2008-08-05 22:29:20

by Greg KH

Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning

On Tue, Aug 05, 2008 at 06:12:34PM -0400, Press, Jonathan wrote:
> Sorry for the top-post... but I give up.
>
> I don't think I'm stupid, but frankly I don't understand the point of
> the questions being asked in the last three responses to my statement.
> I don't know why they are relevant, and I don't know how to answer
> them in a framework that we can all understand at the same time. What
> is my threat model? Naively stated, it is that there is a file on a
> machine that might do damage, either there or elsewhere, and I want to
> find it and get rid of it in the most efficient way. I am not
> defining the nature of the damage or the mechanism.

If you can not define this, in a precise manner, then how can we expect
to review the proposed solution to ensure that it matches your needs?

Without that, this patchset is going to go nowhere but into the circular
bin :(

greg k-h


2008-08-05 23:38:34

by Al Viro

Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning

On Tue, Aug 05, 2008 at 03:26:38PM -0700, Greg KH wrote:
> On Tue, Aug 05, 2008 at 06:12:34PM -0400, Press, Jonathan wrote:
> > Sorry for the top-post... but I give up.
> >
> > I don't think I'm stupid, but frankly I don't understand the point of
> > the questions being asked in the last three responses to my statement.
> > I don't know why they are relevant, and I don't know how to answer
> > them in a framework that we can all understand at the same time.

Excuse me? One of those questions had been a very specific yes-or-no one
and I certainly hope that we all can understand either answer to such...

For the record, the question is

"Do you or do you not expect the malware to be active on scanning host?"

I hope that relevance of that to the analysis of software involved in
scanning should be obvious.

2008-08-05 23:49:17

by Eric Paris

Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning

On Wed, 2008-08-06 at 00:37 +0100, Al Viro wrote:
> On Tue, Aug 05, 2008 at 03:26:38PM -0700, Greg KH wrote:
> > On Tue, Aug 05, 2008 at 06:12:34PM -0400, Press, Jonathan wrote:
> > > Sorry for the top-post... but I give up.
> > >
> > > I don't think I'm stupid, but frankly I don't understand the point of
> > > the questions being asked in the last three responses to my statement.
> > > I don't know why they are relevant, and I don't know how to answer
> > > them in a framework that we can all understand at the same time.
>
> Excuse me? One of those questions had been a very specific yes-or-no one
> and I certainly hope that we all can understand either answer to such...
>
> For the record, the question is
>
> "Do you or do you not expect the malware to be active on scanning host?"

I do believe for a number of AV vendors the answer is yes. I will try
to have some offline conversations with the right people at a number of
vendors and work to better define the threats that they wish to or
believe they are able to help mitigate.

-Eric

> I hope that relevance of that to the analysis of software involved in
> scanning should be obvious.

2008-08-05 23:58:34

by Theodore Ts'o

Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning

On Tue, Aug 05, 2008 at 07:48:52PM -0400, Eric Paris wrote:
> I do believe for a number of AV vendors the answer is yes. I will try
> to have some offline conversations with the right people at a number of
> vendors and work to better define the threats that they wish to or
> believe they are able to help mitigate.

OK, and if the malware is running on the machine, does the malware
have root (superuser) access?

- Ted

2008-08-06 00:14:19

by Greg KH

Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning

On Tue, Aug 05, 2008 at 07:48:52PM -0400, Eric Paris wrote:
> On Wed, 2008-08-06 at 00:37 +0100, Al Viro wrote:
> > On Tue, Aug 05, 2008 at 03:26:38PM -0700, Greg KH wrote:
> > > On Tue, Aug 05, 2008 at 06:12:34PM -0400, Press, Jonathan wrote:
> > > > Sorry for the top-post... but I give up.
> > > >
> > > > I don't think I'm stupid, but frankly I don't understand the point of
> > > > the questions being asked in the last three responses to my statement.
> > > > I don't know why they are relevant, and I don't know how to answer
> > > > them in a framework that we can all understand at the same time.
> >
> > Excuse me? One of those questions had been a very specific yes-or-no one
> > and I certainly hope that we all can understand either answer to such...
> >
> > For the record, the question is
> >
> > "Do you or do you not expect the malware to be active on scanning host?"
>
> I do believe for a number of AV vendors the answer is yes. I will try
> to have some offline conversations with the right people at a number of
> vendors and work to better define the threats that they wish to or
> believe they are able to help mitigate.

