So which do you think is better:
1. buy/write/update virus software to catch/trap the virus
2. Fix the security hole.
I put my money on #2.
There are several ways to trap attacks on daemons that have such
vulnerabilities. And using virus scanners CANNOT keep up.
The obvious solution is:
1. Use one of the high security patches (SELinux or RSBAC) and use
compartmentalization to keep the problem under control.
2. Use the detected problem to locate and fix the security problem in
the daemon.
Virus scanners cannot keep up. The virus that does the damage is the one
the scanner doesn't recognize. This is equivalent to the bug that wasn't
fixed.
Generation and propagation of a patch is nearly as fast if not faster
than generating another virus signature; and is a LOT more effective.
The high security patches allow the system to continue functioning even
in the presence of the virus, as long as the virus itself is compartmented.
At one time, there was some discription of the Ramen/lion worm attempting
to attack a SELinux based system.. and failed. It did get in the daemon,
but was then isolated from the rest of the system.
I do believe that the kernel can be improved - not including daemon services
in the kernel itself is one (tux?,nfs?,... yes they work faster, but is it
worth the security risk?).
-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@navo.hpc.mil
Any opinions expressed are solely my own.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/