On Thu, 2007-11-29 at 11:11 -0800, Ray Lee wrote:
On Nov 29, 2007 10:56 AM, Jon Masters [EMAIL PROTECTED] wrote:
On Thu, 2007-11-29 at 10:40 -0800, Ray Lee wrote:
On Nov 29, 2007 9:36 AM, Alan Cox [EMAIL PROTECTED] wrote:
closed. But more importantly further access to it can be blocked
On Thu, 29 Nov 2007 14:45:51 EST, Jon Masters said:
Ah, but I could write a sequence of pages that on their own looked
garbage, but in reality, when executed would print out a copy of the
Jargon File in all its glory. And if you still think you could look for
patterns, how about executable
Alan Cox [EMAIL PROTECTED] writes:
If I want I can have 16 threads executing code in a shared object being
written to by ten other programs at once and shared over a network while
we are at it. It's probably not a good idea but I can do it if I have
reason to.
Actually the kernel prevents
Jargon File in all its glory. And if you still think you could look for
patterns, how about executable code that self-modifies in random ways
but when executed as a whole actually has the functionality of fetchmail
embedded within it? How would you guard against that?
That's a problem for
On Thu, Nov 29, 2007 at 03:56:28PM -0500, [EMAIL PROTECTED] wrote:
Yes, most of these schemes *can* be bypassed because some malicious code does a
mmap() or similar trick. But what is being overlooked here is that in most
cases, what is *desired* is a way to filter things being handled by
Alan Cox wrote
Jargon File in all its glory. And if you still think you could look for
patterns, how about executable code that self-modifies in random ways
but when executed as a whole actually has the functionality of fetchmail
embedded within it? How would you guard against that?
Alan Cox [EMAIL PROTECTED] writes:
The simple case is
open
write cathedral and bazaar in some order
close
trap close - process - label eric_t
open (eric_t) - SELinux no
Anyone smart will then write it out of order and keep the file open, or
That would
On Thu, 2007-11-29 at 15:56 -0500, [EMAIL PROTECTED] wrote:
On Thu, 29 Nov 2007 14:45:51 EST, Jon Masters said:
Ah, but I could write a sequence of pages that on their own looked
garbage, but in reality, when executed would print out a copy of the
Jargon File in all its glory. And if you
On Thu, 2007-11-29 at 21:45 +, Alan Cox wrote:
Jargon File in all its glory. And if you still think you could look for
patterns, how about executable code that self-modifies in random ways
but when executed as a whole actually has the functionality of fetchmail
embedded within it? How
On Thu, 29 Nov 2007, Al Viro wrote:
Incidentally, I would really love to see the threat profile we are talking
about.
Exactly.
Please come up with a set of requirements that can be reviewed by the core
kernel folk, and perhaps then focus on how to meet those requirements once
they have
On Thu, Nov 29, 2007 at 03:12:38PM -0700, Justin Banks wrote:
It's not perfect, but as was recently pointed out, if you can only get
98% of the way there rather than 100% is that a reason for not trying to
make it possible?
BTW, that's a fine example of a common fallacy: $FOO is 98% of the
On Thu, 29 Nov 2007 18:34:33 EST, Jon Masters said:
On Thu, 2007-11-29 at 21:45 +, Alan Cox wrote:
Jargon File in all its glory. And if you still think you could look for
patterns, how about executable code that self-modifies in random ways
but when executed as a whole actually has
--- Jan Engelhardt <[EMAIL PROTECTED]> wrote:
>
> On Nov 28 2007 18:22, [EMAIL PROTECTED] wrote:
> >
> >Talpa is modular itself being composed of a set of kernel modules of which
> >not all are loaded simultaneously. Where possible LSM can be used and _no_
> >messing with syscall table will
On Thu, Nov 29, 2007 at 01:53:46AM +0100, Jan Engelhardt wrote:
>
> On Nov 28 2007 16:38, Greg KH wrote:
> >>
> >> And if we are talking about the situation when files are written to
> >> in controlled way (i.e. we are not concerned with malware running on
> >> the box in question and just want
On Wed, Nov 28, 2007 at 12:42:52PM +, Tvrtko A. Ursulin wrote:
>
> Hi Linus, all,
>
> During one recent LKML discussion
> (http://marc.info/?l=linux-kernel=119267398722085=2) about LSM going
> static you called for LSM users to speak up.
