Critical Linux security API is still a kludge (Inquirer)
Posted Oct 24, 2006 11:53 UTC (Tue) by job
In reply to: Critical Linux security API is still a kludge (Inquirer)
Parent article: Critical Linux security API is still a kludge (Inquirer)
Why WOULD you want to check every file access? I would be surprised if Windows virus scanners do this; it would be unbearably slow. What you probably want is to check all files treated as executable code, by hooking the exec call in libc.
Of course, evil code could relocate specific portions in data files, and by directly calling the kernel to execute them bypass the check. But this would be trivial by mmapping those parts into executable space anyway.
It's not very different in nature from self-encrypting code. I think the scanners need to treat them the same way, by checking for the decrypting/execing/mmapping code to begin with. The in-kernel hook described sounds like a flawed design no matter how you look at it, and I am not the least surprised it's difficult to convince the kernel devs to let it in.