Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforon access scanning
- From: david@xxxxxxx
- Date: Sun, 17 Aug 2008 15:47:41 -0700 (PDT)
On Mon, 18 Aug 2008, Pavel Machek wrote:
Hi!
And I still don't get this 'mmap problem' that I don't solve that
libmalware magically solves. What? don't use mmap? I certainly hope
not.
Don't use mmap, it is as simple as that. AFAICS mmap(MAP_SHARED) --
which is basically shared memory -- is fundamentally incompatible with
reliable virus scanning.
...or do you have a reasonable solution for mmap?
mmap has a few different problems
1. intercepting reads and writes to take action at that time
2. the fact that two programs can use it as an inter-process communication mechanism.
if you are worried about the IPC aspects, all you can do is forbid it, along with shared memory, pipes, network connections, etc. none of these provide you with a 'final result' that can be scanned, and as others have pointed out there are too many ways to do things that get assembled by the far side to try and catch all malware in them.
as for intercepting reads and writes. the approach I outlined addresses this by having the kernel mark thefile as dirty if any writes happen, and checking the file status at the time of doing the mmap instead of trying to do it when the file is accessed after the mmap.
David Lang
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
- Follow-Ups:
- References:
- Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linuxinterfaceforon access scanning
- From: Pavel Machek
- Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linuxinterfaceforon access scanning
- From: tvrtko . ursulin
- Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linuxinterfaceforon access scanning
- From: Pavel Machek
- RE: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforon access scanning
- From: Press, Jonathan
- Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforon access scanning
- From: Pavel Machek
- Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforon access scanning
- From: Rik van Riel
- Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforon access scanning
- From: Theodore Tso
- Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforon access scanning
- From: Eric Paris
- Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforon access scanning
- From: Pavel Machek
- Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linuxinterfaceforon access scanning
- Prev by Date: Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforon access scanning
- Next by Date: [PATCH] kernel-doc: allow space in macro #define
- Previous by thread: Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforon access scanning
- Next by thread: Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforon access scanning
- Index(es):
Relevant Pages
|
