Does Linux process exist information leakage?

Greg Freemyer greg.freemyer at gmail.com
Mon Jan 16 13:45:15 EST 2012


On Thu, Jan 12, 2012 at 12:00 PM, Jonathan Neuschäfer
<j.neuschaefer at gmx.net> wrote:
> On Wed, Jan 11, 2012 at 12:52:33PM -0500, Scott Lovenberg wrote:
>> Real world example in C; I fixed a security bug in Samba that dealt with
>> this exact problem.  Credential files were read to memory as the root user
>> and then the memory was freed without being zeroed.  A user could therefore
>> read the contents of a file that they didn't have permission to read
>> because the whole thing was put in memory by a user that had permission to
>> view the file.  Someone clever could churn through memory and find the
>> credentials if they knew that the mount command was just run.
>>
>> I added a memset() to the end of the parsing function to zero out the
>> memory before freeing back to the OS.
>
> Could you please clarify how this "churning through memory" would work?
>
> Of course someone could find another security bug and access heap space,
> but that requires said other bug. Debuggers are also irrelevant to this,
> because you need certain permissions to run a program through a
> debugger, and if you do that, you might also set a breakpoint in the
> function and catch the credentials when it's run.
>
> Swap disks are a real issue under some circumstances, though.
> A page containing sensitive data may be swapped out and not be
> overwritten before an attacker can boot from an external medium (CD etc.)
> and peek through the swap disk.

Boot CDs mean physical access.  If the bad guy has physical access, all is lost.

=== specifically
If you want to defend against reboots to a boot CD, then all of memory
is potential leak.

http://citp.princeton.edu/research/memory/

My personal favorite is when they actually move the RAM chips from one
PC to another to get the data out of it.

After removing power, they immediately spray freon (or something
similarly cold) on the RAM chips to stabilize them, then move them to
another PC and recover the content.

I can't get the video to work right now, but here's a walk-thru with photos.

I quote:
===
We stored data in these memory modules, then cooled them, removed them
from the computer, and placed them in a container of liquid nitrogen
for an hour. After returning them to the computer, we found
practically no information had been lost. (Using liquid nitrogen would
be overkill for most attacks, since cheap, widely-available duster
spray would adequately cool the chips.)
===

Greg
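The two concerns raised in the thread (secrets left in freed heap memory, and secrets paged out to swap) can be handled together. The example below is added to this page and is not Samba's code; the credentials file layout it parses (username=/password=/domain= lines) is the one mount.cifs accepts, and the sample contents are constructed. Two caveats a plain memset() before free() does not cover: the compiler may delete a memset() whose buffer is freed immediately afterwards as a dead store, so the zeroing here goes through a volatile function pointer, and a buffer holding secrets should be mlock()ed so the page is never written to swap. The leak_survives_free() function only illustrates the behaviour Scott describes; what it returns depends on the allocator.

```c
/* Added example: scrub-before-free plus mlock for a credentials buffer. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* memset via a volatile function pointer: the compiler may otherwise drop a
 * memset() whose buffer is freed right afterwards (dead-store elimination). */
static void *(*const volatile memset_v)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t n) { memset_v(p, 0, n); }

int is_all_zero(const void *p, size_t n)
{
    const unsigned char *b = p;
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= b[i];
    return acc == 0;
}

/* Page-aligned buffer locked into RAM so it is never swapped out.  *locked
 * reports whether mlock() succeeded (it fails under a small RLIMIT_MEMLOCK);
 * the caller decides whether running unlocked is acceptable. */
void *secret_alloc(size_t n, int *locked)
{
    void *p = NULL;
    if (posix_memalign(&p, 4096, n) != 0)
        return NULL;
    memset(p, 0, n);
    *locked = (mlock(p, n) == 0);
    return p;
}

/* Zero first, unlock, then free: free() must come last. */
void secret_free(void *p, size_t n)
{
    if (!p)
        return;
    secure_zero(p, n);
    munlock(p, n);
    free(p);
}

/* Copy the value of the "key=value" line for `key` into out; 1 if found. */
static int get_field(const char *text, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    for (const char *line = text; *line; ) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        if (len > klen && strncmp(line, key, klen) == 0 && line[klen] == '=') {
            size_t vlen = len - klen - 1;
            if (vlen >= outsz)
                return 0;
            memcpy(out, line + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (!end)
            break;
        line = end + 1;
    }
    return 0;
}

/* Parse file contents (already read by the privileged caller) into user/pass.
 * The raw copy lives in a locked buffer and is scrubbed before free().
 * user/pass are secrets too: the caller must secure_zero() them when done. */
int parse_credentials(const char *contents, char *user, size_t usz,
                      char *pass, size_t psz)
{
    size_t n = strlen(contents) + 1;
    int locked;
    char *buf = secret_alloc(n, &locked);
    if (!buf)
        return -1;
    memcpy(buf, contents, n);
    int ok = get_field(buf, "username", user, usz) &&
             get_field(buf, "password", pass, psz);
    secret_free(buf, n);        /* the fix: zero before handing memory back */
    return ok ? 0 : -1;
}

/* Illustration of the leak: free a buffer unscrubbed and read a fresh
 * allocation of the same size.  Returns 1 if the old secret is still there.
 * Allocator-dependent (glibc only overwrites the first 16 bytes of a freed
 * small chunk with tcache metadata), so do not rely on the value. */
int leak_survives_free(void)
{
    static const char secret[] = "password=hunter2";   /* constructed */
    char *a = malloc(256);
    if (!a)
        return 0;
    memset(a, 'x', 256);
    memcpy(a + 64, secret, sizeof secret);            /* past the metadata */
    free(a);
    char *b = malloc(256);
    int seen = b && memcmp(b + 64, secret, sizeof secret) == 0;
    free(b);
    return seen;
}

/* Run the parser on constructed sample contents; 1 if values and scrub are right. */
int example_roundtrip(void)
{
    static const char sample[] =
        "username=alice\npassword=s3cret!\ndomain=EXAMPLE\n";   /* constructed */
    char user[64], pass[64];
    if (parse_credentials(sample, user, sizeof user, pass, sizeof pass) != 0)
        return 0;
    int ok = strcmp(user, "alice") == 0 && strcmp(pass, "s3cret!") == 0;
    secure_zero(user, sizeof user);
    secure_zero(pass, sizeof pass);
    return ok && is_all_zero(user, sizeof user) && is_all_zero(pass, sizeof pass);
}

int main(void)
{
    printf("parse+scrub ok: %d\n", example_roundtrip());
    printf("secret visible after unscrubbed free: %d\n", leak_survives_free());
    return 0;
}
```

Note that mlock() only keeps the page out of swap; it does nothing against the cold-boot attack discussed below, where the contents of RAM itself are read out.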


