
scanning on write

Posted Oct 23, 2006 22:55 UTC (Mon) by skitching (guest, #36856)
In reply to: Dakuzo doesn't work 100% by nix
Parent article: Critical Linux security API is still a kludge (Inquirer)

Is it really necessary to scan on each write operation? It seems to me that scanning on close would be sufficient.

If there are concerns about having to rescan a very large file which has had just a small piece modified then the monitoring layer (FUSE-based or other) could keep a list of modified blocks to be scanned on close. How about an in-kernel module that simply exposes a list of changed block ids which a user-mode module could then check on close?

Of course this is rather asymmetrical to the read scanning, which does need to be done as data is read in order to catch bad data on mounted filesystems such as NFS, so maybe it's not such a good idea..



scanning on write

Posted Oct 24, 2006 16:14 UTC (Tue) by nix (subscriber, #2304)

- program A mmap()s foo.so
- nasty program B mmap()s foo.so and infects it
- program A now sees the virus-infected pages and so is magically infected too

So yes, you have to scan on each write: at least on each write of a file opened by more than one process.
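The sequence in the comment above, as an added example that is not part of the original thread: a reader with a shared mapping observes another process's store while that process still has the file open, so a hook that fires only on close() gets no chance to run in between. The scratch file path, the marker string and the function name are constructed for the illustration; it assumes Linux/POSIX `MAP_SHARED` semantics.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if reader A sees writer B's change while B still holds the
 * file open (no close() has happened yet), 0 if not, -1 on error. */
int write_visible_before_close(void)
{
    char path[] = "/tmp/scan_demo_XXXXXX";     /* constructed scratch file */
    int up[2], down[2], seen = -1, fd = mkstemp(path);
    char c = 0;
    if (fd < 0) return -1;
    /* Program A: maps the file read-only (stands in for a loaded foo.so). */
    char *a = ftruncate(fd, 4096) ? MAP_FAILED
                                  : mmap(NULL, 4096, PROT_READ, MAP_SHARED, fd, 0);
    if (a == MAP_FAILED || pipe(up) || pipe(down)) { close(fd); unlink(path); return -1; }
    pid_t pid = fork();
    if (pid == 0) {
        /* Program B: opens the file itself and stores through its own mapping. */
        int wfd = open(path, O_RDWR);
        char *b = wfd < 0 ? MAP_FAILED
                          : mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_SHARED, wfd, 0);
        if (b == MAP_FAILED) _exit(1);
        memcpy(b, "MODIFIED", 8);              /* no write(), msync() or close() */
        if (write(up[1], "w", 1) != 1) _exit(1);   /* tell A the store is done */
        if (read(down[0], &c, 1) != 1) _exit(1);   /* hold wfd open until A has looked */
        _exit(0);
    }
    close(up[1]);                              /* so read() sees EOF if B dies early */
    if (pid > 0 && read(up[0], &c, 1) == 1)
        seen = memcmp(a, "MODIFIED", 8) == 0;  /* checked while B's fd is still open */
    if (write(down[1], "g", 1) != 1) seen = -1;    /* let B exit */
    if (pid > 0) waitpid(pid, NULL, 0);
    close(up[0]); close(down[0]); close(down[1]);
    munmap(a, 4096); close(fd); unlink(path);
    return seen;
}

int main(void)
{
    printf("A saw B's change before any close(): %d\n", write_visible_before_close());
    return 0;
}
```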

