Re: [malware-list] TALPA - a threat model? well sorta.

From: david
Date: Fri Aug 15 2008 - 01:29:13 EST

Next message: Jan Harkes: "Re: [RFC] readdir mess"
Previous message: david: "Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforonaccess scanning"
In reply to: Johannes Weiner: "Re: [malware-list] TALPA - a threat model? well sorta."
Next in thread: david: "Re: [malware-list] TALPA - a threat model? well sorta."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 15 Aug 2008, Johannes Weiner wrote:

Hi,

david@xxxxxxx writes:

On Thu, 14 Aug 2008, Arjan van de Ven wrote:

On Thu, 14 Aug 2008 22:04:00 -0400
Theodore Tso <tytso@xxxxxxx> wrote:

On Thu, Aug 14, 2008 at 06:44:33PM -0700, david@xxxxxxx wrote:
could you do something like defining a namespace inside posix
attributes and then setting up a mechanism in the kernel to alert
if the attributes change (with the entire namespace getting cleared
if the file gets dirtied)?

According to Eric Paris the clean/dirty state is only stored in
memory. We could use the extended attribute interface as a way of not
defining a new system call, or some other interface, but I'm not sure
it's such a great match given that the extended attributes interface
are designed for persistent data.

I agree that doesn't actually work very well for the tracker use case,
where you the clean/dirty bit to be persistent (in case the tracker is
disabled due to the fact you are running on battery, for example, and
then you reboot).

but we need a "give me all dirty files" solution, not a "is this file
dirty" solution.

I do not want a virus scanner to constantly have to poll the whole fs
for dirty files ;-)

I'm not sure.

there are two situations (with the transition between them)

1. unscanned system, we want to do everything. (this happens
immediatly after a new signature file is deployed)

here you do just want to filter out the files that have been scanned
from the list of everything, and you probably want to check at the
time of scanning the file in case it was opened (and scanned) in the
meantime.

2. mostly scanned system, we only want to scan files that have been
dirtied.

here you don't need to scan everything, you only need to scan in two cases

2a. the file was dirtied (you learn about it and add it to the queue
of files to scan when you get around to it)

2b. an unscanned file is opened (the library detects that the file was
not marked approved by all the current scanners, so it invokes the
scanners on this file before completing the open, or copy for mmap, or
whatever)

2b could also be used as a general lazy scanning mechanism, no? If
there is a new signature or the file is dirty or unknown, scan it.
Always.

So this should all just be one case, no?

this depends on the policy in userspace.

you could:

1. plan on doing all scanning as files are opened (this is going to be noticable to users)

2. run the background scanner continuously as a low priority (as soon as you finish one scan, do the next)

3. do one background scan when you get a new signature, and after you complete that only scan files that change.

and probably others

#3 has the advantage that the only time a user will hit a delay when opening a file is if the file was just recently modified and the scanner daemon(s) haven't had a chance to scan it yet.

David Lang
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jan Harkes: "Re: [RFC] readdir mess"
Previous message: david: "Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforonaccess scanning"
In reply to: Johannes Weiner: "Re: [malware-list] TALPA - a threat model? well sorta."
Next in thread: david: "Re: [malware-list] TALPA - a threat model? well sorta."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]