OpenVAS Change Request #53: Remove Support for Shared Sockets

Status: Voted +4. Done as of SVN rev. 11046. Will be first released with OpenVAS Scanner 3.3.0.

References

Purpose

Remove support for shared socket concept used for SSH access.

Rationale

NVTs using SSH connections to perform Local Security Checks (LSCs) currently do so through a so-called shared socket. The idea behind this concept is that the first NVT needing an SSH connection establishes the connection and stores a reference to the socket used for it in the knowledge base (KB). Other NVTs then reuse this socket for their SSH connection instead of establishing their own separate connections.

While this idea is commendable, it has a number of drawbacks:

With this in mind we propose that support for shared sockets should be removed from LSCs via SSH. Since this is the only instance where shared sockets are used, this makes a complete removal of the then superfluous shared socket support code in the OpenVAS Scanner and the OpenVAS Libraries possible and advisable.

Effects

Tests have shown that removing the use of shared sockets for SSH connections on the NASL side (which can be done experimentally using the patch attached to this mail) causes a "Full and fast" scan with LSCs to take considerably less time. Scans of a single system took only a third of the time needed with shared sockets enabled.

A large part of the speed-up is likely caused by the parallelization of LSCs; since the LSCs no longer have to wait for the shared sockets they can be done concurrently.

A side effect is that doing concurrent LSCs increases the load of the target system; however, even the increased load of multiple LSCs was very small and is probably negligible for practical purposes. Multiple concurrent SSH connections could also theoretically trigger some very old firewalls.

However, the side effects described are mainly a general effect of doing concurrent checks and can be mitigated by adjusting the appropriate Scanner preference.

Design and Implementation

A first change would be to remove the use of shared sockets from the ssh_func.inc NASL function library, similar to the way it was done in the proof-of-concept patch mentioned above.

This change would mean that a number of code paths in OpenVAS Libraries and OpenVAS Scanner would no longer be necessary and could subsequently be removed.

History