Re: TALPA - a threat model? well sorta.

From: 7v5w7go9ub0o
Date: Wed Aug 13 2008 - 22:26:21 EST


7v5w7go9ub0o wrote:


4. Again, my hope for libmalware.so/dazuko is a realtime
integrity-management link.

<end posts>

HTH

p.s. The question has developed, should this monitor root activities. IMHO, the answer is a definite YES! We are most vulnerable during software updating; AntiMalware signatures may stop the compilation or installation of a Trojan - by root.


I just noticed a separate discussion about integrity-checking LKMs and LSMs.

Obviously, a libmalware.so or Dazuko based integrity-checker would block a kernel from loading a Trojaned LKM - noting that the MD5 had changed, and asking you to block, temporarily allow, or permanently allow the changed module.

Another security benefit of your pursuit.

HTH
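The block/allow-once/allow-always decision the post describes, written out as an added example in user-space Python; this is not code from the post, from Dazuko or from the TALPA proposal, and it simulates the "module about to load" event with a plain function call rather than a kernel hook. It assumes SHA-256 in place of the MD5 the post mentions (MD5 collisions are practical, so a baseline meant to catch tampering should use a collision-resistant hash), and the module file it hashes is constructed fake bytes, not a real driver. A mismatch against the baseline prompts the operator; "allow once" is remembered only for the current session, "allow always" rewrites the baseline entry.

```python
import hashlib
import hmac
import os
import tempfile

# Assumption: SHA-256 instead of the MD5 named in the post. MD5 collisions are
# practical, so an integrity baseline should use a collision-resistant hash.
HASH_ALGO = "sha256"

# Operator decisions for a module whose digest does not match the baseline.
BLOCK, ALLOW_ONCE, ALLOW_ALWAYS = "block", "allow-once", "allow-always"


def file_digest(path):
    """Hash a file in chunks so a large .ko does not have to fit in memory."""
    h = hashlib.new(HASH_ALGO)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class ModuleIntegrityMonitor:
    """Digest baseline plus the block / allow-once / allow-always policy."""

    def __init__(self):
        self.baseline = {}            # module path -> digest recorded at enrollment
        self.session_allowed = set()  # (path, digest) pairs allowed for this boot only

    def enroll(self, path):
        """Record the current digest of a module as its trusted baseline."""
        self.baseline[path] = file_digest(path)

    def check(self, path, decide):
        """Decide whether `path` may be loaded.

        `decide(path, old_digest, new_digest)` stands in for the operator
        prompt and returns BLOCK, ALLOW_ONCE or ALLOW_ALWAYS. Returns
        (loaded, reason). Unknown modules are treated like changed ones.
        """
        digest = file_digest(path)
        expected = self.baseline.get(path)
        if expected is not None and hmac.compare_digest(expected, digest):
            return True, "matches baseline"
        if (path, digest) in self.session_allowed:
            return True, "temporarily allowed earlier in this session"
        choice = decide(path, expected, digest)
        if choice == ALLOW_ALWAYS:
            self.baseline[path] = digest  # the new digest becomes the baseline
            return True, "permanently allowed; baseline updated"
        if choice == ALLOW_ONCE:
            self.session_allowed.add((path, digest))
            return True, "temporarily allowed"
        return False, ("blocked: digest mismatch" if expected else "blocked: not in baseline")


def refuse(path, old, new):
    return BLOCK


def allow_once(path, old, new):
    return ALLOW_ONCE


def allow_always(path, old, new):
    return ALLOW_ALWAYS


def demo():
    """Constructed scenario: a fake module is enrolled, tampered with, then updated."""
    with tempfile.TemporaryDirectory() as d:
        ko = os.path.join(d, "fakenic.ko")  # constructed bytes, not a real driver
        with open(ko, "wb") as f:
            f.write(b"\x7fELF" + b"genuine driver code\n" * 100)
        mon = ModuleIntegrityMonitor()
        mon.enroll(ko)
        log = [mon.check(ko, refuse)]            # untouched: loads, no prompt
        with open(ko, "ab") as f:                # simulate a trojaned module
            f.write(b"/* injected */\n")
        log.append(mon.check(ko, refuse))        # operator blocks the changed module
        log.append(mon.check(ko, allow_once))    # operator allows it once
        log.append(mon.check(ko, refuse))        # same digest: no second prompt this session
        with open(ko, "ab") as f:                # simulate a legitimate rebuild
            f.write(b"/* rebuilt */\n")
        log.append(mon.check(ko, allow_always))  # operator accepts the new baseline
        log.append(mon.check(ko, refuse))        # now matches the updated baseline
        unknown = os.path.join(d, "unknown.ko")  # never enrolled
        with open(unknown, "wb") as f:
            f.write(b"\x7fELFnot in baseline\n")
        log.append(mon.check(unknown, refuse))
        return log


if __name__ == "__main__":
    for loaded, reason in demo():
        print("LOAD " if loaded else "DENY ", reason)
```

The session-allowed set is keyed on (path, digest), so a module that is allowed once and then modified again prompts again; a hook that keyed only on the path would let the second change through silently.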
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/