This is troubling to me. Why "offline conversations"? Why are you
being forced to be the mediator here? Why will these companies not
contribute directly to the development of this code/model in public,
like all other major Linux kernel contributions?

Isn't this the point of the malware-list in the first place?

For them to hide behind _anyone_ seems very suspect.

thanks,

greg k-h

2008-08-06 00:34:05

by Eric Paris

Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning

On Tue, 2008-08-05 at 17:11 -0700, Greg KH wrote:
> On Tue, Aug 05, 2008 at 07:48:52PM -0400, Eric Paris wrote:
> > On Wed, 2008-08-06 at 00:37 +0100, Al Viro wrote:
> > > On Tue, Aug 05, 2008 at 03:26:38PM -0700, Greg KH wrote:
> > > > On Tue, Aug 05, 2008 at 06:12:34PM -0400, Press, Jonathan wrote:
> > > > > Sorry for the top-post... but I give up.
> > > > >
> > > > > I don't think I'm stupid, but frankly I don't understand the point of
> > > > > the questions being asked in the last three responses to my statement.
> > > > > I don't know why they are relevant, and I don't know how to answer
> > > > > them in a framework that we can all understand at the same time.
> > >
> > > Excuse me? One of those questions had been a very specific yes-or-no one
> > > and I certainly hope that we all can understand either answer to such...
> > >
> > > For the record, the question is
> > >
> > > "Do you or do you not expect the malware to be active on scanning host?"
> >
> > I do believe for a number of AV vendors the answer is yes. I will try
> > to have some offline conversations with the right people at a number of
> > vendors and work to better define the threats that they wish to or
> > believe they are able to help mitigate.
>
> This is troubling to me. Why "offline conversations"? Why are you
> being forced to be the mediator here? Why will these companies not
> contribute directly to the development of this code/model in public,
> like all other major Linux kernel contributions?

I'm going to be trying to get them to talk offline because obviously few
people from the AV industry are stepping up online. I'm told we'll be
hearing from Sophos tomorrow and hopefully they will have read all of
today's chatter and will form a coherent position.

> Isn't this the point of the malware-list in the first place?

Yes it is; hopefully, if we can move parts of this conversation to the
malware list, the AV vendors will feel a bit less like this is an us
against them proposition and more like a collaborative effort. From my
point of view I'd have to say that everyone has been refreshingly
polite :)

> For them to hide behind _anyone_ seems very suspect.

I don't think it's hiding; I'm attempting to bring these companies, who
just don't understand how to work in public after years of building
walls, along at a reasonable pace so no one feels they have to give up or
that finding a real solution is an impossible task.

-Eric

2008-08-06 00:46:22

by Rik van Riel

Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning

On Tue, 05 Aug 2008 20:25:29 -0400
Eric Paris <[email protected]> wrote:

> I don't think it's hiding, I'm attempting to bring these companies who
> just don't understand how to work in public

That's not my worry.

My real worry is that the anti-virus companies have been working
with an enforcement policy that has been evolving slowly from the
DOS days, while today's threat model has changed considerably.

I do not see how the proposed hooks would close off a system
sufficiently to claim anything approaching security.

The way forward is to:
1) define a threat model
2) figure out what infrastructure is needed for protection
3) come up with interfaces that also help other software
(eg. file range inotify to help disk indexing software)

Trying to shoe-horn the DOS anti-virus security model into a
multi-user operating system with networking may not be sufficient
protection for today's world. E.g. it does not protect against
script viruses fetched off web sites and executed directly in
a browser, office suite or any gnome-vfs enabled program. This
is a major vulnerability in modern systems.

What problem are we really trying to solve?

Which problems are out of scope?

What infrastructure can solve the problem, while being useful
for other things too?

--
All rights reversed.

2008-08-06 01:51:42

by Theodore Ts'o

Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning

On Tue, Aug 05, 2008 at 08:46:00PM -0400, Rik van Riel wrote:
> My real worry is that the anti-virus companies have been working
> with an enforcement policy that has been evolving slowly from the
> DOS days, while today's threat model has changed considerably.

... and which also doesn't take into account some of the facilities which
Linux has, that DOS/Windows does not have.

Part of the problem, I suspect, is that the AV folks have managed to get
CIOs to believe that all computer systems need to have anti-virus
software of the same design that is needed for DOS/Windows systems.
This state of delusion is so bad that apparently some AV engineers
aren't even willing to reason from first principles about what is
necessary or not to maintain a secure system.

And arguably, if the goal is security theater, much like the security
lines in airports, perhaps it doesn't matter. If there are silly
CIOs that are willing to pay for such a thing, regardless of whether
or not it is actually *necessary* to maintain security, one school of
capitalism would say it doesn't matter if it actually provides any
functional value or not.

On the other hand, it seems pretty clear there are plenty of LKML
developers who aren't buying it. :-)

It may be helpful to separate the threat model into at least three
different scenarios:

The Linux Desktop (where clueless users may be tricked into
running malware).

The Linux File Server (where it is *highly* unlikely to have
active running malware, since there are no clueless
users running on said file server), but where malware
may be stored and read over CIFS, NFS, etc.

The Linux Mail server is really a restricted case of the Linux
Fileserver; where the only way in is SMTP, and the
only protocol out is IMAP/POP.

Clamav arguably does a very nice job for the third case. And the
number of ways in and out for a Linux fileserver is sufficiently small
(and there are no clueless users to start the malware program
running), that it's relatively easy to reason about.

In the Linux Desktop case, you do have to worry about clueless users,
but in general you don't have to worry about serving CIFS or NFS on
such boxes.

It seems that the AV folks are trying to argue for a worst case
scenario --- one where you have a clueless user, *and* you have a root
compromise, *and* it is also simultaneously serving as a high output
fileserver. #1, I think it is questionable whether this is a
reasonable model, and #2, if root is compromised, no amount of
scanning software will help you, since the malware can simply directly
attach and disable the scanning software.

But it is specifically this sort of threat analysis and explicit
detailing of the assumptions of what capabilities the attacker has
which is critical for proceeding. The fact that at least one AV engineer
thinks it's pointless to do this sort of low-level design is
disappointing.

- Ted

2008-08-08 10:54:18

by Jörg Ostertag

Subject: Re: [malware-list] Threat model for Unix Computers

On Wednesday, 6 August 2008 03:44, Theodore Tso wrote:
> On Tue, Aug 05, 2008 at 08:46:00PM -0400, Rik van Riel wrote:

...

I'm trying to fill in some other threat models, not all directly related to
virus scanning, but if we want to get a complete anti-threat model for Linux,
we should take them into account too.
In addition, I'll add some usage scenarios for later extracting some threat
scenarios ...

Desktop-Users:
----------------------
> The Linux Desktop (where clueless users may be tricked into
> running malware).

I would add the chance of users exporting their locally stored files via CIFS,
SMB, HTTP, ... for accessing them with their beloved streaming clients.

Speaking of exporting files from a desktop PC, we should also take into account
file-sharing clients.

Some more examples of a desktop user's desires would be:
- copying files to/from their PDA (BT, USB, WLAN)
- sharing an internet connection with their PDA (BT, USB, WLAN)

Other threats would be:
- giving access to the desktop PC to guest users for
"just let me look up something on the internet"
and the guest user on the desktop not informing about the (in his point of
view) urgent installation of their beloved
Browser-malware^H^H^H^H^H -adware ^H^H^H^H^H -extension

For all the files stored on the desktop PC we should also take into account
that the paranoid desktop user would store them inside an encrypted
device/container. Some examples would be: truecrypt container/partition,
external encrypted hard drive, ...

... speaking of storing files, I would expect even desktop home users to store
their files on a local mini file server (like a Fritz-Box, NSLU2, ...) to
share them with other devices like multimedia players, ...

