Dakuzo doesn't work 100%

Posted Oct 23, 2006 15:59 UTC (Mon) by arjan (subscriber, #36785)
In reply to: Critical Linux security API is still a kludge (Inquirer) by nix
Parent article: Critical Linux security API is still a kludge (Inquirer)

The problem is that IT DOESN'T check every access, but only some.

So not only is the approach they take a rootkit-like kludge, it's not even nearly watertight. They don't (and fundamentally cannot) check reads and writes that are done via mmap() for example.

A fundamentally different technical solution is needed, and it probably is going to need changes all over the OS.

A few things that I think are needed:
* An easy, standard way for an application like firefox to ask "I'm about to save/open/... this file, please scan it for me and tell me it's ok". This is needed for Firefox, but also OpenOffice, Evolution and anything else that works with untrusted content. Preventing malware content from entering this system in the first place like this is always going to be better than finding it later on (that doesn't mean that the other one isn't needed per se, just that if you can filter it earlier that's obviously superior).
This way needs to be standardized (glibc?) and easy to use, while the admin can plug in policies and tools.
* SAMBA and NFS need a way of checking stuff before getting/sending it via the network. This may be able to use the previous thing, but maybe not.
* Wine and the other stuff this guy mentions should use the same hooks as in 1)
* If you want to do kernel level hooks, you CAN. They're called "LSM" today. LSM is superior to syscall hooking because it operates at the ACTION rather than at the ENTRY POINT. (This is similar to putting your money in a safe rather than putting a bigger lock on your door... the latter case is vulnerable because a burglar can just come through the window.) But even LSM doesn't solve the mmap() gap; that one is going to be fundamentally hard if not impossible to solve in a way that doesn't make performance totally suck.


Dakuzo doesn't work 100%

Posted Oct 23, 2006 16:28 UTC (Mon) by nix (subscriber, #2304)

Well, they *could* check mmap()ed reads, at least, by scanning the file on every open(). But, no, checking writes is out of the question in the presence of mmap() (imagine the expense! two context switches and some sort of expensive check on every write to an mmap()ed region? Gah.)

scanning on write

Posted Oct 23, 2006 22:55 UTC (Mon) by skitching (subscriber, #36856)

Is it really necessary to scan on each write operation? It seems to me that scanning on close would be sufficient.

If there are concerns about having to rescan a very large file which has had just a small piece modified then the monitoring layer (FUSE-based or other) could keep a list of modified blocks to be scanned on close. How about an in-kernel module that simply exposes a list of changed block ids which a user-mode module could then check on close?

Of course this is rather asymmetrical to the read scanning, which does need to be done as data is read in order to catch bad data on mounted filesystems such as NFS, so maybe it's not such a good idea.

scanning on write

Posted Oct 24, 2006 16:14 UTC (Tue) by nix (subscriber, #2304)

- program A mmap()s foo.so
- nasty program B mmap()s foo.so and infects it
- program A now sees the virus-infected pages and so is magically infected too

So yes, you have to scan on each write: at least on each write of a file opened by more than one process.
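The scenario nix sketches (and the mmap() gap arjan raises in the parent comment) can be reproduced in a few lines. This is an added example, not code from the thread or from any scanner project: a "program A" maps a file read-only with MAP_SHARED, a forked "program B" stores into its own shared mapping of the same file, and A's view changes although neither process issued a write() syscall after the mapping was set up, so a hook on write()/close() never fires. File name and contents are constructed for the demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if A's mapping reflects B's in-memory store, 0 if not,
 * -1 on a setup failure. Demonstrates why syscall-level scanning on
 * write()/close() cannot see modifications made through mmap(). */
int shared_mapping_propagates(void)
{
    char path[] = "/tmp/mmapgapXXXXXX";          /* constructed temp file */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                                 /* file lives on via fd */
    const char clean[] = "clean library contents";
    if (write(fd, clean, sizeof clean) != (ssize_t)sizeof clean) return -1;

    /* "Program A": maps the file once and never touches the fd again. */
    char *a_view = mmap(NULL, sizeof clean, PROT_READ, MAP_SHARED, fd, 0);
    if (a_view == MAP_FAILED) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* "Program B": a plain memory store through its own MAP_SHARED
         * mapping changes the page-cache page both processes share. */
        char *b_view = mmap(NULL, sizeof clean, PROT_READ | PROT_WRITE,
                            MAP_SHARED, fd, 0);
        if (b_view == MAP_FAILED) _exit(1);
        memcpy(b_view, "DIRTY", 5);
        msync(b_view, sizeof clean, MS_SYNC);
        _exit(0);
    }
    int status;
    waitpid(pid, &status, 0);
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;

    int changed = memcmp(a_view, "DIRTY", 5) == 0;  /* A sees B's change */
    munmap(a_view, sizeof clean);
    close(fd);
    return changed;
}

int main(void)
{
    printf("A observed B's mmap() store without any write(): %d\n",
           shared_mapping_propagates());
    return 0;
}
```

An LSM inode/mmap hook can at least see the mapping being created with PROT_WRITE, which is the point at which a policy engine would have to decide; the individual stores afterwards are invisible to the kernel.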

The Inq is wrong

Posted Oct 24, 2006 4:39 UTC (Tue) by gdt (subscriber, #6284)

SAMBA and NFS need a way of checking stuff before getting/sending it via the network. This may be able to use the previous thing, but maybe not.

Samba already has the Virtual File System API that can be used for virus scanning (and multilevel storage and other neat stuff). See samba-vscan for an implementation of a virus scanner which uses VFS.

Other applications which handle data on behalf of Windows systems have similar APIs. Sendmail's milter springs to mind. Milter is now in Postfix too, so we are seeing a common API emerge between the various mail transfer agents.

The Inq's complaint is that an API vital to virus scanning files before they are seen by a Windows host is missing. But since Samba, sendmail and other software which passes data to Windows systems have such APIs, what's the beef?

The article is a vendor whinge to a naive journalist dressed up with a page-hit-seeking headline.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds