So after about a week of trying to squeeze information out of
anti-malware companies I'm starting to feel like I can better speak for
their needs (although they probably don't like what I have to say). I
would like to point out that many enterprises are going to run this
stuff on their machines. Period. End of story. Personally I'd rather
support a clean interface than have to try to support support problems
my customers have when their hacked fragile systems have trouble.
So, what is it that anti-malware companies do? They scan files. That's
it. Many of the arguments they make and marketing speak we hear or
think we hear claim more grandious things. But from what I've seen they
aren't the real deal. Most of the security model descriptions that
people on list want actually are framed under the belief that these
products need to or attempt to completely block some class of attacks.
They don't. If you think they do you need to fix your frame of
reference. The only class of attacks this interface is supposed to
address is those that can be found by scanning files. This is NOT an
LSM. This is NOT an IDS. This is a file scanner. There may be all
sorts of marketing material or general beliefs that they provide
security against all sorts of wide and varied threats (and they do),
but in all reality the only threats they provide any help against are
those that can be found by scanning files. Simple as that. Some may
argue this isn't "good" security and I'm not going to make a strong
argument to the contrary, I can stand here for days and show cases where
this is highly useful but no one can provide a threat model more than to
say, "we attempt to locate files which may be harmful somewhere in the
digital ecosystem and try to deny access to that data."
It can be easily shown (and I can come up with LOTS of example) that
this is of value. Lets consider a simple Linux worm:
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=47869
This worm needs 4 vulnerabilities for it to work and a default RHEL
SELinux policy would likely, although I haven't verified this fact, also
stop the propagation. I believe that the right way to "fix" this is to
patch your software and to run an LSM. But notice that 'scanning files'
is also enough to break the chain. When the download is completed
nothing would be able to execute the file in question since the
anti-malware software would prevent it. Assuming some new vulnerability
was found to replace one of the patched problems its possible the
anti-malware code could still recognize enough of the binary to stop it.
I'm told by one AV company that they look for 95 Linux-specific threats
composed of 42 trojans and 53 viruses or worms. At least 2 other
companies specifically stated that they look for malware which targets
Linux systems although didn't give hard numbers. All three vendors who
have spoken with me also admit that most of their threats are found on
Windows.
I also gave a previous example how file scanning can help with subverted
distro repos. That one is purely theoretical as opposed to the real
attack shown above, but clearly value can be easily demonstrated.
The value of a file scanning interface is not in stopping active
attacks. Its in making the Linux platform a more difficult location for
the storage and propagation of bad data. I think its reasonable to
think that we all agree we don't want to be the preferred hosting
platforms for trojan binaries intended to attack other non-Linux
systems. Why would one want consciencely choose to leave Linux as a
safe haven for the existence of malware? Even though the malware is not
attacking the Linux platform do we as the Linux community really want to
be a breeding and hosting ground as long as the costs are not too high?
(yes Ted, I'm talking directly to you here)
Assuming the costs are not too high, we should add this file scanning
subsystem to help prevent the storage and dissemination of malware
across our systems. If I'm running a hosting company I wouldn't want
people to be able to upload their trojans and host them on my Linux
server even if those trojans will only ever be downloaded by another OS.
We are part of the larger computing ecosystem. If we can make our
systems inhospitable to malware like data we help ourselves a little,
but the greater computing community a lot.
The real goal is to get files into to some userspace scanner and let
them do whatever they want. Remember, this isn't a new LSM. The goal
isn't to provide perfect security. The goal isn't to stop already
running malicious programs. The one and only goal is to scan files. We
should not be considering timing attacks, we should not be considering
processes actively trying to get around the system for small periods of
time. We should certainly not be considering root processes being able
to sneak things by. The idea is that a file exists on disk and we want
some userspace program to give a best effort at scanning it. Yes, we
might be able to prevent a root process from doing bad things, but a bad
root process already won.
Now costs:
1) Kernel or userspace. If we actually want a relatively robust
ecosystem of malware storage hardening it needs to be in kernel. knfsd
makes it plainly obvious that userspace scanners will leave big gaping
holes. Not to mention there cannot be any checks for files opened by
suid apps in userspace. And while no specific claims are being made
about intentionally malicious code, putting this in kernel makes
programs which call syscalls directly much more difficult to be used to
circumvent the scanning.
2) I think the "best" time to do scanning is at read and write. Any
disagreements there? But what's the cost? The cost is lots of scanning
and a huge performance hit on concurrent file access. I'm willing to
put hard numbers behind this, but it does seem quite obvious that open
and close happen a lot less than read and write. Sure that means
between open and read data may have become bad. We aren't an LSM. We
aren't and IDS. We aren't making solid claims about local system
security. We are claiming to harden the machine's storage and
propagation of 'bad' files.
3) code maintenance. I'm here. Sophos appears to be willing to help
and one of the other AV vendors said they may be willing to commit to
helping with support. If nothing else we know the AV vendors will hop
to get stuff fixed every time an enterprise distro is about to release
*smile*
I've yet to hear a technical argument against my patch set (although I
do plan some changes like using the audit system and changing the
kernel->userspace interface) Andi pointed out that I completely didn't
consider rawio on the block device but I have decided to just accept
that as a "you've already lost" condition. I've explained my mmap
support about 10 times, no one has said I'm wrong yet (I assume people
who can't read) keep talking about mmap.
No, this is not a new security system. This is not some great wonderful
panacea that's going to stop every exploit. Its a file scanner. It's
not bad. It clearly can help. This isn't just a pipe dream, I've got
code. Where's the problem?
-Eric
> So, what is it that anti-malware companies do? They scan files. That's
> it.
Good so lets instead have a discussion about making the file event
notification more scalable. That is the same thing I want for content
indexing. It is the same thing you want for certain kinds of smart
archiving, for on-line asynchronous backup and other stuff.
It ought to be a simple clean syscall interface.
Alan
On Wed, 2008-08-13 at 17:24 +0100, Alan Cox wrote:
> > So, what is it that anti-malware companies do? They scan files. That's
> > it.
>
> Good so lets instead have a discussion about making the file event
> notification more scalable. That is the same thing I want for content
> indexing. It is the same thing you want for certain kinds of smart
> archiving, for on-line asynchronous backup and other stuff.
>
> It ought to be a simple clean syscall interface.
Are you willing to make it blocking? I'm not sure how to make what we
have capable of assuring that the object you got a notification about is
actually the object you are acting on. Thoughts on how to accomplish
that? I'm here to code and I'm willing to throw all my work in the
garbage if someone can show me how to actually do it better.
-Eric
On Wed, 13 Aug 2008 12:47:45 -0400
Eric Paris <[email protected]> wrote:
> On Wed, 2008-08-13 at 17:24 +0100, Alan Cox wrote:
> > > So, what is it that anti-malware companies do? They scan files. That's
> > > it.
> >
> > Good so lets instead have a discussion about making the file event
> > notification more scalable. That is the same thing I want for content
> > indexing. It is the same thing you want for certain kinds of smart
> > archiving, for on-line asynchronous backup and other stuff.
> >
> > It ought to be a simple clean syscall interface.
>
> Are you willing to make it blocking? I'm not sure how to make what we
> have capable of assuring that the object you got a notification about is
> actually the object you are acting on. Thoughts on how to accomplish
> that? I'm here to code and I'm willing to throw all my work in the
> garbage if someone can show me how to actually do it better.
