RE: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning

To: Press, Jonathan <Jonathan.Press@...>
Cc: Greg KH <greg@...>, <linux-kernel@...>, <malware-list@...>
Date: Tuesday, August 5, 2008 - 10:56 am

On Tue, 2008-08-05 at 10:41 -0400, Press, Jonathan wrote:

You aren't doing write time scanning anyway.  This exclusion means that
an 'excluded' process can OPEN things that would normally be called
malware.  The model here doesn't talk about adding files with bad
information to the system; it talks about stopping that bad information
from being opened and propagated further.  Thread exclusions as they are
written in the patch only weaken security to those processes which
actively choose to read malware; it in no way weakens the security of
the system as a whole...

Wait, wait, you'd rather have a 'privileged' process be allowed to exclude
every other process on a system than have it only be allowed to
exclude itself? And somehow that is safer?

"by name" is right out the window.  You are never going to win 'by name'
on anything to do with the kernel  :)  Maybe you can get me to
eventually buy into 'by pid' or something like that, but setting flags
on other running processes is always going to be racy and scary for me.
Can you show me some code on how to do this cleanly?  And why it needs
to be done in kernel?

What is the goal you are trying to achieve?  A performance win for the
application in question or is this a security aware application that
needs to be able to access 'sensitive' data?

-Eric


Messages in current thread:
RE: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interf..., Eric Paris, (Tue Aug 5, 10:56 am)
Sidebar to [malware-list] [RFC 0/5] [TALPA] Intro to a linux..., David Collier-Brown, (Wed Aug 6, 7:40 am)
Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linuxinterfa..., David Collier-Brown, (Mon Aug 11, 12:11 pm)
Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linuxinterfa..., Arjan van de Ven, (Wed Aug 13, 10:28 am)
Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interf..., David Collier-Brown, (Wed Aug 6, 7:31 am)