
TALPA strides forward

TALPA strides forward

Posted Aug 28, 2008 18:26 UTC (Thu) by iabervon (subscriber, #722)
Parent article: TALPA strides forward

The main problem I see with this is that it makes every untrusted file write a probable denial of service. If you can find a plain-text string that the scanner will reject, you can probably defeat fail2ban trivially by getting ssh to log that somebody tried to log in as {the reject string}, which means that the log file now contains a virus and can't be read by most programs. Or if you email a brand-new virus to root before the mailer is ready to reject it, and the system is using mail spools, all of root's mail is in a file containing a virus (once the description files get updated). If you get a virus into a backup, the backup becomes likely impossible to restore. If you post a virus to a web form that puts it into a database, the database may stop working.

The assumption that, if a region of a file is unexpectedly blocked from being read, important system tools won't misbehave in exploitable ways is highly optimistic, considering that this currently only happens when the system has major hardware issues. I wouldn't be too surprised to hear about systems with scanning set up turning out to be vulnerable to a variety of attacks which cause the system to be unable to process security updates.

In the Windows world, there are relatively few important helper processes, because services tend to be monolithic, so there's a relatively clear distinction between what should be prevented from using virus-infected files and what should be able to help clean them up. The UNIX world just isn't like that, making it unlikely that people will be able to have non-trivial policies that don't create security issues themselves.


TALPA strides forward

Posted Aug 28, 2008 20:11 UTC (Thu) by oak (guest, #2786) [Link]

And if an attacker knows that a widely used scanner has a security/DOS issue, he only needs to get a suitable file to the target machine through any channel (mail, browser cache, cookie etc).

TALPA strides forward

Posted Aug 28, 2008 21:56 UTC (Thu) by ballombe (subscriber, #9523) [Link]

I completely agree with you.

I will go even farther:
Suppose someone writes malware that includes code from e.g. glibc. The antivirus vendor dutifully adds that to the malware database, and all the Linux boxes get DOSed when they update their malware database.

TALPA is a poorly thought-out threat model that creates more threats.

TALPA strides forward

Posted Sep 1, 2008 14:50 UTC (Mon) by kleptog (guest, #1183) [Link] (3 responses)

These aren't hypothetical problems either. On the postgresql lists there are regularly reports of people complaining that tables spontaneously vanish or worse, the transaction logs suddenly can't be written out. The cause is invariably that some antivirus has blocked the writes and uninstalling it fixes all the problems.

There's enough safeguards to prevent data loss in most cases, but once the scanner starts violating write-order guarantees, the shit will really hit the fan.

TALPA strides forward

Posted Sep 1, 2008 19:07 UTC (Mon) by nix (subscriber, #2304) [Link] (2 responses)

Wow. This highlights the need to be able to exclude stuff from antivirus scanning if anything does: what kind of idiot scans an RDBMS's data for viruses? This is as silly as searching a filesystem's *metadata* for viruses and banning only part of a metadata write if it thinks it finds one: instant disaster...

TALPA strides forward

Posted Sep 1, 2008 21:10 UTC (Mon) by kleptog (guest, #1183) [Link] (1 responses)

I suppose popular antivirus software comes with tables of stuff not to scan. Can you imagine the news if an antivirus product killed an Oracle installation by helpfully renaming a datafile that looked suspicious.

Generally you can configure the software to exclude certain directories from scanning, but the default is always scan everything unless told otherwise. On the whole violating FS semantics for some silly scanning software seems insane.
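The two points made above, iabervon's (one untrusted line written into a log makes the whole log unreadable to the programs that must process it) and kleptog's (exclusions exist, but the default is to scan everything), can be modelled in a few lines. The following Python is an added illustration, not code from LWN, TALPA or any scanner product: it simulates an on-access hook that denies a read if any signature appears anywhere in the file, runs a fail2ban-style failed-login counter through it, and compares the default scan-everything policy with a path-based exclusion. The signature string, the log lines and the paths are all constructed for the example.

```python
"""Toy model of an on-access scanner policy (constructed example).

Shows how a scanner that denies reads of any file containing a signature
turns a single untrusted log line into a denial of service for the log
consumer, and how a directory exclusion restores service.
"""
import re
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Constructed placeholder standing in for a real detection signature.
SIGNATURES = [b"CONSTRUCTED-TEST-SIGNATURE"]


class AccessDenied(PermissionError):
    """Raised when the simulated scanner blocks an open-for-read."""


@dataclass
class OnAccessScanner:
    signatures: list
    excluded_dirs: list = field(default_factory=list)  # empty list = scan everything

    def _excluded(self, path: str) -> bool:
        # Compare on path components so that an exclusion of "/var/lo"
        # does not accidentally cover "/var/log".
        parts = PurePosixPath(path).parts
        for d in self.excluded_dirs:
            dparts = PurePosixPath(d).parts
            if parts[:len(dparts)] == dparts:
                return True
        return False

    def read(self, path: str, contents: bytes) -> bytes:
        """Simulated read hook: deny the whole file if any signature matches."""
        if not self._excluded(path):
            for sig in self.signatures:
                if sig in contents:
                    raise AccessDenied(f"{path}: scanner matched {sig!r}")
        return contents


# A fail2ban-like consumer: count failed ssh logins per source address.
FAILED_LOGIN = re.compile(rb"Invalid user (?P<user>.*) from (?P<ip>[\d.]+)")


def failed_logins(scanner: OnAccessScanner, path: str, log_bytes: bytes) -> dict:
    """Read the log through the scanner hook and tally failures per address."""
    counts = {}
    for line in scanner.read(path, log_bytes).splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            ip = m.group("ip").decode()
            counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed auth log: the third line carries the placeholder signature
# as the attempted user name, exactly the situation described in the thread.
AUTH_LOG = b"\n".join([
    b"Aug 28 18:00:01 host sshd[1]: Invalid user admin from 198.51.100.7",
    b"Aug 28 18:00:02 host sshd[2]: Invalid user admin from 198.51.100.7",
    b"Aug 28 18:00:03 host sshd[3]: Invalid user CONSTRUCTED-TEST-SIGNATURE from 198.51.100.7",
    b"Aug 28 18:00:04 host sshd[4]: Invalid user root from 198.51.100.7",
]) + b"\n"

LOG_PATH = "/var/log/auth.log"  # constructed path


def count_failed_logins(excluded_dirs=()):
    """Run the log consumer under a scanner with the given exclusions.

    Returns the per-address counts, or None if the scanner denied the read
    (the consumer sees nothing at all, not just the offending line).
    """
    scanner = OnAccessScanner(SIGNATURES, list(excluded_dirs))
    try:
        return failed_logins(scanner, LOG_PATH, AUTH_LOG)
    except AccessDenied:
        return None


if __name__ == "__main__":
    print("scan everything:      ", count_failed_logins())
    print("exclude /var/log:     ", count_failed_logins(["/var/log"]))
    print("exclude /var/lo only: ", count_failed_logins(["/var/lo"]))
```

Under the default policy the consumer gets nothing, so none of the four failures are counted and no ban is ever issued; with the log directory excluded the count is the full four. The component-wise exclusion check is deliberate: prefix string matching is a common way to get such a table subtly wrong.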

TALPA strides forward

Posted Sep 1, 2008 22:03 UTC (Mon) by nix (subscriber, #2304) [Link]

Oh, I agree, but the existence of horrible things like Oracle*Mail indicates that if you think you have to scan everything that might, say, contain email that might be read by people using vulnerable clients, you have to add a virus scanner *inside the database* as well, to scan everything going to and from tables.

Likewise you have to add a scanner inside everything else that maintains structured/transactioned data storage.

Even discounting the security-brokenness of 'excluding the bad software', this obviously will not scale.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds