linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: david@lang.hm
To: Pavel Machek <pavel@suse.cz>
Cc: Eric Paris <eparis@redhat.com>, Jan Harkes <jaharkes@cs.cmu.edu>,
	Alan Cox <alan@lxorguk.ukuu.org.uk>,
	tvrtko.ursulin@sophos.com, Theodore Tso <tytso@mit.edu>,
	davecb@sun.com, Adrian Bunk <bunk@kernel.org>,
	linux-kernel <linux-kernel@vger.kernel.org>,
	malware-list@lists.printk.net,
	Casey Schaufler <casey@schaufler-ca.com>,
	Arjan van de Ven <arjan@infradead.org>
Subject: Re: [malware-list] scanner interface proposal was: [TALPA] Intro linux interface for  for access scanning
Date: Sat, 23 Aug 2008 00:28:18 -0700 (PDT)	[thread overview]
Message-ID: <alpine.DEB.1.10.0808230009530.25127@asgard.lang.hm> (raw)
In-Reply-To: <20080822150917.GA8152@ucw.cz>

On Fri, 22 Aug 2008, Pavel Machek wrote:

> To: david@lang.hm
>
>> Eric is viewing this through the AV point of view,
>>   this means
> ...
>> He is thinking that any ability to avoid doing the scan
>> is a security hole.
>
> That's contrary to the threat model ('it is just a scanner').
>
> (Plus you can't do it. mmap. Of course you can pass viruses between
> two cooperating applications... and you can do it through filesystem,
> too. And you probably can make un-cooperating network server serve
> viruses, as long as the network server uses mmap.)

by the way, sendfile and splice will probably also cause grief (or at 
least open-only checks like mmap)

> This is the thing that makes antivirus ugly, its unique to the
> antivirus, plus it can't be done. I.e. bad goal.

the items that I see as the potentially difficult policy decisions

1. when to scan files on access

and the more dificult issue,
2.when to allow access to unscanned files

3. what to do if different scanners disagree with each other


I think Eric's answers would be

1. unless they are already marked as being scanned since rebooting

2. only when a scanner program is doing the access, unless the scanner 
programs all decide differently.

3. only allow access if all scanners agree.


My answers are

1. unless they have already been marked by the current generation of 
scanner signatures

2. depends wildly on the environment. some uses will want to follow Eric's 
very strict policy, others will only want to impose the on-access scanning 
on software expected to be exposed to windows clients, yet others will 
want to scan by default, but exempt programs that don't interpret their 
input (for example 'wc')

I also don't know how the kernel could reliably figure out what program is 
asking for access. I guess you could try to do something with SELinux 
tags, but that makes this system dependant on SELinux, plus since you can 
only have one tag on the program it will potentially double the number if 
unique tags on the system, with a significant complication to the ruleset 
to make each of the tags identical, except for this one function.

3. like #2 depends wildly on the environment and what scanners are in use. 
I could easily see a 'majority vote wins' with three (or more) AV scanners 
in use. I could also see having a checksum based scanner override the 
decision of a heristic based scanner

David Lang

  reply	other threads:[~2008-08-23  7:29 UTC|newest]

Thread overview: 45+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <alpine.DEB.1.10.0808180444390.12859@asgard.lang.hm>
     [not found] ` <20080818131628.1C2A22FE82F@pmx1.sophos.com>
2008-08-18 14:25   ` [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on access scanning Theodore Tso
2008-08-18 15:31     ` tvrtko.ursulin
2008-08-18 15:31       ` Alan Cox
2008-08-18 13:42         ` David Collier-Brown
2008-08-18 17:53           ` Alan Cox
2008-08-18 18:13           ` david
2008-08-18 15:58         ` tvrtko.ursulin
2008-08-18 17:13           ` david
2008-08-18 16:15       ` Eric Paris
2008-08-18 16:15         ` Alan Cox
2008-08-18 16:54           ` douglas.leeder
2008-08-18 16:40             ` Alan Cox
2008-08-18 17:28           ` Eric Paris
2008-08-18 17:25             ` Alan Cox
2008-08-18 17:54               ` Eric Paris
2008-08-18 18:30                 ` Eric Paris
2008-08-18 18:51                   ` Alan Cox
2008-08-18 18:35                 ` Jan Harkes
2008-08-18 18:46                   ` Eric Paris
2008-08-18 19:04                     ` david
2008-08-20  2:44                       ` [malware-list] scanner interface proposal was: [TALPA] Intro linux interface for for " david
2008-08-20 15:15                         ` Eric Paris
2008-08-20 17:33                           ` david
2008-08-20 19:26                             ` Eric Paris
2008-08-21  0:42                               ` david
2008-08-20 17:50                           ` david
2008-08-21 14:35                           ` [malware-list] scanner interface proposal was: [TALPA] Intro linux interface " douglas.leeder
2008-08-21 21:19                             ` david
2008-08-22 15:09                         ` [malware-list] scanner interface proposal was: [TALPA] Intro linux interface for " Pavel Machek
2008-08-23  7:28                           ` david [this message]
2008-08-18 19:32                     ` [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on " Jan Harkes
2008-08-18 17:38             ` david
2008-08-18 17:29         ` david
2008-08-18 17:39           ` Eric Paris
2008-08-18 18:09             ` david
2008-08-18 18:34               ` Eric Paris
2008-08-18 17:07       ` david
2008-08-19  8:40         ` tvrtko.ursulin
2008-08-18 22:40       ` Pavel Machek
2008-08-18 23:07         ` Eric Paris
2008-08-19  1:15           ` Peter Dolding
2008-08-19  8:09             ` douglas.leeder
2008-08-19 11:08               ` Peter Dolding
     [not found]                 ` <20080819114040.2FD1B336880@pmx1.sophos.com>
2008-08-20  3:03                   ` Peter Dolding
2008-08-18 16:28     ` douglas.leeder

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=alpine.DEB.1.10.0808230009530.25127@asgard.lang.hm \
    --to=david@lang.hm \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=arjan@infradead.org \
    --cc=bunk@kernel.org \
    --cc=casey@schaufler-ca.com \
    --cc=davecb@sun.com \
    --cc=eparis@redhat.com \
    --cc=jaharkes@cs.cmu.edu \
    --cc=linux-kernel@vger.kernel.org \
    --cc=malware-list@lists.printk.net \
    --cc=pavel@suse.cz \
    --cc=tvrtko.ursulin@sophos.com \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).