The Inquirer

Critical Linux security API is still a kludge

One Mad Geek In 2006, dazuko should be part of IT
Sun Oct 22 2006, 21:43
THE TALK lately has centred on Vista's security APIs, but Linux certainly needs improvements in this area too, because AV vendors still rely on an external kernel module to implement "real time" file scanning.

The problem
Resident virus scanners need to intercept file access and allow or deny read operations on executable files only after a file's safety has been determined. In the Linux world, a German company called "Avira GmbH" designed an API to allow "on-access" virus scanning: a kernel module intercepts file access calls and passes control to a third party application, in this case the anti-virus scanner, which decides whether the access goes ahead. According to the project's web page, "Dazuko has been released as Free Software in order to allow users to compile the device driver for their own custom kernels". The problem is that it's not part of the current Linux kernel, so users must either rely on the Linux distributor's willingness to ship pre-built binaries of the loadable kernel module or, more often than not, compile the module themselves.

This project is very important and has also been ported to other operating systems such as FreeBSD, and it can be used not only for virus scanners but also for file-access monitoring/logging or for third party or external security implementations, so it's amazing that it is still not part of the kernel in this day and age. Personally, I didn't even know about this whole state of affairs until it crossed my mind to install an AV solution on my Linux system due to the concern about win32 executables lying around on the file system for use with Wine and Windows virtual machines.

Today, Linux antivirus vendors tell users to "install dazuko" to get resident virus scanning, but as said above, that involves a time consuming process of downloading kernel sources and then compiling a custom kernel module. Plus, on every kernel update the process must be repeated, because the kernel module must be rebuilt to keep up with changes in the kernel's source tree; until that happens, the scanner is running without its on-access hook.
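A check a defender can script after a kernel update, as an added example that is not from the article or the dazuko project: it reports whether a dazuko module is built for the running kernel and whether it is currently loaded, so a scanner that silently lost its on-access hook is noticed. The module name `dazuko`, the `/lib/modules/<release>` tree and `/proc/modules` are standard Linux locations; the paths are parameters so the check can also be run against a staged tree.

```shell
#!/bin/sh
# Added example: verify that the dazuko kernel module the article describes
# is both built for the running kernel and actually loaded. Paths default to
# the standard Linux locations but can be overridden to inspect a staged tree.

# 0 if a dazuko module file exists under MODDIR/KVER (default /lib/modules/KVER).
dazuko_built_for() {
    kver=$1
    moddir=${2:-/lib/modules}
    find "$moddir/$kver" -name 'dazuko.ko*' 2>/dev/null | grep -q .
}

# 0 if "dazuko" is listed in the loaded-module table (default /proc/modules).
dazuko_loaded() {
    modfile=${1:-/proc/modules}
    grep -q '^dazuko ' "$modfile" 2>/dev/null
}

# Prints one of: ok | built-not-loaded | missing-for-kernel | absent
# "missing-for-kernel" is the post-update failure mode the article warns about:
# a module exists for some other kernel release but not for the running one.
dazuko_status() {
    kver=$1
    moddir=${2:-/lib/modules}
    modfile=${3:-/proc/modules}
    if dazuko_loaded "$modfile"; then
        echo ok
    elif dazuko_built_for "$kver" "$moddir"; then
        echo built-not-loaded
    elif find "$moddir" -name 'dazuko.ko*' 2>/dev/null | grep -q .; then
        echo missing-for-kernel
    else
        echo absent
    fi
}

# Stand-alone run on a Linux host: report for the running kernel.
if [ "${DAZUKO_CHECK_MAIN:-0}" = 1 ]; then
    dazuko_status "$(uname -r)"
fi
```

Run with `DAZUKO_CHECK_MAIN=1 sh dazuko_check.sh` from a post-update hook; anything other than `ok` means real-time scanning is not in effect.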

John Ogness, a dazuko maintainer, says packaging the dazuko module is not always easy, for a variety of reasons: "Until recently, Novell/SUSE shipped with a Dazuko module. However, their new AppArmor application comes in conflict with Dazuko." "We have had contact with RedHat several times, but the response is usually quite negative. RedHat has many kernel developers, so the (dazuko way of doing things) of syscall hooking is not OK for them." Eneko Lacunza of the R&D department at Panda Software speculated in a recent mailing list post: "This should make dazuko to be in the Linus kernel tree sooner or later, and after that all kernel module ABI change related problems will be gone".

The future
This kind of stupid complication in desktop Linux needs to be removed in order to gain mainstream appeal. If Windows users are not expected to do a "kernel recompile" (not that it's even possible) in order to install a "resident" antivirus scanner, neither should Linux users be. And no, save your hate mail and flames about how "immune" to viruses desktop Linux is: advances in WINE and virtualization technologies mean that more and more win32 and possibly win64 files are going to end up saved on Linux file systems, and those files need to be scanned as the potentially dangerous elements they are.

John Ogness said two months ago: "My main goal is getting DazukoFS ready. This is a technical point that is quite important for acceptance of Dazuko. Once DazukoFS is ready, distributions will not have much of an argument why they shouldn't accept it. Although the functionality won't change with DazukoFS, the technical concept is quite different, which is important for kernel and distribution maintainers".

Hopefully, more and more distro maintainers will realize the need to make things easier for Linux users, and they will either begin offering pre-built dazuko kernel modules for each new kernel release, saving end users the hassle of kernel source downloads and module recompilation, or do it with the upcoming "DazukoFS" file system driver. The dazuko FAQ page mentions that Suse offers pre-built dazuko kernel modules, although as explained above that might no longer be true as of the latest version.

According to another recent message on the dazuko development mailing list, Ubuntu offers dazuko modules as of Ubuntu 6.06. In the future, it would be entirely appropriate to make this functionality part of the Linux kernel and stop this madness, regardless of whether it's as a dazuko module or the upcoming DazukoFS. They had better hurry, because people, in case you haven't checked your calendar, it's 2006 already, not 1996! And I don't blame the dazuko developers but every other large corporation which insists it's serious about pushing Linux to the desktop. This issue should have been settled by now. Sheesh.

2003 white paper: "DAZUKO: an open solution to facilitate 'on access' file scanning"
Dazuko FAQ
Discussion about moving Dazuko to the kernel tree
Fedora Core Linux issues for Dazuko
Dazuko docs for NOD32 antivirus
Discussion about dazuko based antivirus solutions, and the dazuko hassle
AVG on Gentoo

See Also
Microsoft, McAfee trade barbs over Vista security
Vista SP1 to include common security API for partners