Notebook-Users:
------------------------
And then we have the Linux notebook users. I separate these from the desktop
users, because they will have most of the scenarios for desktop users plus
some additional threats.
- connecting to random access points (airports, hotels, ...)
- exporting their wireless (BT, WLAN, UMTS, ...) to random people, sometimes
willingly, sometimes unwillingly
- leaving their notebooks unattended
  - without BIOS password
  - without HDD encryption
  - without boot-manager password
  - without screen lock
  - ...

Linux Desktops in public places:
--------------------------------------------
I'm thinking of Linux Desktop PCs in places like Internet-Cafe,
Public-Library, School, ...
These would be similar to the Standard Linux Desktop but adding some
additional threats.
- willingly trying to attack the PC with physical access to
  - CD-ROM
  - USB devices
    - USB stick
    - card reader
  - network cable
  - floppy drive (if still existing)
  - reset button


> The Linux File Server (where it is *highly* unlikely to have
> active running malware, since there are no clueless
> users running on said file server), but where malware
> may be stored and read over CIFS, NFS, etc.

Maybe it "was" unlikely, but you can see more and more
(now-)Unix administrators who are originally used to other operating systems
and have a different view of security. So it would be nice if we were able to
protect these users/admins/installations too.

Mail-Proxy:
--------------
> The Linux Mail server is really a restricted case of the Linux
> Fileserver; where the only way in is SMTP, and the
> only protocol out is IMAP/POP.

I would add SMTP for the outgoing channel too.


Web-Proxy:
----------------
Only to complete the list:
The Linux Web Proxy is another example of a Linux Server.
The way in would be http traffic (mostly over port
80 and 443) and the way out will be either over a shared
proxy port or offered transparent if the Linux machine is used
as router.

In my opinion all good web proxies with a scanner already provide a pretty good
solution here.



--
Jörg Ostertag - Manager UNIX SW Development - Avira GmbH
Phone: +49 (0) 7542/500-500
Fax: +49 (0) 7542/500-576
Lindauer Str. 21, D-88069 Tettnang, Germany, http://www.avira.com
PGP Key-ID: 0x46BDEF37


2008-08-08 22:26:58

by Peter Dolding

Subject: Re: [malware-list] Threat model for Unix Computers

On Fri, Aug 8, 2008 at 8:48 PM, Jörg Ostertag <[email protected]> wrote:
> ...
Software Conflicts
------------------------
Anti-virus software conflicting with other security software. This is
a design issue on Windows and some of the hooks different companies
have tried to develop for the Linux world.

Linux systems can have HIDS and other non anti-virus monitoring
software. On Windows, realtime scanning can be crippled if you
install 2 anti-viruses at a time due to stuffing up each other's hooks.
We need to avoid this on Linux. There is more that will want to
monitor the same things as an antivirus on Linux, looking for different
kinds of problems. Yes, the first platform where 1 alone running does
not cut it.

Peter Dolding

2008-08-09 01:22:23

by David Lang

Subject: Re: [malware-list] Threat model for Unix Computers

On Fri, 8 Aug 2008, Jörg Ostertag wrote:

> Other threats would be:
> - giving access to the desktop PC to guest users for
> "just let me look up something on the internet"
> and the guest user on the desktop not informing about the (in his point of
> view) urgent installation of their beloved
> Browser-malware^H^H^H^H^H -adware ^H^H^H^H^H -extension

If you give the guest user access to your account this is the same as the
clueless desktop user.

If you make a new account for that user, the standard *nix permissions and
user separation come to your rescue: they may infect that temporary
account, but that won't infect the normal user.

David Lang

2008-08-09 01:46:10

by Ulrich Drepper

Subject: Re: [malware-list] Threat model for Unix Computers

On Fri, Aug 8, 2008 at 3:48 AM, Jörg Ostertag <[email protected]> wrote:
> - giving access to the desktop PC to guest users for
> "just let me look up something on the internet"
> and the guest user on the desktop not informing about the (in his point of
> view) urgent installation of their beloved
> Browser-malware^H^H^H^H^H -adware ^H^H^H^H^H -extension

Install the xguest package on Fedora (yum install xguest), use the fast user switch applet, and be done:

http://dwalsh.fedorapeople.org/xguest/
http://danwalsh.livejournal.com/14778.html