Re: [malware-list] TALPA - a threat model? well sorta.



On Thursday 14 August 2008, Press, Jonathan wrote:
On Wednesday 13 August 2008, Andi Kleen wrote:
On Wed, Aug 13, 2008 at 12:36:15PM -0400, Eric Paris wrote:

I miss a clear answer to the question: is this
supposed to protect against malware injected as root or not?

I honestly don't think we should worry about root. Sure, if the AV
scanner happens to catch something (as a consequence of its
implementation), then very well. But designing an antimalware solution
which assumes the root is compromised will throw us into security talks
for years and I don't think we'll live to hear the end of them.

We should focus on the regular users and fix (if needed) the current
userland apps (i.e. the ones that need root access to do their job). For
any more than that we'll need a super user that supervises root. And then
another one.

I think that some people are missing the important point of Eric's recent
original statement of the "threat model". Whether we move further in the
direction of other security protections or not, we are currently talking
about providing a mechanism for basic AV product to do their job, and the
job we are talking about is scanning files when they are about to be used
and might cause harm, or have just been created and we want to make sure
they are OK. That is, the AV products that we are talking about in this
context don't do anything else other than scan files.

I see. Well, as long as everyone sticks to _just_ the file scan. To be honest,
the only immediate use of the patch that is/was in question, is a "natural"
scanner for file servers (Samba, NFS etc). 7v5w7go9ub0o, however, might have
some more ideas. :)

I admit and I apologize, I got pretty worked up when people started asking
questions like: "how do we protect the file scanner", when the answer should
have been obvious: the way we protect any other daemon (service) today, by
means of chmod/chown.

With that in mind, there is no difference between scanning files being
accessed/executed/created by root and the same for any other users. And in
fact, to the extent that we claim at all to have a somewhat complete
protection in that realm, excluding root will completely blow that protection
out of the water and make it essentially useless.

I think we need to define the 'desktop user' and provide a decent
protection mechanism for his common activities (edit documents, listen to
music, navigate the web, see movies, run scripts which change the IM
status etc). For the rest, there are two possibilities:

1. education (_extremely_ important);

It's like abstinence education...it sounds good, at least to some, but it
doesn't work. In a way, that's the whole point. There are millions of
users. It doesn't take many who missed the class to create an outbreak
that does real damage. It goes back to the medical analogy. Do you spray
the swamps for the mosquitoes that carry Eastern Equine Encephalitis, or do
you knock on everyone's door and tell them not to go near the swamps, and
hope that everyone's home when you're in their neighborhood?

I don't think there will ever be an AV product using the marketing line:
"it allows you to run your favorite rootkit and enjoy the pretty text it
shows, with no worries".

You are right... Complete rootkit protection is a whole other area not
fundamentally addressed by a scan. So let's not create a straw man about
the things we don't claim to do and then knock the products because we
don't do them.

--
Mihai Donțu
Again, this mail == my own opinion
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
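An added example, not code from the thread or from TALPA, for the point above that the file scanner is protected the way any other daemon is, with chmod/chown: a POSIX sh check that the scanner's binary, configuration and quarantine directory are owned by the expected uid and carry no group/other write bit, run against a constructed weak layout and a hardened one. The daemon name `scand`, its file names and the temp-dir layout are hypothetical.

```shell
# Added example, not from the thread. The scanner daemon's files are protected like
# any other daemon's: owned by root (uid 0) and not writable by group/other, so a
# non-root account cannot replace the scanner or edit what it skips. Names are made up.

# check_scanner_perms UID FILE...
# Returns 0 when every FILE exists, is owned by UID and carries no group/other
# write bit; returns 1 (reporting each offender on stderr) otherwise.
check_scanner_perms() {
    want_uid=$1; shift
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING  $f" >&2; rc=1; continue
        fi
        # ls -ldn prints e.g. "-rwxr-xr-x 1 0 0 4096 Aug 14 2008 /usr/sbin/scand"
        line=$(ls -ldn "$f")
        mode=${line%% *}
        have_uid=$(printf '%s\n' "$line" | awk '{print $3}')
        if [ "$have_uid" != "$want_uid" ]; then
            echo "OWNER    $f owned by uid $have_uid, expected $want_uid" >&2; rc=1
        fi
        # char 6 of the mode string is the group write bit, char 9 the other write bit
        case $mode in
            ?????w*|????????w*) echo "WRITABLE $f mode $mode" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# demo_scanner_layout weak|hardened: builds a throwaway scanner layout in a temp dir
# and returns the check's status (0 = protected, 1 = a non-owner could tamper).
demo_scanner_layout() {
    dir=$(mktemp -d) || return 2
    printf '#!/bin/sh\nexit 0\n' > "$dir/scand"; chmod 755 "$dir/scand"
    echo 'exclude=/proc' > "$dir/scand.conf"
    mkdir "$dir/quarantine"
    if [ "$1" = weak ]; then
        chmod 666 "$dir/scand.conf"   # anyone could rewrite the exclusion list
        chmod 777 "$dir/quarantine"   # anyone could swap quarantined files
    else
        chmod 644 "$dir/scand.conf"
        chmod 700 "$dir/quarantine"
    fi
    # in production the expected uid is 0 (root); the demo files belong to us
    check_scanner_perms "$(id -u)" "$dir/scand" "$dir/scand.conf" "$dir/quarantine" \
        && rc=0 || rc=$?
    rm -rf "$dir"
    return $rc
}
```

Run `check_scanner_perms 0 /path/to/scanner /path/to/its.conf` from a cron job or boot script to catch drift after a package upgrade.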