18 15:31 ` Alan Cox
2008-08-18 13:42 ` David Collier-Brown
2008-08-18 17:53 ` Alan Cox
2008-08-18 18:13 ` david
2008-08-18 15:58 ` tvrtko.ursulin
2008-08-18 17:13 ` david
2008-08-18 16:15 ` Eric Paris
2008-08-18 16:15 ` Alan Cox
2008-08-18 16:54 ` douglas.leeder
2008-08-18 16:40 ` Alan Cox
2008-08-18 17:28 ` Eric Paris
2008-08-18 17:25 ` Alan Cox
2008-08-18 17:54 ` Eric Paris
2008-08-18 18:30 ` Eric Paris
2008-08-18 18:51 ` Alan Cox
2008-08-18 18:35 ` Jan Harkes [this message]
2008-08-18 18:46 ` Eric Paris
2008-08-18 19:04 ` david
2008-08-20 2:44 ` [malware-list] scanner interface proposal was: [TALPA] Intro linux interface for for " david
2008-08-20 15:15 ` Eric Paris
2008-08-20 17:33 ` david
2008-08-20 19:26 ` Eric Paris
2008-08-21 0:42 ` david
2008-08-20 17:50 ` david
2008-08-21 14:35 ` [malware-list] scanner interface proposal was: [TALPA] Intro linux interface " douglas.leeder
2008-08-21 21:19 ` david
2008-08-22 15:09 ` [malware-list] scanner interface proposal was: [TALPA] Intro linux interface for " Pavel Machek
2008-08-23 7:28 ` david
2008-08-18 19:32 ` [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on " Jan Harkes
2008-08-18 17:38 ` david
2008-08-18 17:29 ` david
2008-08-18 17:39 ` Eric Paris
2008-08-18 18:09 ` david
2008-08-18 18:34 ` Eric Paris
2008-08-18 17:07 ` david
2008-08-19 8:40 ` tvrtko.ursulin
2008-08-18 22:40 ` Pavel Machek
2008-08-18 23:07 ` Eric Paris
2008-08-19 1:15 ` Peter Dolding
2008-08-19 8:09 ` douglas.leeder
2008-08-19 11:08 ` Peter Dolding
[not found] ` <20080819114040.2FD1B336880@pmx1.sophos.com>
2008-08-20 3:03 ` Peter Dolding
2008-08-18 16:28 ` douglas.leeder
[not found] <alpine.DEB.1.10.0808180951470.15109@asgard.lang.hm>
2008-08-19 8:31 ` tvrtko.ursulin
2008-08-19 16:07 ` david
2008-08-19 12:34 ` David Collier-Brown
[not found] <20080818101625.85CA12FE876@pmx1.sophos.com>
2008-08-18 10:35 ` douglas.leeder
2008-08-18 12:13 ` david
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080818183540.GA5470@cs.cmu.edu \
--to=jaharkes@cs.cmu.edu \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=arjan@infradead.org \
--cc=bunk@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=davecb@sun.com \
--cc=david@lang.hm \
--cc=eparis@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=malware-list@lists.printk.net \
--cc=tvrtko.ursulin@sophos.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).