Dakuzo doesn't work 100%
Posted Oct 23, 2006 16:28 UTC (Mon) by nix (subscriber, #2304)
In reply to: Dakuzo doesn't work 100% by arjan
Parent article: Critical Linux security API is still a kludge (Inquirer)
Well, they *could* check mmap()ed reads, at least, by scanning the file on every open(). But, no, checking writes is out of the question in the presence of mmap() (imagine the expense! two context switches and some sort of expensive check on every write to an mmap()ed region? Gah.)
Posted Oct 23, 2006 22:55 UTC (Mon)
by skitching (guest, #36856)
If there are concerns about having to rescan a very large file which has had just a small piece modified then the monitoring layer (FUSE-based or other) could keep a list of modified blocks to be scanned on close. How about an in-kernel module that simply exposes a list of changed block ids which a user-mode module could then check on close?
Of course this is rather asymmetrical to the read scanning, which does need to be done as data is read in order to catch bad data on mounted filesystems such as NFS, so maybe it's not such a good idea...
Posted Oct 24, 2006 16:14 UTC (Tue)
by nix (subscriber, #2304)
> Is it really necessary to scan on each write operation? It seems to me that scanning on close would be sufficient.

- program A mmap()s foo.so
- nasty program B mmap()s foo.so and infects it
- program A now sees the virus-infected pages and so is magically infected too

So yes, you have to scan on each write: at least on each write of a file opened by more than one process.
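The three-step scenario above, as an added example that is not part of the thread or of any product discussed in it. "Program A" scans a constructed stand-in for foo.so at open() time and keeps a read-only MAP_SHARED mapping; "program B" is a forked child that maps the same file writable and patches it with a plain memcpy(), then parks with the file still open. Because both mappings are backed by the same page-cache pages, A sees the trojaned bytes while B has issued neither a write() syscall nor a close(), so neither a write hook nor a close-time scan can have fired yet. It goes one step beyond the post by also running the infector with MAP_PRIVATE, where the store lands on a copy-on-write page and A is unaffected. The signature ("TROJAN"), the file contents and the /tmp scratch path are assumptions of the example; it assumes a Linux/POSIX system.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-ins for a clean and a trojaned foo.so image (same length,
 * both NUL-terminated, so sizeof gives the same byte count for each). */
static const char clean_image[]    = "CLEAN-LIBRARY-IMAGE";
static const char infected_image[] = "TROJAN-PAYLOAD-HERE";

/* Toy signature scanner standing in for the real on-access scanner (assumption). */
static int looks_infected(const char *buf, size_t len) {
    static const char sig[] = "TROJAN";
    size_t n = sizeof sig - 1;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, sig, n) == 0) return 1;
    return 0;
}

/* "Program A" scans a clean file at open() time and keeps a read-only MAP_SHARED
 * mapping of it.  "Program B" (a forked child) maps the same file writable with
 * attacker_flags, patches it through the mapping, and then blocks with the file
 * still open.  Returns 1 if A already sees the trojaned bytes at that point
 * (B has issued no write() and no close()), 0 if A still sees the clean image,
 * -1 on a setup error. */
int mapping_infects_reader(int attacker_flags) {
    char path[] = "/tmp/fooso-XXXXXX";      /* assumed scratch location */
    size_t len = sizeof clean_image;
    int ready[2], ack[2];                   /* B -> A: "patched"; A -> B: "you may exit" */

    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                           /* scratch file: gone once all fds close */
    if (write(fd, clean_image, len) != (ssize_t)len ||
        pipe(ready) < 0 || pipe(ack) < 0) { close(fd); return -1; }

    char *victim = mmap(NULL, len, PROT_READ, MAP_SHARED, fd, 0);
    if (victim == MAP_FAILED) { close(fd); return -1; }
    int clean_at_open = !looks_infected(victim, len);   /* the open()-time scan passes */

    pid_t pid = fork();
    if (pid < 0) { munmap(victim, len); close(fd); return -1; }
    if (pid == 0) {                         /* B: the infector */
        char c = 'x';
        close(ready[0]); close(ack[1]);
        char *attacker = mmap(NULL, len, PROT_READ | PROT_WRITE, attacker_flags, fd, 0);
        if (attacker == MAP_FAILED) _exit(2);
        memcpy(attacker, infected_image, len);          /* a store, not a write() syscall */
        (void)write(ready[1], &c, 1);                   /* tell A the bytes are in place */
        (void)read(ack[0], &c, 1);                      /* park here, file still open */
        munmap(attacker, len);
        _exit(0);
    }
    close(ready[1]); close(ack[0]);         /* A: the victim */
    char c = 'x';
    int seen_before_close = -1;
    if (read(ready[0], &c, 1) == 1) {       /* B has patched and is still running */
        seen_before_close = looks_infected(victim, len);
        (void)write(ack[1], &c, 1);         /* only now let B unmap and exit */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    close(ready[0]); close(ack[1]);
    munmap(victim, len);
    close(fd);
    if (!clean_at_open || !WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return seen_before_close;
}

int main(void) {
    printf("MAP_SHARED  infector: A sees infection before B closes? %d\n",
           mapping_infects_reader(MAP_SHARED));
    printf("MAP_PRIVATE infector: A sees infection before B closes? %d\n",
           mapping_infects_reader(MAP_PRIVATE));
    return 0;
}
```

The MAP_SHARED run returns 1: the only events a scanner could hook were A's open() (file clean) and, later, B's close(), and A had already executed the patched pages in between. The MAP_PRIVATE run returns 0, which is why a scanner that wants to be correct would have to hook page faults or dirty-page tracking on shared file mappings rather than the write() or close() syscalls.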