Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interfacefor on access scanning

From: Greg KH
Date: Wed Aug 06 2008 - 11:40:15 EST

Next message: David Howells: "[PATCH 12/24] CRED: Wrap access to SELinux's task SID [ver #7]"
Previous message: Greg KH: "Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linuxinterfaceforon access scanning"
In reply to: tvrtko . ursulin: "Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for onaccess scanning"
Next in thread: Eric Paris: "Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interfacefor on access scanning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Aug 06, 2008 at 10:37:06AM +0100, tvrtko.ursulin@xxxxxxxxxx wrote:
> Greg KH wrote on 05/08/2008 21:15:35:
>
> > > > > Perf win, why bothering looking for malware in /proc when it can't
> > > > > exist? It doesn't take longer it just takes time having to do
> > > > >
> > > > > userspace -> kernel -> userspace -> kernel -> userspace
> > > > >
> > > > > just to cat /proc/mounts, all of this could probably be alliviated
> if we
> > > > > cached access on non block backed files but then we have to come
> up with
> > > > > a way to exclude only nfs/cifs. I'd rather list the FSs that
> don't need
> > > > > scanning every time than those that do....
> > > >
> > > > How long does this whole process take? Seriously is it worth the
> added
> > > > kernel code for something that is not measurable?
> > >
> > > Is it worth having 2 context switches for every open when none are
> > > needed? I plan to get numbers on that.
> >
> > Compared to the real time it takes in the "virus engine"? I bet it's
> > totally lost in the noise. Those things are huge beasts with thousands
> > to hundreds of thousands of context switches.
>
> No, because we are talking about a case here where we don't want to do any
> scanning. We want to detect if it is procfs (for example) as quickly as
> possible and don't do anything. Same goes for any other filesystem where
> it is not possible to store arbitrary user data.

See previous messages about namespaces and paths for trying to figure this
kind of information out in a sane way within the kernel.

> > > > > In kernel caching is clearly a huge perf win.
> > > >
> > > > Why? If the cache is also in userspace, it should be the same,
> right?
> > >
> > > In kernel cache has 0 context switches for every open. Userspace
> > > caching has 2. Every open has to block, switch to the context of the
> > > userspace client/cache, get that decisions, and then switch back to
> the
> > > original process.
> >
> > Again, compared to what? If you in userspace are doing big complex
> > things, such an overhead is trivial.
>
> Again similar thing as above - In case of a cache we are not doing complex
> things.

Except for the overhead of keeping a cache :)

> So I think you can't argue that because scanning is slow everything
> else has to go to userspace. On a typical running system scanning is
> exceptional and everything else benefits from being in the fast path.

I really can not judge as we have not seen an implementation yet.

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: David Howells: "[PATCH 12/24] CRED: Wrap access to SELinux's task SID [ver #7]"
Previous message: Greg KH: "Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linuxinterfaceforon access scanning"
In reply to: tvrtko . ursulin: "Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for onaccess scanning"
Next in thread: Eric Paris: "Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interfacefor on access scanning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]