>
> We here at Sophos (the fourth largest endpoint
On Nov 28 2007 16:38, Greg KH wrote:
>>
>> And if we are talking about the situation when files are written to
>> in controlled way (i.e. we are not concerned with malware running on
>> the box in question and just want to stop it from passing through
>> mailsewer, etc.), then there's no damn
On Nov 28 2007 18:22, [EMAIL PROTECTED] wrote:
>
>Talpa is modular itself being composed of a set of kernel modules of which
>not all are loaded simultaneously. Where possible LSM can be used and _no_
>messing with syscall table will take place. Unfortunately where another
>LSM user is present
On Wed, Nov 28, 2007 at 06:30:40PM +, Al Viro wrote:
> On Wed, Nov 28, 2007 at 01:15:05PM -0500, [EMAIL PROTECTED] wrote:
> > (Note that the concept has interesting implications in the other direction as
> > well - rather than stopping you from reading a file that has malware, you
> >
On Wed, 28 Nov 2007, [EMAIL PROTECTED] wrote:
> So as there is no question the current code does some ugly things it is
> even more true that we would be even more happy to use an official API.
How about becoming involved in creating that official API ?
"A person will stand on the top of a
On Wed, 28 Nov 2007 19:52:46 GMT, Alan Cox said:
> > It might be better to identify the services (gateway, samba, file
> > server whatever) that are actually dealing with possible infected
> > "external" files and then define some generic interface that would
> > allow you to check those as the
> It might be better to identify the services (gateway, samba, file
> server whatever) that are actually dealing with possible infected
> "external" files and then define some generic interface that would
> allow you to check those as the data appears.
I am wondering if the right interface is
> So as there is no question the current code does some ugly things it is
> even more true that we would be even more happy to use an official API.
> LSM was that and we were happily using it which we won't be able to do if
> it abruptly goes away. Yes it is not a perfect match but until it is
"Tvrtko A. Ursulin" <[EMAIL PROTECTED]> writes:
> We here at Sophos (the fourth largest endpoint security vendor in the world)
> have such a module called Talpa which is a part of our main endpoint security
> product
What is an "endpoint security product" exactly? A gateway that scans
files
On Wed, Nov 28, 2007 at 01:15:05PM -0500, [EMAIL PROTECTED] wrote:
> (Note that the concept has interesting implications in the other direction as
> well - rather than stopping you from reading a file that has malware, you could
> in theory write an anti-export package that would let you write
[EMAIL PROTECTED] wrote on 28/11/2007 17:39:56:
> On Wed, 28 Nov 2007 16:46:13 +
> Christoph Hellwig <[EMAIL PROTECTED]> wrote:
>
> > On Wed, Nov 28, 2007 at 08:38:43AM -0800, Casey Schaufler wrote:
> > > Would you like to expound on that, or do you feel your claws
> > > are sharp enough
On Wed, 28 Nov 2007 16:46:13 GMT, Christoph Hellwig said:
> On Wed, Nov 28, 2007 at 08:38:43AM -0800, Casey Schaufler wrote:
> > Would you like to expound on that, or do you feel your claws
> > are sharp enough already?
>
> Just take a look at code.
Just to clarify - you're OK with the *concept*
On Wed, 28 Nov 2007 16:46:13 +
Christoph Hellwig <[EMAIL PROTECTED]> wrote:
> On Wed, Nov 28, 2007 at 08:38:43AM -0800, Casey Schaufler wrote:
> > Would you like to expound on that, or do you feel your claws
> > are sharp enough already?
>
> Just take a look at code.
>
The module in
On Wed, Nov 28, 2007 at 08:38:43AM -0800, Casey Schaufler wrote:
> Would you like to expound on that, or do you feel your claws
> are sharp enough already?
Just take a look at code.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL
--- Christoph Hellwig <[EMAIL PROTECTED]> wrote:
> On Wed, Nov 28, 2007 at 12:42:52PM +, Tvrtko A. Ursulin wrote:
> >
> > Hi Linus, all,
> >
> > During one recent LKML discussion
> > (http://marc.info/?l=linux-kernel=119267398722085=2) about LSM going
> > static you called for LSM users
On Wed, Nov 28, 2007 at 12:42:52PM +, Tvrtko A. Ursulin wrote:
>
> Hi Linus, all,
>
> During one recent LKML discussion
> (http://marc.info/?l=linux-kernel=119267398722085=2) about LSM going
> static you called for LSM users to speak up.
>
> We here at Sophos (the fourth largest endpoint
Hi Linus, all,
During one recent LKML discussion
(http://marc.info/?l=linux-kernel=119267398722085=2) about LSM going
static you called for LSM users to speak up.
We here at Sophos (the fourth largest endpoint security vendor in the world)
have such a module called Talpa which is a part of
Hi Linus, all,
During one recent LKML discussion
(http://marc.info/?l=linux-kernelm=119267398722085w=2) about LSM going
static you called for LSM users to speak up.
We here at Sophos (the fourth largest endpoint security vendor in the world)
have such a module called Talpa which is a part
On Wed, Nov 28, 2007 at 12:42:52PM +, Tvrtko A. Ursulin wrote:
Hi Linus, all,
During one recent LKML discussion
(http://marc.info/?l=linux-kernelm=119267398722085w=2) about LSM going
static you called for LSM users to speak up.
