Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S264460AbTEJRx2 (ORCPT ); Sat, 10 May 2003 13:53:28 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S264461AbTEJRx2 (ORCPT ); Sat, 10 May 2003 13:53:28 -0400 Received: from host132.googgun.cust.cyberus.ca ([209.195.125.132]:43437 "EHLO marauder.googgun.com") by vger.kernel.org with ESMTP id S264460AbTEJRx1 (ORCPT ); Sat, 10 May 2003 13:53:27 -0400 Date: Sat, 10 May 2003 14:03:57 -0400 (EDT) From: Ahmed Masud To: Arjan van de Ven Cc: Alan Cox , Jesse Pollard , Chuck Ebbert <76306.1226@compuserve.com>, "viro@parcelfarce.linux.theplanet.co.uk" , Linux Kernel Mailing List , Terje Eggestad Subject: Re: The disappearing sys_call_table export. In-Reply-To: <20030510175625.B28820@devserv.devel.redhat.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1470 Lines: 39 On Sat, 10 May 2003, Arjan van de Ven wrote: > On Sat, May 10, 2003 at 01:51:07PM -0400, Ahmed Masud wrote: > > That becomes a bit more difficult to time, because the attacker doesn't > > know when the system call will actually perform its own copy_from_user vs. > > return vs. the audit's copy_from_user, If the correct upper threshold for > > each system call is picked timing attacks can be made alot harder. > > no it's not. just make sure the page with the filename is paged > out, and use mincore to poll for the pagefault ;) > And with unlink you can observe the results as well (think dnotify) so you > can intervene before the second audit copy > > still not secure, now you copy 3 times so all I need to do is flip > data twice ;) > Very interesting indeed, good thing i am not auditing parameters ;) hehe. The only thing i was tracking was whether the particular system call was allowed or denied to the user, due to an ACL and because that doesn't rely on the user-land data i am not particulary effected. I will setup some parametric auditing on pointer data and attack the environment using your technique above to see if something can be done about it. (heheh there goes the afternoon!) Cheers, Ahmed. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/