Does Linux process exist information leakage?

Scott Lovenberg scott.lovenberg at gmail.com
Mon Jan 16 15:44:45 EST 2012


On Mon, Jan 16, 2012 at 13:45, Greg Freemyer <greg.freemyer at gmail.com> wrote:

> On Thu, Jan 12, 2012 at 12:00 PM, Jonathan Neuschäfer
> <j.neuschaefer at gmx.net> wrote:
> > On Wed, Jan 11, 2012 at 12:52:33PM -0500, Scott Lovenberg wrote:
> >> Real world example in C; I fixed a security bug in Samba that dealt with
> >> this exact problem.  Credential files were read to memory as the root user
> >> and then the memory was freed without being zeroed.  A user could therefore
> >> read the contents of a file that they didn't have permission to read
> >> because the whole thing was put in memory by a user that had permission to
> >> view the file.  Someone clever could churn through memory and find the
> >> credentials if they knew that the mount command was just run.
> >>
> >> I added a memset() to the end of the parsing function to zero out the
> >> memory before freeing back to the OS.
> >
> > Could you please clarify how this "churning through memory" would work?
> >
> > Of course someone could find another security bug and access heap space,
> > but that requires said other bug. Debuggers are also irrelevant to this,
> > because you need certain parmissions to run a program through a
> > debugger, and if you do that, you might also set a breakpoint in the
> > function and catch the credentials when it's run.
> >
> > Swap disks are a real issue under some circumstances, though.
> > A page containing sensitive data may be swapped out and not be
> > overwritten before an attacker can boot from an external medium (CD etc.)
> > and peek through the swap disk.
>
> Boot CDs mean physical access.  If the bad guy has physical access, all is
> lost.
>
> === specifically
> If you want to defend against reboots to a boot CD, then all of memory
> is potential leak.
>
> http://citp.princeton.edu/research/memory/
>
> My personal favorite is when they actually move the RAM chips from one
> PC to another to get the data out of it.
>
> After removing power, they immediately spray freon (or something
> similarly cold) on the RAM chips to stabilize them, then move them to
> another PC and recover the content.
>
> I can't get the video to work right now, but here's a walk-thru with
> photos.
>
> I quote:
> ===
> We stored data in these memory modules, then cooled them, removed them
> from the computer, and placed them in a container of liquid nitrogen
> for an hour. After returning them to the computer, we found
> practically no information had been lost. (Using liquid nitrogen would
> be overkill for most attacks, since cheap, widely-available duster
> spray would adequately cool the chips.)
> ===
>
> Greg
>

I should clarify (because someone asked), the memory that I was talking
about wouldn't be allocatable until after the process that read it and
freed it exited.


-- 
Peace and Blessings,
-Scott.
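Added example in C (not code from this thread or from Samba) of the wipe-before-free step Scott describes, with the caveat a practitioner would want: a plain memset() right before free() is a dead store the compiler may remove, so the wipe is routed through a volatile function pointer. The sample credential contents, buffer handling and function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Zero a buffer in a way the optimiser cannot elide. A memset() whose
 * result is never read again (because the buffer is freed next) is a
 * dead store and may be dropped; calling through a volatile function
 * pointer forces the write. Where available, explicit_bzero() (glibc,
 * BSD) or memset_s() (C11 Annex K) do the same job. */
static void *(*const volatile memset_fn)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t n)
{
    memset_fn(p, 0, n);
}

/* Constructed sample credential-file contents; not real credentials. */
static const char sample_creds[] = "username=demo\npassword=hunter2\n";

/* Models the parsing path in the thread: copy the file contents into a
 * heap buffer, use them, then wipe before returning the memory to the
 * allocator. Returns 1 if every byte was zero after the wipe, 0 if any
 * byte survived, -1 on allocation failure. */
int load_and_wipe(void)
{
    size_t len = sizeof sample_creds;
    char *buf = malloc(len);
    if (!buf)
        return -1;
    memcpy(buf, sample_creds, len);

    /* ... the credentials would be used here, e.g. to perform a mount ... */

    secure_zero(buf, len);

    /* Verify the wipe while the buffer is still valid (before free()). */
    int all_zero = 1;
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0)
            all_zero = 0;

    free(buf);
    return all_zero;
}

int main(void)
{
    printf("buffer zeroed before free: %s\n", load_and_wipe() == 1 ? "yes" : "no");
    return 0;
}
```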