We here at Sophos (the fourth largest endpoint
--- Christoph Hellwig [EMAIL PROTECTED] wrote:
On Wed, Nov 28, 2007 at 12:42:52PM +, Tvrtko A. Ursulin wrote:
Hi Linus, all,
During one recent LKML discussion
(http://marc.info/?l=linux-kernelm=119267398722085w=2) about LSM going
static you called for LSM users to speak up.
On Wed, Nov 28, 2007 at 08:38:43AM -0800, Casey Schaufler wrote:
Would you like to expound on that, or do you feel your claws
are sharp enough already?
Just take a look at code.
On Wed, 28 Nov 2007 16:46:13 +
Christoph Hellwig [EMAIL PROTECTED] wrote:
On Wed, Nov 28, 2007 at 08:38:43AM -0800, Casey Schaufler wrote:
Would you like to expound on that, or do you feel your claws
are sharp enough already?
Just take a look at code.
The module in question hooks
[EMAIL PROTECTED] wrote on 28/11/2007 17:39:56:
On Wed, 28 Nov 2007 16:46:13 +
Christoph Hellwig [EMAIL PROTECTED] wrote:
On Wed, Nov 28, 2007 at 08:38:43AM -0800, Casey Schaufler wrote:
Would you like to expound on that, or do you feel your claws
are sharp enough already?
On Wed, 28 Nov 2007 16:46:13 GMT, Christoph Hellwig said:
On Wed, Nov 28, 2007 at 08:38:43AM -0800, Casey Schaufler wrote:
Would you like to expound on that, or do you feel your claws
are sharp enough already?
Just take a look at code.
Just to clarify - you're OK with the *concept* (a
On Wed, Nov 28, 2007 at 01:15:05PM -0500, [EMAIL PROTECTED] wrote:
(Note that the concept has interesting implications in the other direction as
well - rather than stopping you from reading a file that has malware, you could
in theory write an anti-export package that would let you write onto
Tvrtko A. Ursulin [EMAIL PROTECTED] writes:
We here at Sophos (the fourth largest endpoint security vendor in the world)
have such a module called Talpa which is a part of our main endpoint security
product
What is an endpoint security product exactly? A gateway that scans
files passing
So as there is no question the current code does some ugly things it is
even more true that we would be even more happy to use an official API.
LSM was that and we were happily using it which we won't be able to do if
it abruptly goes away. Yes it is not a perfect match but until it is
It might be better to identify the services (gateway, samba, file
server whatever) that are actually dealing with possible infected
external files and then define some generic interface that would
allow you to check those as the data appears.
I am wondering if the right interface is actually
On Wed, 28 Nov 2007 19:52:46 GMT, Alan Cox said:
It might be better to identify the services (gateway, samba, file
server whatever) that are actually dealing with possible infected
external files and then define some generic interface that would
allow you to check those as the data
On Wed, 28 Nov 2007, [EMAIL PROTECTED] wrote:
So as there is no question the current code does some ugly things it is
even more true that we would be even more happy to use an official API.
How about becoming involved in creating that official API ?
A person will stand on the top of a hill
On Wed, Nov 28, 2007 at 06:30:40PM +, Al Viro wrote:
On Wed, Nov 28, 2007 at 01:15:05PM -0500, [EMAIL PROTECTED] wrote:
(Note that the concept has interesting implications in the other direction as
well - rather than stopping you from reading a file that has malware, you could
in
On Nov 28 2007 18:22, [EMAIL PROTECTED] wrote:
Talpa is modular itself being composed of a set of kernel modules of which
not all are loaded simultaneously. Where possible LSM can be used and _no_
messing with syscall table will take place. Unfortunately where another
LSM user is present that
On Nov 28 2007 16:38, Greg KH wrote:
And if we are talking about the situation when files are written to
in controlled way (i.e. we are not concerned with malware running on
the box in question and just want to stop it from passing through
mailsewer, etc.), then there's no damn need to play
On Wed, Nov 28, 2007 at 12:42:52PM +, Tvrtko A. Ursulin wrote:
Hi Linus, all,
During one recent LKML discussion
(http://marc.info/?l=linux-kernelm=119267398722085w=2) about LSM going
static you called for LSM users to speak up.
We here at Sophos (the fourth largest endpoint
On Thu, Nov 29, 2007 at 01:53:46AM +0100, Jan Engelhardt wrote:
On Nov 28 2007 16:38, Greg KH wrote:
And if we are talking about the situation when files are written to
in controlled way (i.e. we are not concerned with malware running on
the box in question and just want to stop it
--- Jan Engelhardt [EMAIL PROTECTED] wrote:
On Nov 28 2007 18:22, [EMAIL PROTECTED] wrote:
Talpa is modular itself being composed of a set of kernel modules of which
not all are loaded simultaneously. Where possible LSM can be used and _no_
messing with syscall table will take place.