I don't think you need to be blocking if you passed up a file handle ?
fd = fileeventmumble(somestuff);
do_stuff
close(fd);
[taking care not to end up recursing as a result]
On Wed, Aug 13, 2008 at 12:36:15PM -0400, Eric Paris wrote:
> No, this is not a new security system. This is not some great wonderful
> panacea that's going to stop every exploit. Its a file scanner. It's
> not bad. It clearly can help. This isn't just a pipe dream, I've got
> code. Where's the problem?
Just repost your patches, with a description of what is happening with
them, taking into account the previously mentioned comments and we can
review it again :)
No problem at all, just a normal patch lifecycle...
thanks,
greg k-h
On Wed, 2008-08-13 at 17:37 +0100, Alan Cox wrote:
> On Wed, 13 Aug 2008 12:47:45 -0400
> Eric Paris <[email protected]> wrote:
>
> > On Wed, 2008-08-13 at 17:24 +0100, Alan Cox wrote:
> > > > So, what is it that anti-malware companies do? They scan files. That's
> > > > it.
> > >
> > > Good so lets instead have a discussion about making the file event
> > > notification more scalable. That is the same thing I want for content
> > > indexing. It is the same thing you want for certain kinds of smart
> > > archiving, for on-line asynchronous backup and other stuff.
> > >
> > > It ought to be a simple clean syscall interface.
> >
> > Are you willing to make it blocking? I'm not sure how to make what we
> > have capable of assuring that the object you got a notification about is
> > actually the object you are acting on. Thoughts on how to accomplish
> > that? I'm here to code and I'm willing to throw all my work in the
> > garbage if someone can show me how to actually do it better.
>
> I don't think you need to be blocking if you passed up a file handle ?
Without blocking and waiting how do you deny access? Maybe I needed
another thing they do. "They do file scanning and deny access to bad
files."
async scanning on close/write is great. but you need blocking/access
control on open/read.....
> fd = fileeventmumble(somestuff);
> do_stuff
> close(fd);
>
> [taking care not to end up recursing as a result]
[you pointed out the whole point of process exclusions in the original
work]
On Wed, Aug 13, 2008 at 05:24:37PM +0100, Alan Cox wrote:
> > So, what is it that anti-malware companies do? They scan files. That's
> > it.
>
> Good so lets instead have a discussion about making the file event
> notification more scalable. That is the same thing I want for content
> indexing. It is the same thing you want for certain kinds of smart
> archiving, for on-line asynchronous backup and other stuff.
Also for hierachial storage management, which also shares they other
requirement with the AV crowd that it want to be able to block the
calling process until the notification is ACKed (for recalling data
from offline media).
> It ought to be a simple clean syscall interface.
I was wondering whether to piggy-back on the audit code was the best
idea here..
On Wed, 13 Aug 2008 12:36:15 -0400
Eric Paris <[email protected]> wrote:
[finally good description snipped]
>
> 1) Kernel or userspace.
this is kind of the last question to ask, not the first ;)
> Not to mention there cannot be any checks for files
> opened by suid apps in userspace.
setuid apps do not use glibc? news to me.
> And while no specific claims are
> being made about intentionally malicious code, putting this in kernel
> makes programs which call syscalls directly much more difficult to be
> used to circumvent the scanning.
[so lets ignore this one]
> 2) I think the "best" time to do scanning is at read and write. Any
> disagreements there?
I agree about the "read" case.
"write" is tricky... because there's many vectors to write, from
write() system call to mmap() system call to truncate() system call.
(yes you can write a stream of bytes that passes virus scan, and then
truncate to be suddenly a live virus)
I would propose to use the word "dirty" instead, we all know what we
mean by that (it's all of them) and doesn't tie our thinking to the
write() system call.
I would like to introduce a concept in your discussion you did not
mention yet in this email: the difference between synchronous scanning
and asynchronous scanning.
It's clear from the protection model that you described that on 'read'
you want to wait until the scan is done before you give the data to the
process asking for it... and that's totally reasonable: "Do not give
out bad data" is a very clear line in terms of security.
for the "dirty" case it gets muddy. You clearly want to scan "some
time" after the write, from the principle of getting rid of malware
that's on the disk, but it's unclear if this HAS to be synchronous.
(obviously, synchronous behavior hurts performance bigtime so lets do
as little as we can of that without hurting the protection).
One advantage of doing the dirty case async (and a little time delayed)
is that repeated writes will get lumped up into one scan in practice,
saving a ton of performance.
(scan-on-close is just another way of implementing "delay the dirty
scan").
Based on Alans comments, to me this sounds like we should have an
efficient mechanism to notify userspace of "dirty events"; this is not
virus scan specific in any way or form. And this mechanism likely will
need to allow multiple subscribers.
for the open() case, I would argue that you don't need synchronous
behavior as long as the read() case is synchronous. I can imagine that
open() kicks off an async scan, and if it's done by the time the first
read() happens, no blocking at all happens.
For efficiency the kernel ought to keep track of which files have been
declared clean, and it needs to track of a 'generation' of the scan
with which it has been found clean (so that if you update your virus
definitions, you can invalidate all previous scanning just by bumping
the 'generation' number in whatever format we use).
Clearly the kernel needs to wipe this clean generation number on any
modification to the file (inode) of any kind. And clearly this needs to
be done inside the kernel because tracking dirty operations in any
other way is just insane.
Now this to me we have a few basic building blocks:
1) We need an efficient mechanism to notify userspace of files that get
dirtied. Virus scanners will subscribe to this for the async dirty
scanning; indexing agents also will subscribe to this.
2) We very likely should have a mechanism for a userspace app to
request a scan on a file, both sync or async (O_SYNC flag?). This is
useful regardless because it allows the source of many things to do the
right thing.
3) we need a mechanism in the kernel to track "scanned with generation
X of signatures" that invalidates on any dirty operation. The syscall
from 2) will use this as a cache to be quick.
I think few people will disagree about this.
Open questions now are
4) do we have the kernel kick off an async scan in open() or do we have
glibc do this
5) do we have the kernel do the sync scan on read/mmap/.. or do we have
glibc do this
I think this is where the whole debate is about now.
And a few hard ones
6) how do we deal with multiple scanning agents in parallel
7) how do we prevent malware from pretending to be a virus scanner
--
If you want to reach me at my work email, use [email protected]
For development, discussion and tips for power savings,
visit http://www.lesswatts.org
On Wed, Aug 13, 2008 at 12:36:15PM -0400, Eric Paris wrote:
I miss a clear answer to the question: is this
supposed to protect against malware injected as root or not?
Assuming it wants to protect against root:
> think we hear claim more grandious things. But from what I've seen they
> aren't the real deal. Most of the security model descriptions that
> people on list want actually are framed under the belief that these
> products need to or attempt to completely block some class of attacks.
> They don't. If you think they do you need to fix your frame of
> reference. The only class of attacks this interface is supposed to
> address is those that can be found by scanning files. This is NOT an
> LSM.
But you need some LSM like protections to be able to protect the file
scanner? Like the block device or kernel memory protection.
