JFFS2/xattr problems.
Theodore Tso
tytso at mit.edu
Wed Jun 14 17:58:35 EDT 2006
On Tue, Jun 13, 2006 at 04:13:17PM +0200, Jörn Engel wrote:
> On Tue, 13 June 2006 22:36:59 +0900, KaiGai Kohei wrote:
> >
> > >Seems you missed Ted's presentation at LCA this year. Among the
> > >interesting bits:
> >
> > If this presentation is public, could you tell me the URL?
> > This indication is highly suggestive for me.
> > Especially, I have not imagined yet the possibility that
> > malware uses xattr to hide itself.
>
> I can only find the abstract:
> http://lca2006.linux.org.au/abstract.php?id=384
>
> [ adding Ted to Cc: ]
>
> Ted, do you still have your foils and can make them available? Kaigai-san
> is working on an xattr implementation for jffs2.

Sure, here you go (see attached)

> > >o The biggest user of Alternate Streams (less-limited versions of
> > > xattr on Windows, Solaris, etc.) arguably is root kits. Alternate
> > > Streams have the advantage that tripwire etc. don't understand them
> > > and won't look for malware there.
> > >o Some system administrators have no plans to upgrade to Solaris 9
> > > ever, because it supports Alternate Streams. The trouble of hidden
> > > malware is not worth the gains.
> > >
> > >Notable was also, that Ted repeated the last two points in several
> > >variations. Not sure if I would follow his line of thought 100%, but
> > >he does have a point.

See the article referenced in the slide, "Alternate Data Streams:
Threat or Menace?"

http://www.awprofessional.com/articles/article.asp?p=413685

(I love the title. "Threat or Menace?" "Menace or Threat?" Or, to
take a line from an old Bugs Bunny/Daffy Duck cartoon, "You got me
dead to rights, Doc. Would you like to shoot him now or shoot him
later?" :-)

- Ted