Re: The disappearing sys_call_table export.

Arjan van de Ven (arjanv@redhat.com)
Sat, 10 May 2003 17:56:25 +0000

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Ahmed Masud: "Re: The disappearing sys_call_table export."
Previous message: Ahmed Masud: "Re: The disappearing sys_call_table export."

On Sat, May 10, 2003 at 01:51:07PM -0400, Ahmed Masud wrote:
> What are your thoughts on the following two
> A)
> long wrapper_call(args) {
> yield(random(threshold)); /* yeild is a sleep */
> rv = orig_syscall(args...);
> copy_from_user(audit_data,args...);
> audit_log(audit_data);
> return rv;
> }
>
> That becomes a bit more difficult to time, because the attacker doesn't
> know when the system call will actually perform its own copy_from_user vs.
> return vs. the audit's copy_from_user, If the correct upper threshold for
> each system call is picked timing attacks can be made alot harder.

no it's not. just make sure the page with the filename is paged
out, and use mincore to poll for the pagefault ;)
And with unlink you can observe the results as well (think dnotify) so you
can intervene before the second audit copy

>
> B)
> long wrapper_call(args) {
> yield(random(threshold));
> copy_from_user(audit_data1,args...);
> rv = orig_syscall(args...);
> yield(random(threshold));
> copy_from_user(audit_data2,args...);
> audit_log(audit_data1);
> audit_log(audit_data2);
> return rv;
> }
>
> Suspicious data analysis is then performed by a user-land tool to
> further ensure integrity.

still not secure, now you copy 3 times so all I need to do is flip
data twice ;)

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ahmed Masud: "Re: The disappearing sys_call_table export."
Previous message: Ahmed Masud: "Re: The disappearing sys_call_table export."