> The real goal is to get files into to some userspace scanner and let
> them do whatever they want. Remember, this isn't a new LSM. The goal
> isn't to provide perfect security. The goal isn't to stop already
> running malicious programs. The one and only goal is to scan files. We
> should not be considering timing attacks, we should not be considering
> processes actively trying to get around the system for small periods of
> time. We should certainly not be considering root processes being able
> to sneak things by.
This means you need significant LSM components simply to protect
the integrity of the file scanner against root. It's even
unclear it's possible in the general case (e.g. X server doing
arbitary DMA and no IOMMU -- how do you protect the file scanner?)
> The idea is that a file exists on disk and we want
> some userspace program to give a best effort at scanning it. Yes, we
Ok so you're implying it's ok to not protect against root?
In the later case that means that you don't have to scan anything
that only root can touch and you can trust file permissions,
which makes a lot of things easier.
I would suggest again to clarify this important point first. It has
significant impact on the whole design.
Personally I would think not protecting against root would be quite
limiting (e.g. it would mean that e.g. if some worm trojans rpms
people download then they wouldn't be caught because rpms are
installed as root), but on the other hand if you protect against
root you need most of selinux/aa/other lsm functionality simply
to guarantee the integrity of the scanner. Also it has impact
on some apps, e.g. X server running as root would be usually out due to
the arbitary DMA issue. Also protect block devices could theoretically
have significant impact on some sysadmin tasks.
-Andi
On Wed, Aug 13, 2008 at 10:39:51AM -0700, Arjan van de Ven wrote:
> for the "dirty" case it gets muddy. You clearly want to scan "some
> time" after the write, from the principle of getting rid of malware
> that's on the disk, but it's unclear if this HAS to be synchronous.
> (obviously, synchronous behavior hurts performance bigtime so lets do
> as little as we can of that without hurting the protection).
Something else to think about is what happens if the file is naturally
written in pieces. For example, I've been playing with bittorrent
recently, and it appears that trackerd will do something... not very
intelligent in that it will repeatedly try to index a file which is
being written in pieces, and in some cases, it will do things like
call pdftext that aren't exactly cheap. A timeout *can* help (i.e.,
don't try to scan/index this file until 15 minutes after the last
write), but it won't help if the torrent is very large, or the
download bitrate is very slow. One very simple workaround is to
disable trackerd altogether while you are downloading the file, but
that's not very pleasant solution; it's horribly manual.
Most of this may end up being outside of the kernel (i.e.,some kind of
interface where a bittorrent client can say, "look this file is still
being downloaded, so it's don't bother scanning it unless some process
*other* than the bittorrent client tries to access the file". And
maybe there should be some other more complex policies, such as the
bittorrent client explicitly telling the indexer/scanner that the file
is has been completely downloaded, so it's safe to index it now.
But what this points out is that if you want a good solution, (a) it
probably shouldn't all be in the kernel, since trying to get all of
this complexity into the kernel will be painful, and (b) the policy
about whether or not a bittorrent client should be allowed to say,
"it's OK not to check the file until it's completely downloaded, even
if I am handing out pieces to other people over the network --- after
all the entire file has its own SHA checksum for data integrity
verification --- is very much a policy question where different system
administrators will come down on different sides about what should and
shouldn't be allowed --- and therefore this kind of policy decision
should ****NOT**** be in the kernel.
> For efficiency the kernel ought to keep track of which files have been
> declared clean, and it needs to track of a 'generation' of the scan
> with which it has been found clean (so that if you update your virus
> definitions, you can invalidate all previous scanning just by bumping
> the 'generation' number in whatever format we use).
We have an i_version support for NFSv4, so we have that already as far
as the version of the file. We can have a single bit which means
"block on open" that is stored on a file, and some kind of policy
which dictates whether or not any modification to the file contens
should automatically set the bit.
However, questions of which version of virus database was used to scan
a particular file should be stored outside of the filesystem, since
each product will have its own version namespace, and the questions of
what happens if a user switches from one version checker to another is
going to be messy. So better that this be done in userspace, and that
this information be stored in some on-disk database.
- Ted
On Wed, 13 Aug 2008 14:15:49 -0400
Theodore Tso <[email protected]> wrote:
> On Wed, Aug 13, 2008 at 10:39:51AM -0700, Arjan van de Ven wrote:
> > for the "dirty" case it gets muddy. You clearly want to scan "some
> > time" after the write, from the principle of getting rid of malware
> > that's on the disk, but it's unclear if this HAS to be synchronous.
> > (obviously, synchronous behavior hurts performance bigtime so lets
> > do as little as we can of that without hurting the protection).
>
> Something else to think about is what happens if the file is naturally
> written in pieces. For example, I've been playing with bittorrent
> recently, and it appears that trackerd will do something... not very
> intelligent in that it will repeatedly try to index a file which is
> being written in pieces, and in some cases, it will do things like
> call pdftext that aren't exactly cheap. A timeout *can* help (i.e.,
> don't try to scan/index this file until 15 minutes after the last
> write), but it won't help if the torrent is very large, or the
> download bitrate is very slow. One very simple workaround is to
> disable trackerd altogether while you are downloading the file, but
> that's not very pleasant solution; it's horribly manual.
>
> Most of this may end up being outside of the kernel (i.e.,some kind of
> interface where a bittorrent client can say, "look this file is still
> being downloaded, so it's don't bother scanning it unless some process
> *other* than the bittorrent client tries to access the file". And
> maybe there should be some other more complex policies, such as the
> bittorrent client explicitly telling the indexer/scanner that the file
> is has been completely downloaded, so it's safe to index it now.
>
> verification --- is very much a policy question where different system
> administrators will come down on different sides about what should and
> shouldn't be allowed --- and therefore this kind of policy decision
> should ****NOT**** be in the kernel.
exactly. Even more, since this is async work, the scheduling of the
order of work also is a policy.. and userland is again the right place
for that.
>
> > For efficiency the kernel ought to keep track of which files have
> > been declared clean, and it needs to track of a 'generation' of the
> > scan with which it has been found clean (so that if you update your
> > virus definitions, you can invalidate all previous scanning just by
> > bumping the 'generation' number in whatever format we use).
>
> We have an i_version support for NFSv4, so we have that already as far
> as the version of the file. We can have a single bit which means
> "block on open" that is stored on a file, and some kind of policy
> which dictates whether or not any modification to the file contens
> should automatically set the bit.
>
> However, questions of which version of virus database was used to scan
> a particular file should be stored outside of the filesystem, since
well I was assuming we only store this in memory (say in the inode) and
just rescan the file if we destroy the in memory inode.
I don't see the need for this to be persistent data; in fact I assume
(Eric, please confirm) that this data is not *supposed* to be
persistent.
> each product will have its own version namespace, and the questions of
> what happens if a user switches from one version checker to another is
yes that's a hard question; what if you have 2 virus scanners active.
(they could register a version of the database with the kernel, and the
in kernel version-cookie could be a hash of all registered versions I
suppose.. if anything changes ever we just rehash and scan as if we
have to do that)
--
If you want to reach me at my work email, use [email protected]
For development, discussion and tips for power savings,
visit http://www.lesswatts.org
On Wed, 13 Aug 2008 20:17:14 +0200
Andi Kleen <[email protected]> wrote:
>
> I would suggest again to clarify this important point first. It has
> significant impact on the whole design.
agreed.
