Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning

From: Kyle Moffett
Date: Tue Aug 05 2008 - 01:49:19 EST


On Mon, Aug 4, 2008 at 8:54 PM, Christoph Hellwig <hch@xxxxxxxxxxxxx> wrote:
> On Mon, Aug 04, 2008 at 08:47:04PM -0400, Eric Paris wrote:
>> On Mon, 2008-08-04 at 20:26 -0400, Christoph Hellwig wrote:
>> > NACK, this kind of policy should be done in kernelspace.
>>
>> What? You want to write an in-kernel scanner for Windows viruses?
>
> No, I want a sane security policy in kernelspace that doesn't look
> at the content because doing security by content properly is equivalent
> to solving the halting problem. I couldn't give a rat's a** about
> windows viruses as they can't actually cause any harm on a Linux
> machine.

Much better solution:

Use SELinux or another similar Mandatory Access Control labeling
system. Mark some things as "trusted" or "privileged" or whatever
your particular labeling methodology requires. Mark other things as
"untrusted", "unprivileged", "internet file", etc. Disallow most
interaction between "trusted" and "untrusted" things. Configure your
userspace virus-scanner, which is allowed to read "untrusted" files and
create "semi-trusted" files in a particular directory, where they can
then be picked up by "trusted" programs.

Problem solved. Untrusted and possibly-compromised files can't be
executed, or even if they could be they can't do anything
interesting/harmful. In order to execute some junk you just
downloaded from the internet you have to click "Yes I accept the
security risk" and run it through whatever virus-scanner you want.
Then you copy it from the virus-scanner output directory into
somewhere else and run it.

You can do the same thing with software updates downloaded from the
internet, just replace "trusted" with "installed package",
"semi-trusted" with "valid package", "untrusted" with "just-downloaded
package file", and "virus scanner" with "package signature
verification tool".

I could easily come up with a bunch more examples if you really care that much.

Cheers,
Kyle Moffett
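The labelling scheme Kyle sketches, written out as a minimal SELinux reference-policy module. This is an added example, not code from the mail or from any project; the type names are invented here, `user_t` is assumed to be the "trusted" interactive user domain, and `files_type`, `domain_type`, `domain_entry_file` and `domain_auto_trans` are assumed to be the refpolicy interfaces of those names. How a download gets the `untrusted_file_t` label in the first place (a `type_transition` in the browser's domain) is left out.

```selinux
policy_module(untrusted_download, 1.0)

# One type per trust level from the mail (names invented for this example).
type untrusted_file_t;      # "just downloaded from the internet"
type scanned_file_t;        # "semi-trusted": only the scanner may create these
type scanner_out_t;         # the one directory the scanner is allowed to write
type scanner_t;             # domain the userspace virus scanner runs in
type scanner_exec_t;        # the scanner binary
files_type(untrusted_file_t)
files_type(scanned_file_t)
files_type(scanner_out_t)
domain_type(scanner_t)
domain_entry_file(scanner_t, scanner_exec_t)

require {
    type user_t;            # assumption: the "trusted" user domain
    class file { read getattr open write create rename unlink execute execute_no_trans entrypoint };
    class dir { search getattr read write add_name remove_name };
}

# Scanner: may read untrusted input ...
allow scanner_t untrusted_file_t:file { read getattr open };
# ... and may write only inside scanner_out_t; anything it creates there
# is automatically labelled scanned_file_t (the "semi-trusted" label).
allow scanner_t scanner_out_t:dir { search getattr read write add_name remove_name };
allow scanner_t scanned_file_t:file { create write getattr rename unlink };
type_transition scanner_t scanner_out_t:file scanned_file_t;

# Trusted user: runs the scanner (auto-transition into scanner_t) and
# picks up its output. Note: no rule lets user_t read untrusted_file_t,
# so the only path from "untrusted" to "trusted" is through the scanner.
domain_auto_trans(user_t, scanner_exec_t, scanner_t)
allow user_t scanned_file_t:file { read getattr open rename };
allow user_t scanner_out_t:dir { search getattr read write remove_name };

# Build-time guarantee: neither domain can execute untrusted content.
# Widening the source to the `domain` attribute is only possible if the
# base policy has no unconfined domain with blanket file execute rights.
neverallow { user_t scanner_t } untrusted_file_t:file { execute execute_no_trans entrypoint };
```

The package-update variant in the mail is the same module with the scanner replaced by the signature-verification tool and the three file types renamed accordingly.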