From: Theodore Tso <tytso@mit.edu>
To: "Jörn Engel" <joern@wohnheim.fh-wedel.de>
Cc: KaiGai Kohei <kaigai@kaigai.gr.jp>,
	linux-mtd@lists.infradead.org,
	David Woodhouse <dwmw2@infradead.org>,
	KaiGai Kohei <kaigai@ak.jp.nec.com>
Subject: Re: JFFS2/xattr problems.
Date: Wed, 14 Jun 2006 17:58:35 -0400
Message-ID: <20060614215835.GA5983@thunk.org>
In-Reply-To: <20060613141317.GB30066@wohnheim.fh-wedel.de>

On Tue, Jun 13, 2006 at 04:13:17PM +0200, Jörn Engel wrote:
> On Tue, 13 June 2006 22:36:59 +0900, KaiGai Kohei wrote:
> >
> > >Seems you missed Ted's presentation at LCA this year. Among the
> > >interesting bits:
> >
> > If this presentation is public, could you tell me the URL?
> > This indication is highly suggestive for me.
> > Especially, I have not imagined yet the possibility that
> > malware uses xattr to hide itself.
>
> I can only find the abstract:
> http://lca2006.linux.org.au/abstract.php?id=384
>
> [ adding Ted to Cc: ]
>
> Ted, do you still have your foils and can make them available? Kaigai-san
> is working on an xattr implementation for jffs2.

Sure, here you go (see attached)

> > >o The biggest user of Alternate Streams (less-limited versions of
> > > xattr on Windows, Solaris, etc.) arguably is root kits. Alternate
> > > Streams have the advantage that tripwire etc. don't understand them
> > > and won't look for malware there.
> > >o Some system administrators have no plans to upgrade to Solaris 9
> > > ever, because it supports Alternate Streams. The trouble of hidden
> > > malware is not worth the gains.
> > >
> > >Notable was also, that Ted repeated the last two points in several
> > >variations. Not sure if I would follow his line of thought 100%, but
> > >he does have a point.

See the article referenced in the slide, "Alternate Data Streams:
Threat or Menace?"

http://www.awprofessional.com/articles/article.asp?p=413685

(I love the title. "Threat or Menace?" "Menace or Threat?" Or, to
take a line from an old Bugs Bunny/Daffy Duck cartoon, "You got me
dead to rights, Doc. Would you like to shoot him now or shoot him
later?" :-)

- Ted
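
Added example, not part of the original mail or the attached slides: a Python sketch of an integrity baseline that records extended attributes next to the file content, so a change made only in xattrs shows up where a content-only checker sees nothing. The function names and the `reader` parameter are hypothetical; `read_xattrs` assumes Linux, where `os.listxattr` and `os.getxattr` are available.

```python
import hashlib
import os

def read_xattrs(path):
    """Return {name: value} for every xattr visible on path (Linux only)."""
    try:
        names = os.listxattr(path, follow_symlinks=False)
    except OSError:  # e.g. filesystem without xattr support
        return {}
    attrs = {}
    for name in names:
        try:
            attrs[name] = os.getxattr(path, name, follow_symlinks=False)
        except OSError:  # attribute vanished or is unreadable
            continue
    return attrs

def content_digest(path):
    """SHA-256 of the file data only: what a content-only checker records."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def xattr_digest(attrs):
    """SHA-256 over sorted, length-prefixed name/value pairs."""
    h = hashlib.sha256()
    for name in sorted(attrs):
        n, v = os.fsencode(name), attrs[name]
        h.update(len(n).to_bytes(4, "big") + n)
        h.update(len(v).to_bytes(4, "big") + v)
    return h.hexdigest()

def baseline_entry(path, reader=read_xattrs):
    """One baseline record; `reader` is injectable so the logic can be tested."""
    return {"content": content_digest(path), "xattrs": xattr_digest(reader(path))}

def changed_fields(old, new):
    """Names of the record fields that differ between two baselines."""
    return sorted(k for k in old if old[k] != new[k])

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, baseline_entry(p))
```

Attributes in the `trusted.*` namespace are only listed for a process with CAP_SYS_ADMIN, so a baseline taken without that privilege does not cover them.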