>
> Personally I would think not protecting against root would be quite
> limiting (e.g. it would mean that e.g. if some worm trojans rpms
> people download then they wouldn't be caught because rpms are
> installed as root),
on argument could be that root apps like that could/should do explicit
scanning regardless.
(if we have an explicit interface to scan a file that's not too hard)
--
If you want to reach me at my work email, use [email protected]
For development, discussion and tips for power savings,
visit http://www.lesswatts.org
Andi Kleen wrote:
>
> This means you need significant LSM components simply to protect
> the integrity of the file scanner against root. It's even
> unclear it's possible in the general case (e.g. X server doing
> arbitary DMA and no IOMMU -- how do you protect the file scanner?)
>
Without Treacherous Computing, it isn't possible, even in kernel space.
In Treacherous Computing you can put it in the hypervisor, which of
course just means the hypervisor is now much bigger and likely to
contain security holes.
-hpa
On Wed, 2008-08-13 at 10:39 -0700, Arjan van de Ven wrote:
> On Wed, 13 Aug 2008 12:36:15 -0400
> Eric Paris <[email protected]> wrote:
>
> [finally good description snipped]
>
> >
> > 1) Kernel or userspace.
>
> this is kind of the last question to ask, not the first ;)
>
> > Not to mention there cannot be any checks for files
> > opened by suid apps in userspace.
>
> setuid apps do not use glibc? news to me.
I was thinking about LD_PRELOAD. you're right for most things it could
be glibc. I still have knfsd on my side though.
> > And while no specific claims are
> > being made about intentionally malicious code, putting this in kernel
> > makes programs which call syscalls directly much more difficult to be
> > used to circumvent the scanning.
>
> [so lets ignore this one]
/me doesn't want to ignore things that help his argument, even if they
are weak. :)
> > 2) I think the "best" time to do scanning is at read and write. Any
> > disagreements there?
>
> I agree about the "read" case.
> "write" is tricky... because there's many vectors to write, from
> write() system call to mmap() system call to truncate() system call.
> (yes you can write a stream of bytes that passes virus scan, and then
> truncate to be suddenly a live virus)
>
> I would propose to use the word "dirty" instead, we all know what we
> mean by that (it's all of them) and doesn't tie our thinking to the
> write() system call.
>
> I would like to introduce a concept in your discussion you did not
> mention yet in this email: the difference between synchronous scanning
> and asynchronous scanning.
I already have that concept! my open time scanning is sync and can
return an EACCESS. my close time scanning is async and only updates the
in inode clean/dirty mark. It makes no access decisions. That way on
the next open we are good to go! And yes yes, mmap write after close
invalides the async clean mark.
> It's clear from the protection model that you described that on 'read'
> you want to wait until the scan is done before you give the data to the
> process asking for it... and that's totally reasonable: "Do not give
> out bad data" is a very clear line in terms of security.
>
> for the "dirty" case it gets muddy. You clearly want to scan "some
> time" after the write, from the principle of getting rid of malware
> that's on the disk, but it's unclear if this HAS to be synchronous.
> (obviously, synchronous behavior hurts performance bigtime so lets do
> as little as we can of that without hurting the protection).
> One advantage of doing the dirty case async (and a little time delayed)
> is that repeated writes will get lumped up into one scan in practice,
> saving a ton of performance.
> (scan-on-close is just another way of implementing "delay the dirty
> scan").
> Based on Alans comments, to me this sounds like we should have an
> efficient mechanism to notify userspace of "dirty events"; this is not
> virus scan specific in any way or form. And this mechanism likely will
> need to allow multiple subscribers.
I'm certainly willing to go down the inotify'ish path for async
notification of 'dirty' inodes instead of implement my own async
mechanism if I can find a way to do it.
> for the open() case, I would argue that you don't need synchronous
> behavior as long as the read() case is synchronous. I can imagine that
> open() kicks off an async scan, and if it's done by the time the first
> read() happens, no blocking at all happens.
An interesting addition. Trying to keep these queues of events gets
much more complex, but if people really think the open to read race is
that important I've always said it wasn't impossible to close.
> For efficiency the kernel ought to keep track of which files have been
> declared clean, and it needs to track of a 'generation' of the scan
> with which it has been found clean (so that if you update your virus
> definitions, you can invalidate all previous scanning just by bumping
> the 'generation' number in whatever format we use).
> Clearly the kernel needs to wipe this clean generation number on any
> modification to the file (inode) of any kind. And clearly this needs to
> be done inside the kernel because tracking dirty operations in any
> other way is just insane.
I agree! i_talpa_seq_no I added to struct inode is exactly that!
> Now this to me we have a few basic building blocks:
> 1) We need an efficient mechanism to notify userspace of files that get
> dirtied. Virus scanners will subscribe to this for the async dirty
> scanning; indexing agents also will subscribe to this.
> 2) We very likely should have a mechanism for a userspace app to
> request a scan on a file, both sync or async (O_SYNC flag?). This is
> useful regardless because it allows the source of many things to do the
> right thing.
This means what exactly? Some new syscall? You want some program to
say "notify userspace about this inode" and then every userspace thing
that wants the notification gets it? Not sure how much brains I want to
build into generic userspace apps. I certainly wouldn't want to make
any userspace app easily be able to avoid AV scanning even if I make no
promises about malicious apps. Just because I don't make gurantees
doesn't mean I should make it easy. Just because I can't be 100% that a
fence won't keep the kids from falling in the pool doesn't mean I
shouldn't build it. Differentiating between don't AV scan and don't
index is going to be hard in a single interface, but not unsolvable.
> 3) we need a mechanism in the kernel to track "scanned with generation
> X of signatures" that invalidates on any dirty operation. The syscall
> from 2) will use this as a cache to be quick.
i_talpa_seq_no
> I think few people will disagree about this.
>
> Open questions now are
> 4) do we have the kernel kick off an async scan in open() or do we have
> glibc do this
> 5) do we have the kernel do the sync scan on read/mmap/.. or do we have
> glibc do this
scan on mmap read? How do I implement this? Do we update atime on mmap
read? can I do it there like I do for writes with mtime?
> I think this is where the whole debate is about now.
>
>
> And a few hard ones
> 6) how do we deal with multiple scanning agents in parallel
My first suggestion is we don't, and worry about it as soon as we have
the first parallel users.
> 7) how do we prevent malware from pretending to be a virus scanner
We don't. Let the LSM do its job?
On Wed, 2008-08-13 at 20:17 +0200, Andi Kleen wrote:
> On Wed, Aug 13, 2008 at 12:36:15PM -0400, Eric Paris wrote:
>
> I miss a clear answer to the question: is this
> supposed to protect against malware injected as root or not?
I thought I had summed that up. We are not interested in providing
protections against maliciously attacking programs be they root or not.
We are interested in scanning files read and written by root. We are
especially interested in programs run by root.
yum (as root) downloads trojan.rpm from youareanidiot.repo. We aren't
worried about yum maliciously attacking the system. What's going to
happen is that the scanner is going to scan the trojan.rpm when yum
calls rpm and rpm is going to be denied access to that file. Doesn't
matter how you download it, its going to get scanned when you try to
exec it.
Stop thinking this is an LSM or as a new security model. It's a file
scanner and "it ain't perfect security." But its very useful and
practical. If some malicious root application wants to turn it off it
can and I make no claims otherwise. This isn't supposed to help once
root has been subverted, you've already lost as you admit, its supposed
to help keep root form getting subverted.
-Eric
>
> > think we hear claim more grandious things. But from what I've seen they
> > aren't the real deal. Most of the security model descriptions that
> > people on list want actually are framed under the belief that these
> > products need to or attempt to completely block some class of attacks.
> > They don't. If you think they do you need to fix your frame of
> > reference. The only class of attacks this interface is supposed to
> > address is those that can be found by scanning files. This is NOT an
> > LSM.
>
> But you need some LSM like protections to be able to protect the file
> scanner? Like the block device or kernel memory protection.
>
> > The real goal is to get files into to some userspace scanner and let
> > them do whatever they want. Remember, this isn't a new LSM. The goal
> > isn't to provide perfect security. The goal isn't to stop already
> > running malicious programs. The one and only goal is to scan files. We
> > should not be considering timing attacks, we should not be considering
> > processes actively trying to get around the system for small periods of
> > time. We should certainly not be considering root processes being able
> > to sneak things by.
>
> This means you need significant LSM components simply to protect
> the integrity of the file scanner against root. It's even
> unclear it's possible in the general case (e.g. X server doing
> arbitary DMA and no IOMMU -- how do you protect the file scanner?)
>
> > The idea is that a file exists on disk and we want
> > some userspace program to give a best effort at scanning it. Yes, we
>
> Ok so you're implying it's ok to not protect against root?
>
> In the later case that means that you don't have to scan anything
> that only root can touch and you can trust file permissions,
> which makes a lot of things easier.
>
> I would suggest again to clarify this important point first. It has
> significant impact on the whole design.
>
> Personally I would think not protecting against root would be quite
> limiting (e.g. it would mean that e.g. if some worm trojans rpms
> people download then they wouldn't be caught because rpms are
> installed as root), but on the other hand if you protect against
> root you need most of selinux/aa/other lsm functionality simply
> to guarantee the integrity of the scanner. Also it has impact
> on some apps, e.g. X server running as root would be usually out due to
> the arbitary DMA issue. Also protect block devices could theoretically
> have significant impact on some sysadmin tasks.
>
> -Andi
On Wed, 2008-08-13 at 14:15 -0400, Theodore Tso wrote:
> On Wed, Aug 13, 2008 at 10:39:51AM -0700, Arjan van de Ven wrote:
> > for the "dirty" case it gets muddy. You clearly want to scan "some
> > time" after the write, from the principle of getting rid of malware
> > that's on the disk, but it's unclear if this HAS to be synchronous.
> > (obviously, synchronous behavior hurts performance bigtime so lets do
> > as little as we can of that without hurting the protection).
>
> Something else to think about is what happens if the file is naturally
> written in pieces. For example, I've been playing with bittorrent
> recently, and it appears that trackerd will do something... not very
> intelligent in that it will repeatedly try to index a file which is
> being written in pieces, and in some cases, it will do things like
> call pdftext that aren't exactly cheap. A timeout *can* help (i.e.,
> don't try to scan/index this file until 15 minutes after the last
> write), but it won't help if the torrent is very large, or the
> download bitrate is very slow. One very simple workaround is to
> disable trackerd altogether while you are downloading the file, but
> that's not very pleasant solution; it's horribly manual.
>
> Most of this may end up being outside of the kernel (i.e.,some kind of
> interface where a bittorrent client can say, "look this file is still
> being downloaded, so it's don't bother scanning it unless some process
> *other* than the bittorrent client tries to access the file". And
> maybe there should be some other more complex policies, such as the
> bittorrent client explicitly telling the indexer/scanner that the file
> is has been completely downloaded, so it's safe to index it now.
>
> But what this points out is that if you want a good solution, (a) it
> probably shouldn't all be in the kernel, since trying to get all of
> this complexity into the kernel will be painful, and (b) the policy
> about whether or not a bittorrent client should be allowed to say,
> "it's OK not to check the file until it's completely downloaded, even
> if I am handing out pieces to other people over the network --- after
> all the entire file has its own SHA checksum for data integrity
> verification --- is very much a policy question where different system
> administrators will come down on different sides about what should and
> shouldn't be allowed --- and therefore this kind of policy decision
> should ****NOT**** be in the kernel.
I never suggested putting a scanner in kernel. Sound like you want the
"allow don't cache" response from your userspace scanner while this is
going on. The kernel doesn't need to be making decisions about when to
send events, nor should userspace tell the kernel not to send events.
Its up to whatever the scanner is to agree not to actually do any
scanning...
> However, questions of which version of virus database was used to scan
> a particular file should be stored outside of the filesystem, since
> each product will have its own version namespace, and the questions of
> what happens if a user switches from one version checker to another is
> going to be messy. So better that this be done in userspace, and that
> this information be stored in some on-disk database.
No. How in the heck can some out of kernel database store information
about what inodes have been scanned in any even slightly sane way? And
people think the race between open and read is too large and you suggest
moving clean/dirty marking to a userspace database? I MUCH prefer my
(and it sounds like arjan agrees) clean/dirty versioned flag in inode.
-Eris
On Wed, Aug 13, 2008 at 03:02:48PM -0400, Eric Paris wrote:
> I never suggested putting a scanner in kernel. Sound like you want the
> "allow don't cache" response from your userspace scanner while this is
> going on. The kernel doesn't need to be making decisions about when to
> send events, nor should userspace tell the kernel not to send events.
> Its up to whatever the scanner is to agree not to actually do any
> scanning...
And if the system isn't running a virus checker, but just a file
indexer (ala tracker), it shouldn't go to userspace at all. In that
case all that is necessary is an asynchronous notification.
Also something else that is needed is support for multiple clients.
(i.e., what happens if the user runs two virus checkers, or a virus
checker plus a hierarchical storage manager driving a tape robot, or
all of the above plus trackerd --- where some clients need to block
open(2) access, and some do not need block open(2) --- and in the case
of HSM, ordering becomes important; you want to retrieve the file from
the tape robot first, *then* scan it using the virus checker. :-)
> No. How in the heck can some out of kernel database store information
> about what inodes have been scanned in any even slightly sane way? And
> people think the race between open and read is too large and you suggest
> moving clean/dirty marking to a userspace database? I MUCH prefer my
> (and it sounds like arjan agrees) clean/dirty versioned flag in inode.
Don't ask me; I think most AV checkers for linux are security theater
and not very much use (other than making money for the AV company's
shareholders) anyway. I thought you were the one who wanted to record
information about which version of the virus db a particular file had
been scanned against. The place where I can see this being useful is
what happens you get a new virus DB, and so you need to start scanning
all of the files in your 5TB enterprise file server --- and then the
system crashes or it needs to be taken down for scheduled maintenance.
You want to have *some* off-line database for storing this
information, since it would be silly to want to have the first thing
that happens after a new virus DB gets downloaded is to interate over
the entire filesystem, clearing a persistent the "clean" bit --- that
would take *forever* on a 5TB filerserver; and what happens if you
crash in the middle of clearing the "clean" bit.. And if the system
gets shutdown in the middle of the scan, you need some way of
remembering which inodes have been scanned using the "new" db, and
which ones haven't yet been scanned via the new virus db. All of this
should be kept in userpsace, and is strictly speaking Not Our Problem.
