Dakuzo doesn't work 100%
Posted Oct 23, 2006 15:59 UTC (Mon) by arjan
In reply to: Critical Linux security API is still a kludge (Inquirer)
Parent article: Critical Linux security API is still a kludge (Inquirer)
The problem is that IT DOESN'T check every access, but only some.
So not only is that approach they take a root-kit like kludge, it's not even nearly watertight. They don't (and fundamentally cannot) check reads and writes that are done via mmap() for example.
A fundamentally different technical solution is needed, and it probably is going to need changes all over the OS.
A few things that I think are needed:
* An easy, standard way for an application like firefox to ask "I'm about to save/open/... this file, please scan it for me and tell me it's ok". This is needed for Firefox, but also OpenOffice, Evolution and anything else that works with untrusted content. Preventing malware content from entering this system in the first place like this is always going to be better than finding it later on (that doesn't mean that the other one isn't needed per se, just that if you can filter it earlier that's obviously superior).
This way needs to be standardized (glibc?) and easy to use, while the admin can plug in policies and tools.
* SAMBA and NFS need a way of checking stuff before getting/sending it via the network. This may be able to use the previous thing, but maybe not.
* Wine and the other stuff this guy mentions should use the same hooks as in 1)
* If you want to do kernel level hooks, you CAN. They're called "LSM" today. LSM is superior to syscall hooking because it operates at the ACTION rather than at the ENTRY POINT. (This is similar to putting your money in a safe rather than putting a bigger lock on your door... the latter case is vulnerable because a burglar can just come through the window.) But even LSM doesn't solve the mmap() gap; that one is going to be fundamentally hard if not impossible to solve in a way that doesn't make performance totally suck.
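The first bullet above asks for a standard library-level call through which an application hands a file to an admin-pluggable scanner before opening or saving it. The following sketch, added here as an illustration and not taken from the LWN thread, from Dazuko, or from any real project, shows what such a hook could look like: a policy registry the admin fills with scanner callables, a read-side `open_scanned()` that refuses files the policy rejects, and a write-side `save_scanned()` that scans content before it ever reaches the filesystem. All names (`ScanPolicy`, `Verdict`, `open_scanned`, `save_scanned`) and the detection marker are assumptions made for the example; the marker is a constructed string, not a real signature.

```python
"""Library-level "please scan this file for me" hook, illustrating the idea
in the comment above.  Added example; the API names are assumptions, not
an existing interface."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, List, Set


@dataclass(frozen=True)
class Verdict:
    clean: bool
    reason: str = ""


# A scanner is any callable that takes the file's bytes and returns a Verdict.
# The admin plugs these in; the application never sees them directly.
Scanner = Callable[[bytes], Verdict]


class ScanPolicy:
    """Registry the admin populates; applications only call scan_path()/scan_bytes()."""

    def __init__(self) -> None:
        self._scanners: List[Scanner] = []

    def register(self, scanner: Scanner) -> None:
        self._scanners.append(scanner)

    def scan_bytes(self, data: bytes) -> Verdict:
        # First scanner to object wins; an empty policy allows everything.
        for scanner in self._scanners:
            v = scanner(data)
            if not v.clean:
                return v
        return Verdict(True)

    def scan_path(self, path: str) -> Verdict:
        with open(path, "rb") as f:
            return self.scan_bytes(f.read())


# Constructed test marker for the example; deliberately NOT a real signature.
MARKER = b"CONSTRUCTED-TEST-MARKER"


def marker_scanner(data: bytes) -> Verdict:
    """Toy content scanner: flags files containing the constructed marker."""
    if MARKER in data:
        return Verdict(False, "constructed marker found")
    return Verdict(True)


def blocklist_scanner(blocked_sha256: Set[str]) -> Scanner:
    """Factory for a hash-blocklist scanner; the admin supplies the digests."""

    def scan(data: bytes) -> Verdict:
        digest = hashlib.sha256(data).hexdigest()
        if digest in blocked_sha256:
            return Verdict(False, f"sha256 {digest[:12]}... on blocklist")
        return Verdict(True)

    return scan


class ScanError(OSError):
    """Raised when the policy refuses to let the application open a file."""


def open_scanned(policy: ScanPolicy, path: str, mode: str = "rb"):
    """Read side of the hook: scan before handing the file to the application."""
    v = policy.scan_path(path)
    if not v.clean:
        raise ScanError(f"{path}: {v.reason}")
    return open(path, mode)


def save_scanned(policy: ScanPolicy, path: str, data: bytes) -> Verdict:
    """Write side: scan the content first, so rejected data never reaches disk."""
    v = policy.scan_bytes(data)
    if v.clean:
        with open(path, "wb") as f:
            f.write(data)
    return v


def demo() -> dict:
    """Exercise both sides of the hook on constructed files; returns the outcomes."""
    policy = ScanPolicy()
    policy.register(marker_scanner)
    policy.register(blocklist_scanner({hashlib.sha256(b"known bad").hexdigest()}))
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "good.txt")
        bad = os.path.join(d, "bad.txt")
        results["save_good"] = save_scanned(policy, good, b"hello").clean
        results["save_marked"] = save_scanned(policy, bad, b"x" + MARKER).clean
        results["marked_written"] = os.path.exists(bad)  # rejected data never lands
        with open_scanned(policy, good) as f:
            results["open_good"] = f.read()
        # Content that bypassed save_scanned (e.g. arrived over the network)
        # is still caught on the read side, as long as the app uses the hook.
        with open(bad, "wb") as f:
            f.write(b"known bad")
        try:
            open_scanned(policy, bad).close()
            results["open_bad"] = "allowed"
        except ScanError:
            results["open_bad"] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is the one the comment makes: the scan happens at the application's action (open or save), with the policy chosen by the admin, not by the application. The same limitation the comment raises applies here too: the hook only covers programs that call it, and a file modified by some other process (via mmap() or otherwise) is only caught the next time a cooperating application opens it through `open_scanned()`.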