Re: Out of tree module using LSM

[Valdis.Kletnieks@vt.edu]

On Thu, 29 Nov 2007 18:34:33 EST, Jon Masters said:
> 
> On Thu, 2007-11-29 at 21:45 +0000, Alan Cox wrote:
> > > Jargon File in all its glory. And if you still think you could look for
> > > patterns, how about executable code that self-modifies in random ways
> > > but when executed as a whole actually has the functionality of fetchmail
> > > embedded within it? How would you guard against that?
> > 
> > Thats a problem for whoever writes the ESR detection tool and to what
> > level it works. The question for the kernel is how do we provide a
> > mechanism to allow (to some extent at least) this kind of tool to run.
> 
> Right. I'm just saying reading a single page out of context (no pun
> intended) is not going to be very useful. 

Fortunately for all concerned, although Alan's self-modifying code is indeed a
possibility, it's much less of an issue than the sort of malware that can be
found with a simple "find this 27-byte sequence, which will be found in either
block 36 or 37 of the file".

And I'll make the prediction that we won't see anything doing the sorts of
things that Alan's program does, until that's the *easiest* way to get into
a system.  Until that time, they're either going to be sending simpler stuff
that a scanner can easily template and find, or using other means of attacks
that are outside the scope of a scanner.

Remember guys - we want to think about *realistic* threat models.  The e-mail
virus scanners we use catch hundreds to thousands of known viruses *every day*.
But I can count on the fingers of both hands the number of times I've had to
deal with a *real* "0-day" in a quarter century.  The scanner doesn't have to
be perfect - it just has to make it hard enough to bypass to render it
economically infeasible.  If you're targeted by a military/govt/political/
religious group that doesn't *care* if it's economically viable, you have
other, bigger problems to deal with...

Attachment: pgp5VCgC5BChN.pgp
Description: PGP signature