I'm just arguing that there should be absolutely *no* support in the
kernel for solving this particular problem, since the question of
whether a file has been scanned with a particular version of the virus
DB is purely a userspace problem.
- Ted
> > I don't think you need to be blocking if you passed up a file handle ?
>
> Without blocking and waiting how do you deny access? Maybe I needed
> another thing they do. "They do file scanning and deny access to bad
> files."
Denying access is easy enough - chmod it or set an SELinux label on it.
There are a limited number of useful arrangements I can see here
'opened for write deny [some set of] access until verified'
Thats an selinux state transition on open for write, and one from the
user space end on the other
'run around after things'
Which is simply a notifier and a relabel as 'contaminated' or similar (or
a chmod or mv ...) by the daemon end of things.
Now I can see why you might want a 'has been open for a write and dirty
for a while' notifier - again for indexing as well as virus scanners and
the like.
What other semantic do you have in mind given that you have to deal with
open by me, open by writer, content modified.. after I have it open
anyway ? It seems the rest is a discussion about time intervals ?
> -----Original Message-----
> From: [email protected] [mailto:malware-list-
> [email protected]] On Behalf Of Theodore Tso
> Sent: Wednesday, August 13, 2008 3:29 PM
> To: Eric Paris
> Cc: [email protected]; [email protected]; malware-
> [email protected]; [email protected]; [email protected];
> [email protected]; [email protected]; Arjan van de Ven
> Subject: Re: [malware-list] TALPA - a threat model? well sorta.
>
> Also something else that is needed is support for multiple clients.
> (i.e., what happens if the user runs two virus checkers, or a virus
> checker plus a hierarchical storage manager driving a tape robot, or
> all of the above plus trackerd --- where some clients need to block
> open(2) access, and some do not need block open(2) --- and in the case
> of HSM, ordering becomes important; you want to retrieve the file from
> the tape robot first, *then* scan it using the virus checker. :-)
The issue of multiple clients does need to be accounted for. However, I
will mention that it is unusual (at least in my experience) to actually
run two AV products at the same time in "realtime" mode. We strongly
recommend that anyone who installs our product should remove any other
AV product on the system -- for technical reasons, not financial --
since they've already paid for ours by the time they get to this point.
I am not aware of anyone objecting to that idea.
> I'm just arguing that there should be absolutely *no* support in the
> kernel for solving this particular problem, since the question of
> whether a file has been scanned with a particular version of the virus
> DB is purely a userspace problem.
Caching of previous results can be done in either user space or kernel
space. We have seen it both ways. Wherever it is done, I would say
that rather than record AV signature file version numbers, there should
be a mechanism for the application to invalidate or flush the cache
whenever a signature update is done. There are other circumstances
where that would also be useful -- such as if the user changes a
scanning option in a way that increases the strictness of the scan. In
other words, a file that was marked as clean based on one level of
strictness may not be clean under a stricter scan. You wouldn't want
the cache to prevent it from being scanned under such circumstances.
Jon Press
> -----Original Message-----
> From: [email protected] [mailto:malware-list-
> [email protected]] On Behalf Of Alan Cox
> Sent: Wednesday, August 13, 2008 3:59 PM
> To: Eric Paris
> Cc: [email protected]; [email protected]; malware-
> [email protected]; [email protected]; [email protected];
> [email protected]; [email protected]
> Subject: Re: [malware-list] TALPA - a threat model? well sorta.
>
> > > I don't think you need to be blocking if you passed up a file
handle ?
> >
> > Without blocking and waiting how do you deny access? Maybe I needed
> > another thing they do. "They do file scanning and deny access to
bad
> > files."
>
> Denying access is easy enough - chmod it or set an SELinux label on
it.
I may be missing something about your suggestion, but I don't see how
this would work. Who does the chmod?
Here's a sequence:
- Application opens file
- AV scanner notified in some way without blocking
- Application reads file into memory
- AV scanner determines file is infected.
- AV scanner chmod's file -- oops, too late.
- Application sends file over the wire to another machine with a more
vulnerable OS
How would this be prevented?
Jon Press
> I may be missing something about your suggestion, but I don't see how
> this would work. Who does the chmod?
>
> Here's a sequence:
>
> - Application opens file
> - AV scanner notified in some way without blocking
> - Application reads file into memory
The discussion has been about scanning on write.
> - AV scanner determines file is infected.
> - AV scanner chmod's file -- oops, too late.
> - Application sends file over the wire to another machine with a more
> vulnerable OS
>
> How would this be prevented?
I don't think you can. In your case how does your AV scanner deal with
the case where the application opens the file while another user has it
open and the other user (or even other task with the same handle) changes
the content possibly via mmap.
Content may also directly be shared between users of a file using the
mmap interfaces so your scan on read model is rather dysfunctional.
On Wed, 13 Aug 2008 17:24:28 -0400
"Press, Jonathan" <[email protected]> wrote:
> I may be missing something about your suggestion, but I don't see how
> this would work. Who does the chmod?
Chmod is also not a solution to the hierarchical storage (or incremental
restore from backup) problem.
I believe we really do need the block-on-open.
--
All Rights Reversed
On Wed, 13 Aug 2008 14:57:44 -0400
Eric Paris <[email protected]> wrote:
> > for the open() case, I would argue that you don't need synchronous
> > behavior as long as the read() case is synchronous. I can imagine
> > that open() kicks off an async scan, and if it's done by the time
> > the first read() happens, no blocking at all happens.
>
> An interesting addition. Trying to keep these queues of events gets
> much more complex, but if people really think the open to read race is
> that important I've always said it wasn't impossible to close.
it's not "just" about open-to-read race.
it's about open being non-blocking, and if read is not immediate, never
hitting the latency at all.
The real point is that "read" is the actual point you want to
intercept, not "open" (you even wrote that in your description).. so
why not just do that ?
The open case then is just a performance optimization.
> > Open questions now are
> > 4) do we have the kernel kick off an async scan in open() or do we
> > have glibc do this
> > 5) do we have the kernel do the sync scan on read/mmap/.. or do we
> > have glibc do this
>
> scan on mmap read? How do I implement this?
on calling mmap(); not at fault time.
--
If you want to reach me at my work email, use [email protected]
For development, discussion and tips for power savings,
visit http://www.lesswatts.org
On Wed, 13 Aug 2008 17:35:29 -0400
Rik van Riel <[email protected]> wrote:
> On Wed, 13 Aug 2008 17:24:28 -0400
> "Press, Jonathan" <[email protected]> wrote:
>
> > I may be missing something about your suggestion, but I don't see how
> > this would work. Who does the chmod?
>
> Chmod is also not a solution to the hierarchical storage (or incremental
> restore from backup) problem.
>
> I believe we really do need the block-on-open.
The block on open is orthogonal really. Useful for HSM, useful for
certain very primitive scanning but not much else that I can see.
And its a minor mod to the security hooks to allow it as far as I can see
On Wednesday 13 August 2008, Andi Kleen wrote:
> On Wed, Aug 13, 2008 at 12:36:15PM -0400, Eric Paris wrote:
>
> I miss a clear answer to the question: is this
> supposed to protect against malware injected as root or not?
