Critical Linux security API is still a kludge (Inquirer)
Posted Oct 23, 2006 18:29 UTC (Mon) by bluefoxicy
In reply to: Critical Linux security API is still a kludge (Inquirer)
Parent article: Critical Linux security API is still a kludge (Inquirer)
Actions like read() and mmap() can go through FUSE; and if you mmap() a file on a FUSE file system the kernel has to ask FUSE what to do with it. Once the filter extensions hit FUSE mainline (Miklos says they will), you'll be able to reliably determine when a file has changed.
For network file systems like NFS or SMB, you'll have to scan accessed data each time it's pulled over; but incremental scanning is possible. Picture scanning an executable that adds viral code to .text called by _main(). The relocation pages are pulled over, relocations are done, functions in .init are run, some of .text is pulled over, _main() is entered. Now _main() tries to execute virus in a page that hasn't yet been accessed. As that page is brought over, it is scanned for a virus, which is located; the system refuses to give that page to the application, and the application segfaults.
Of course the whole incremental scanning part is conjecture; a proof of concept implementation would be nice.
to post comments)