> On Sat, May 10, 2003 at 01:51:07PM -0400, Ahmed Masud wrote:
> > That becomes a bit more difficult to time, because the attacker doesn't
> > know when the system call will actually perform its own copy_from_user vs.
> > return vs. the audit's copy_from_user, If the correct upper threshold for
> > each system call is picked timing attacks can be made alot harder.
>
> no it's not. just make sure the page with the filename is paged
> out, and use mincore to poll for the pagefault ;)
> And with unlink you can observe the results as well (think dnotify) so you
> can intervene before the second audit copy
>
> still not secure, now you copy 3 times so all I need to do is flip
> data twice ;)
>
Very interesting indeed, good thing i am not auditing parameters ;)
hehe. The only thing i was tracking was whether the particular system call
was allowed or denied to the user, due to an ACL and because that doesn't
rely on the user-land data i am not particulary effected.
I will setup some parametric auditing on pointer data and attack the
environment using your technique above to see if something can be done
about it.
(heheh there goes the afternoon!)
Cheers,
Ahmed.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/