I honestly don't think we should worry about root. Sure, if the AV scanner
happens to catch something (as a consequence of it's implementation), then
very well. But designing an antimalware solution which assumes the root is
compromised will throw us into security talks for years and I don't think
we'll live to hear the end of them.
We should focus on the regular users and fix (if needed) the current userland
apps (ie. the ones that need root access to do their job). For anymore than
that we'll need a super user that supervises root. And then another one.
> Assuming it wants to protect against root:
> > think we hear claim more grandious things. But from what I've seen they
> > aren't the real deal. Most of the security model descriptions that
> > people on list want actually are framed under the belief that these
> > products need to or attempt to completely block some class of attacks.
> > They don't. If you think they do you need to fix your frame of
> > reference. The only class of attacks this interface is supposed to
> > address is those that can be found by scanning files. This is NOT an
> > LSM.
>
> But you need some LSM like protections to be able to protect the file
> scanner? Like the block device or kernel memory protection.
>
> > The real goal is to get files into to some userspace scanner and let
> > them do whatever they want. Remember, this isn't a new LSM. The goal
> > isn't to provide perfect security. The goal isn't to stop already
> > running malicious programs. The one and only goal is to scan files. We
> > should not be considering timing attacks, we should not be considering
> > processes actively trying to get around the system for small periods of
> > time. We should certainly not be considering root processes being able
> > to sneak things by.
>
> This means you need significant LSM components simply to protect
> the integrity of the file scanner against root. It's even
> unclear it's possible in the general case (e.g. X server doing
> arbitary DMA and no IOMMU -- how do you protect the file scanner?)
>
> > The idea is that a file exists on disk and we want
> > some userspace program to give a best effort at scanning it. Yes, we
>
> Ok so you're implying it's ok to not protect against root?
>
> In the later case that means that you don't have to scan anything
> that only root can touch and you can trust file permissions,
> which makes a lot of things easier.
>
> I would suggest again to clarify this important point first. It has
> significant impact on the whole design.
>
> Personally I would think not protecting against root would be quite
> limiting (e.g. it would mean that e.g. if some worm trojans rpms
> people download then they wouldn't be caught because rpms are
> installed as root)
If GPG signatures don't work, then please fix the rpm design and if the user
willingly installs a .rpm which is not signed (not from a known trusted host)
and somehow doges the basic antimalware scanner, then too bad. We've done all
we could.
> , but on the other hand if you protect against
> root you need most of selinux/aa/other lsm functionality simply
> to guarantee the integrity of the scanner. Also it has impact
> on some apps, e.g. X server running as root would be usually out due to
> the arbitary DMA issue. Also protect block devices could theoretically
> have significant impact on some sysadmin tasks.
I think we need to define the 'desktop user' and provide a decent protection
mechanism for his common activities (edit documents, listen music, navigate
the web, see movies, run scripts which change the IM status etc). For the
rest, there are two possibilities:
1. education (_extremely_ important);
2. SELinux (or similar);
I don't think there will ever be an AV product using the marketing line: "it
allows you to run your favorite rootkit and enjoy the pretty text it shows,
with no worries".
In conclusion: everything AV related should stop at the user root. Popular
distro-s already provide a way to do your daily office tasks without super
user rights, which _is_ the correct thing to do.
--
Mihai Donțu
(this was posted in linux.kernel, before I realized there was a
linux.kernel.malware. Hope it helps your discussion)
(FYI. Dazuko may have trailblazed some of the issues now under
discussion re: libmalware.so. It has worked well for me. It used to be
an LKM, it is now a source patch. It is used in a number of commercial
products)
<http://dazuko.dnsalias.org/wiki/index.php/Main_Page>
"A Virtual Device Driver to Allow Online File Access Control
A common interface is needed, which allows userland applications to
perform online file access control. Dazuko aims to provide that interface."
FWIW, I'm not associated with Dazuko or Antivir; I've been happily using
Dazuko with AntiVir for a year or so.
1. AntiVir includes numerous Linux signatures as well as Windows. So I
scan both 'ix downloads, as well as the process of compiling new software.
2. Other AntiMalwares are using Dazuko, though many are scanning for
Windows malware only.
3. The AntiVir/Dazuko combination with full heuristics has blocked
access to clearly dangerous JS scripts in my browser cache.
4. IMHO, what is needed is a Dazuko or libmalware/Integrity database
link. If an md5 of an executable or script is new or has changed, access
is blocked 'til a response to a popup is given. Access can be blocked;
one-time allowed; or permanently allowed, in which case the md5 is updated.
Hope This Helps.
<next msg>
Andi Kleen wrote:
> 7v5w7go9ub0o <[email protected]> writes:
>
>> (FYI. Dazuko may have trailblazed some of the issues now under
>> discussion re: libmalware.so. It has worked well for me.
>
> Against what exactly did it protect you? Please give a concrete example.
>
> -Andi
>
1. This came in a few minutes ago:
Aug 13 14:56:31 tux antivir[6381]: AntiVir ALERT: [EML/FakeLink.F]
/jail/tbird/root/.thunderbird/0r2957kg.default/Mail/L
ocal Folders/Junk.XXX <<< Contains detection pattern of EML/FakeLink.F
in EML form
2. I have not retained the logs of "suspicious scripts" in my browser,
but have come across perhaps 4 blocked scripts within the last month.
Admittedly at dodgy sites.
XSS attacks are platform independent, and are a significant concern.
Please note that when I say it has worked well for me, I am not saying
that it has saved my bacon! :-)
1. I am referring to the mechanics of having the Kernel/userland app
stop processing when it finds a malware signature or heuristic detection.
2. Am also referring to the totally manageable (IMHO) overhead.
I've mentioned my experience with Dazuko/antivir only because it may be
useful to the ongoing discussion about the nature of libmalware.so.
3. I am frankly waiting for a bug to get into my upstream distribution
chain - through a hijacking or some wonderful DNS prank - at which point
I ..hope.. a signature or heuristic will block my root-enabled make install.
4. Again, my hope for libmalware.so/dazuko is a realtime
integrity-management link.
<end posts>
HTH
p.s. The question has developed, should this monitor root activities.
IMHO, the answer is a definite YES! We are most vulnerable during
software updating; AntiMailware signatures may stop the compilation or
installation of a Trojan - by root.
7v5w7go9ub0o wrote:
>
> 4. Again, my hope for libmalware.so/dazuko is a realtime
> integrity-management link.
>
> <end posts>
>
> HTH
>
> p.s. The question has developed, should this monitor root activities.
> IMHO, the answer is a definite YES! We are most vulnerable during
> software updating; AntiMailware signatures may stop the compilation or
> installation of a Trojan - by root.
>
I just noticed a separate discussion about integrity-checking LKMs and LSMs.
Obviously, a libmalware.so or Dazuko based integrity-checker would block
a kernel from loading in a Trojaned LKM - noting that the MD5 had
changed, and asking you to block, temporarily allow, or permanently
allow the changed module.
Another security benefit of your pursuit.
HTH
Arjan van de Ven wrote on 13/08/2008 19:21:49:
> > However, questions of which version of virus database was used to scan
> > a particular file should be stored outside of the filesystem, since
>
> well I was assuming we only store this in memory (say in the inode) and
> just rescan the file if we destroy the in memory inode.
