RE: [malware-list] TALPA - a threat model? well sorta.

From: Press, Jonathan
Date: Wed Aug 13 2008 - 17:24:42 EST


> -----Original Message-----
> From: malware-list-bounces@xxxxxxxxxxxxxxxx [mailto:malware-list-
> bounces@xxxxxxxxxxxxxxxx] On Behalf Of Alan Cox
> Sent: Wednesday, August 13, 2008 3:59 PM
> To: Eric Paris
> Cc: peterz@xxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; malware-
> list@xxxxxxxxxxxxxxxx; hch@xxxxxxxxxxxxx; andi@xxxxxxxxxxxxxx;
> viro@xxxxxxxxxxxxxxxxxx; arjan@xxxxxxxxxxxxx
> Subject: Re: [malware-list] TALPA - a threat model? well sorta.
>
> > > I don't think you need to be blocking if you passed up a file handle ?
> >
> > Without blocking and waiting how do you deny access? Maybe I needed
> > another thing they do. "They do file scanning and deny access to bad
> > files."
>
> Denying access is easy enough - chmod it or set an SELinux label on it.

I may be missing something about your suggestion, but I don't see how
this would work. Who does the chmod?

Here's a sequence:

- Application opens file
- AV scanner notified in some way without blocking
- Application reads file into memory
- AV scanner determines file is infected.
- AV scanner chmod's file -- oops, too late.
- Application sends file over the wire to another machine with a more
vulnerable OS

How would this be prevented?


Jon Press
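The race in the sequence above, reproduced with plain POSIX calls. This is an added example, not code from the original post, from the TALPA patches or from any scanner; the file path and its contents are made up. It goes one step beyond what the post says: the chmod is too late not only because the application has already read the file, but as soon as open() has returned, since Linux checks DAC permissions at open() and never again for that descriptor. The example therefore lets the "scanner" chmod the file before the application's read() and shows the read still succeeds; a second function shows what chmod does stop, which is a fresh open() (unless the caller is root and has CAP_DAC_OVERRIDE).

```c
/* Added example, not code from the original post or from TALPA. It
 * replays Jon Press's sequence with plain POSIX calls: the application
 * opens the file, the "scanner" denies access with chmod, and the
 * application's read on the descriptor it already holds still succeeds.
 * The file path and the sample content below are constructed. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for "infected" content; nothing about it is malicious. */
static const char SAMPLE[] = "constructed sample payload\n";

/* Create a mode-0600 temp file holding SAMPLE. Returns 0 on success and
 * writes the path into `path` (buffer of at least 32 bytes). */
static int make_sample_file(char *path)
{
    strcpy(path, "/tmp/talpa-demo-XXXXXX");     /* hypothetical path */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, SAMPLE, sizeof SAMPLE - 1);
    close(fd);
    if (w != (ssize_t)(sizeof SAMPLE - 1)) {
        unlink(path);
        return -1;
    }
    return 0;
}

/* The "scanner" deciding the file is bad and denying access via chmod,
 * as suggested in the quoted reply. */
static int scanner_deny(const char *path)
{
    return chmod(path, 0);
}

/* The sequence from the post: application opens, scanner's chmod lands
 * afterwards (here even before the read), application reads anyway.
 * Returns the number of bytes the application got, or -1 on setup error. */
int bytes_readable_after_deny(void)
{
    char path[32], buf[64];
    if (make_sample_file(path) != 0)
        return -1;

    int app_fd = open(path, O_RDONLY);          /* application opens file */
    if (app_fd < 0) {
        unlink(path);
        return -1;
    }
    if (scanner_deny(path) != 0) {              /* scanner: "infected", chmod 0 */
        close(app_fd);
        unlink(path);
        return -1;
    }
    /* Permission was checked at open(); the mode change does not affect
     * an existing descriptor, so this read succeeds. */
    ssize_t n = read(app_fd, buf, sizeof buf);
    close(app_fd);
    unlink(path);
    if (n < 0 || (size_t)n != sizeof SAMPLE - 1 || memcmp(buf, SAMPLE, (size_t)n) != 0)
        return -1;
    return (int)n;
}

/* What the chmod does stop: a *new* open() after the deny. Returns 1 if
 * the fresh open was refused with EACCES, 0 if it succeeded (expected
 * when running as root, which has CAP_DAC_OVERRIDE), -1 on other errors. */
int fresh_open_denied(void)
{
    char path[32];
    if (make_sample_file(path) != 0)
        return -1;
    int rc = -1;
    if (scanner_deny(path) == 0) {
        int fd = open(path, O_RDONLY);
        if (fd >= 0) {
            close(fd);
            rc = 0;
        } else if (errno == EACCES) {
            rc = 1;
        }
    }
    unlink(path);
    return rc;
}

int main(void)
{
    printf("bytes read on fd opened before chmod: %d\n", bytes_readable_after_deny());
    printf("fresh open after chmod refused: %d (0 is expected as root)\n", fresh_open_denied());
    return 0;
}
```

The first function returns the full 27 bytes of the sample regardless of who runs it; the second returns 1 for an unprivileged user and 0 for root. Nothing in the example prevents the application from then writing those bytes to a socket, which is the last step of the sequence in the post: revoking access after open() only affects processes that have not opened the file yet.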
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/