JFFS2/xattr problems.
Jörn Engel
joern at wohnheim.fh-wedel.de
Tue Jun 13 10:13:17 EDT 2006
On Tue, 13 June 2006 22:36:59 +0900, KaiGai Kohei wrote:
>
> >Seems you missed Ted's presentation at LCA this year. Among the
> >interesting bits:
>
> If this presentation is public, could you tell me the URL?
> This indication is highly suggestive for me.
> Especially, I have not imagine yet the possibility that
> malware uses xattr to hide itself.
I can only find the abstract:
http://lca2006.linux.org.au/abstract.php?id=384
[ adding Ted to Cc: ]
Ted, do still have your foils and can make them available? Kaigai-san
is working on an xattr implementation for jffs2.
> >o Pretty much anything on Linux is limited to 64KiB or less.
> >o Ext[23] is limited to 4KiB total for all attributes, including all
> > keys and all values.
> >o The biggest user of Alternate Streams (less-limited versions of
> > xattr on Windows, Solaris, etc.) arguably is root kits. Alternate
> > Streams have the advantage that tripwire etc. don't understand them
> > and won't look for malware there.
> >o Some system administrators have no plans to upgrade to Solaris 9
> > ever, because it supports Alternate Streams. The trouble of hidden
> > malware is not worth the gains.
> >
> >Notable was also, that Ted repeated the last two points in several
> >variations. Not sure if I would follow his line of thought 100%, but
> >he does have a point.
Jörn
--
Why do musicians compose symphonies and poets write poems?
They do it because life wouldn't have any meaning for them if they didn't.
That's why I draw cartoons. It's my life.
-- Charles Shultz
More information about the linux-mtd
mailing list