> I don't see the need for this to be persistent data; in fact I assume
> (Eric, please confirm) that this data is not *supposed* to be
> persistent.
Correct.
> > each product will have its own version namespace, and the questions of
> > what happens if a user switches from one version checker to another is
>
> yes that's a hard question; what if you have 2 virus scanners active.
>
> (they could register a version of the database with the kernel, and the
> in kernel version-cookie could be a hash of all registered versions I
> suppose.. if anything changes ever we just rehash and scan as if we
> have to do that)
It is in fact really simple with the proposed inode versioning approach.
Any client which wants to invalidate the cache just needs to bump the
global version number which will force a rescan on next access.
Tvrtko
Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.
Company Reg No 2096520. VAT Reg No GB 348 3873 20.
Theodore Tso wrote on 13/08/2008 20:29:22:
> On Wed, Aug 13, 2008 at 03:02:48PM -0400, Eric Paris wrote:
> > I never suggested putting a scanner in kernel. Sound like you want
the
> > "allow don't cache" response from your userspace scanner while this is
> > going on. The kernel doesn't need to be making decisions about when
to
> > send events, nor should userspace tell the kernel not to send events.
> > Its up to whatever the scanner is to agree not to actually do any
> > scanning...
>
> And if the system isn't running a virus checker, but just a file
> indexer (ala tracker), it shouldn't go to userspace at all. In that
> case all that is necessary is an asynchronous notification.
>
> Also something else that is needed is support for multiple clients.
> (i.e., what happens if the user runs two virus checkers, or a virus
> checker plus a hierarchical storage manager driving a tape robot, or
> all of the above plus trackerd --- where some clients need to block
> open(2) access, and some do not need block open(2) --- and in the case
> of HSM, ordering becomes important; you want to retrieve the file from
> the tape robot first, *then* scan it using the virus checker. :-)
Hm, maybe by implementing a facility with which a client can register it's
interface usage intent? Something like:
register(I_HAVE_NO_INTEREST_IN_CONTENT);
register(I_WANT_TO_EXAMINE_CONTENT);
All former ones would run first because they only want to have the
opportunity to block and do something unrelated to file content (like
HSMs), and later group would be ran last since they want to examine the
content.
Ordering inside those two groups is not important because I don't see how
a model other than restrictive can make sense with content security
scanning.
> > No. How in the heck can some out of kernel database store information
> > about what inodes have been scanned in any even slightly sane way? And
> > people think the race between open and read is too large and you
suggest
> > moving clean/dirty marking to a userspace database? I MUCH prefer my
> > (and it sounds like arjan agrees) clean/dirty versioned flag in inode.
>
> Don't ask me; I think most AV checkers for linux are security theater
> and not very much use (other than making money for the AV company's
> shareholders) anyway. I thought you were the one who wanted to record
> information about which version of the virus db a particular file had
> been scanned against. The place where I can see this being useful is
> what happens you get a new virus DB, and so you need to start scanning
> all of the files in your 5TB enterprise file server --- and then the
> system crashes or it needs to be taken down for scheduled maintenance.
>
> You want to have *some* off-line database for storing this
> information, since it would be silly to want to have the first thing
> that happens after a new virus DB gets downloaded is to interate over
> the entire filesystem, clearing a persistent the "clean" bit --- that
> would take *forever* on a 5TB filerserver; and what happens if you
> crash in the middle of clearing the "clean" bit.. And if the system
> gets shutdown in the middle of the scan, you need some way of
> remembering which inodes have been scanned using the "new" db, and
> which ones haven't yet been scanned via the new virus db. All of this
> should be kept in userpsace, and is strictly speaking Not Our Problem.
>
> I'm just arguing that there should be absolutely *no* support in the
> kernel for solving this particular problem, since the question of
> whether a file has been scanned with a particular version of the virus
> DB is purely a userspace problem.
The thing is the idea never was for clean-dirty "database" to be
persistent but to have the same lifetime as the inode (in memory one). And
once the cache/database gets invalidated re-scanning happens on-demand so
the 5TB problem does not exist. Concerns about multiple clients where
every has a different versioning scheme are also not relevant with the
proposed versioning scheme (see my reply to Arjan).
So this problem can be solved in kernel in a much more performant and
secure way than it would be possible in userspace and all that with just a
handfull of lines of code.
--
Tvrtko A. Ursulin
Senior Software Engineer, Sophos
"Views and opinions expressed in this email are strictly those of the
author.
The contents has not been reviewed or approved by Sophos."
Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.
Company Reg No 2096520. VAT Reg No GB 348 3873 20.
Eric Paris wrote on 13/08/2008 19:57:44:
> > It's clear from the protection model that you described that on 'read'
> > you want to wait until the scan is done before you give the data to
the
> > process asking for it... and that's totally reasonable: "Do not give
> > out bad data" is a very clear line in terms of security.
> >
> > for the "dirty" case it gets muddy. You clearly want to scan "some
> > time" after the write, from the principle of getting rid of malware
> > that's on the disk, but it's unclear if this HAS to be synchronous.
> > (obviously, synchronous behavior hurts performance bigtime so lets do
> > as little as we can of that without hurting the protection).
> > One advantage of doing the dirty case async (and a little time
delayed)
> > is that repeated writes will get lumped up into one scan in practice,
> > saving a ton of performance.
> > (scan-on-close is just another way of implementing "delay the dirty
> > scan").
> > Based on Alans comments, to me this sounds like we should have an
> > efficient mechanism to notify userspace of "dirty events"; this is not
> > virus scan specific in any way or form. And this mechanism likely will
> > need to allow multiple subscribers.
>
> I'm certainly willing to go down the inotify'ish path for async
> notification of 'dirty' inodes instead of implement my own async
> mechanism if I can find a way to do it.
Do I understand correctly that everyone agrees scanning whenever an inode
gets dirty would be a terrible thing for performance?
Another thing we have here is that malware could not be neccessariliy
identified until the very last write (one example where it will always be
the case are PDF files (I think)).
So the whole question is at which point should be performing an async
scan. Close seems like a natural point which should be ideal for majority
of applications, I don't see how any time-based lumping/delaying scheme
can be better than close?
> > for the open() case, I would argue that you don't need synchronous
> > behavior as long as the read() case is synchronous. I can imagine that
> > open() kicks off an async scan, and if it's done by the time the first
> > read() happens, no blocking at all happens.
>
> An interesting addition. Trying to keep these queues of events gets
> much more complex, but if people really think the open to read race is
> that important I've always said it wasn't impossible to close.
This really sounds pretty interesting. Not necessariliy so much as a
performance optimisation, because I am not sure there are so many programs
where first read comes long after the first open, but as closing the
open-read race.
Could the implementation be not so complicated after all? If we generated
the same (roughly) event on reads and pass it for scanning if cache has
been invalidated in the mean time? The only thing is this could be a big
performance hit so some benchmarking might be in order depending on which
the read hook could be made run-time optional.
--
Tvrtko A. Ursulin
Senior Software Engineer, Sophos
"Views and opinions expressed in this email are strictly those of the
author.
The contents has not been reviewed or approved by Sophos."
Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.
Company Reg No 2096520. VAT Reg No GB 348 3873 20.