linux-kernel.vger.kernel.org archive mirror
From: david@lang.hm
To: Pavel Machek <pavel@suse.cz>
Cc: rmeijer@xs4all.nl, Peter Dolding <oiaohm@gmail.com>,
	Theodore Tso <tytso@mit.edu>,
	Arjan van de Ven <arjan@infradead.org>,
	Alan Cox <alan@lxorguk.ukuu.org.uk>,
	capibara@xs4all.nl, Eric Paris <eparis@redhat.com>,
	Rik van Riel <riel@redhat.com>,
	davecb@sun.com, linux-security-module@vger.kernel.org,
	Adrian Bunk <bunk@kernel.org>,
	Mihai Donțu <mdontu@bitdefender.com>,
	linux-kernel@vger.kernel.org, malware-list@lists.printk.net
Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforon access scanning
Date: Sun, 17 Aug 2008 15:30:10 -0700 (PDT)
Message-ID: <alpine.DEB.1.10.0808171524350.12859@asgard.lang.hm>
In-Reply-To: <20080817215822.GA21112@atrey.karlin.mff.cuni.cz>

On Sun, 17 Aug 2008, Pavel Machek wrote:

>>>> you are arguing with the wrong people here. we are not trying to define
>>>> the future of anti-virus technologies, we are trying to figure out how to
>>>> provide the hooks so that people and companies can go off and do the
>>>> research and experimentation and try different approaches.
>>>
>>> Given recent demonstrations that show how easy it apparently is to bypass
>>> blacklist based approaches, providing hooks to allow these blacklist
>>> approaches may I feel be rather futile. Focusing only on hooks for white
>>> list approaches in combination with hooks for least authority approaches
>>> like the powerbox would IMHO seem like a much more reasonable approach
>>> given the current state of things and knowledge concerning the blacklist
>>> technologies. Explicitly adding support for technology that is quickly
>>> becoming obsolete would seem like a waste of time and resources.
>>
>> we are not providing hooks for blacklists or whitelists, we are providing
>> hooks for scanning. it's up to the software that does the scanning to
>> implement the blacklist or whitelist.
>
> Actually, I don't think so.
>
> If we wanted to whitelist permitted binaries, approach would be
> something like "let's sign them"... and it seems IBM is working on
> something like that with TPM infrastructure.

the structure I proposed would support this as well.

your 'scanner' program would do the signature and store it somewhere and 
mark the file as being scanned.

on access the checking software would see that you have marked it as being 
scanned and can avoid the overhead of reading the entire file to check 
its signature (or you can configure it to do the full check again)

if the file gets written to the tag would get cleared and the file would 
not be used without being blessed by your scanner again (and your scanner 
may bless it if what happened was an OS update where the new file matches a
known signature)

not quite as straightforward as you were probably thinking (you were 
probably thinking something like 'store the signature and have the kernel
check it each time the file is opened'), but this would have the option of 
being faster by skipping the signature check if the file was tagged as 
already being checked.

David Lang
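
The tag-and-invalidate flow described in the message above, as an added Python model that is not part of the original message or of any kernel code. The class, method names, path and file contents are hypothetical, and an in-memory set stands in for the per-file "scanned" tag the kernel would hold.

```python
import hashlib


class TaggedFileStore:
    """Toy model: files carry a 'scanned' tag that any write clears."""

    def __init__(self, known_good):
        self.known_good = set(known_good)  # scanner policy: whitelisted SHA-256 digests
        self.data = {}                     # path -> file content (constructed samples)
        self.tagged = set()                # paths currently marked as scanned
        self.full_checks = 0               # number of whole-file reads performed

    def write(self, path, content):
        # Kernel side: any write invalidates the earlier verdict.
        self.data[path] = content
        self.tagged.discard(path)

    def scan(self, path):
        # Scanner side: read the whole file, compare with the whitelist,
        # and tag the file only when it matches a known signature.
        self.full_checks += 1
        digest = hashlib.sha256(self.data[path]).hexdigest()
        if digest in self.known_good:
            self.tagged.add(path)
            return True
        return False

    def on_open(self, path, recheck=False):
        # Access check: a tagged file is allowed without re-reading it,
        # unless the checker is configured to repeat the full check.
        if path in self.tagged and not recheck:
            return True
        return self.scan(path)


def demo():
    # Constructed sample contents: two vendor versions and one modified copy.
    v1, v2, modified = b"ls 1.0", b"ls 1.1 (OS update)", b"ls 1.0 + unknown bytes"
    store = TaggedFileStore({hashlib.sha256(v).hexdigest() for v in (v1, v2)})
    results = []
    store.write("/bin/ls", v1)
    results.append(store.on_open("/bin/ls"))  # first access: full check, then tagged
    results.append(store.on_open("/bin/ls"))  # second access: tag hit, no hashing
    checks_after_cached_open = store.full_checks
    store.write("/bin/ls", v2)                # OS update clears the tag
    results.append(store.on_open("/bin/ls"))  # re-blessed: matches a known signature
    store.write("/bin/ls", modified)          # unknown change clears the tag
    results.append(store.on_open("/bin/ls"))  # not blessed: access refused
    return results, checks_after_cached_open, store.full_checks
```

The security of the fast path rests entirely on the tag being cleared on every write path and being settable only by the scanner; the model enforces that by construction, a real implementation has to guarantee it.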
